dcrat | 247f07902013628a4d5caac424e0c89e7be33a74ae471e34b05c8f0719ed27dd

Analysis

max time kernel
100s
max time network
30s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
11-11-2024 23:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

63289e02c0b42631262e362fe5718f68fe60efe6c3d38729a02715f312f61e17N.exe
Size

1.5MB
MD5

0e5b3ecf966d69237ed141111fa27b8f
SHA1

48059f1a5f4bb73e24d7ff80dcc068d7623ddc4a
SHA256

247f07902013628a4d5caac424e0c89e7be33a74ae471e34b05c8f0719ed27dd
SHA512

35489f20916daed3fdcb00903af13eb726ed557c72c160b40df31d4a2dc1f70931baf99e1c8a7c0ce4f64b98e224a96a3902b10b254bafe5ea15f4ea5bd03bbe
SSDEEP

24576:8eaMajUi+6C+mDjn7gbkFaSH7Wu4mIWGE1Sy/fBEXTHhaTEEER71RM4I13GS:8eaj9bHmMbkBHVdGE1Sy/ujhaIh+1h

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

DCRat payload 5 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2792-1-0x0000000000E00000-0x0000000000F8E000-memory.dmp	dcrat
behavioral1/files/0x0005000000019c3a-26.dat	dcrat
behavioral1/files/0x000500000001a5d4-59.dat	dcrat
behavioral1/files/0x0006000000019db8-140.dat	dcrat
behavioral1/memory/348-222-0x0000000000900000-0x0000000000A8E000-memory.dmp	dcrat

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	63289e02c0b42631262e362fe5718f68fe60efe6c3d38729a02715f312f61e17N.exe

Executes dropped EXE 1 IoCs

pid	Process
348	sppsvc.exe

Drops file in Program Files directory 40 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Analysis Services\886983d96e3d3e	63289e02c0b42631262e362fe5718f68fe60efe6c3d38729a02715f312f61e17N.exe
File created	C:\Program Files\Google\0a1fd5f707cd16	63289e02c0b42631262e362fe5718f68fe60efe6c3d38729a02715f312f61e17N.exe
File created	C:\Program Files (x86)\Windows Sidebar\it-IT\69ddcba757bf72	63289e02c0b42631262e362fe5718f68fe60efe6c3d38729a02715f312f61e17N.exe
File created	C:\Program Files\Windows Defender\fr-FR\63289e02c0b42631262e362fe5718f68fe60efe6c3d38729a02715f312f61e17N.exe	63289e02c0b42631262e362fe5718f68fe60efe6c3d38729a02715f312f61e17N.exe
File created	C:\Program Files (x86)\Windows Mail\es-ES\dwm.exe	63289e02c0b42631262e362fe5718f68fe60efe6c3d38729a02715f312f61e17N.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\csrss.exe	63289e02c0b42631262e362fe5718f68fe60efe6c3d38729a02715f312f61e17N.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\RCXF7D8.tmp	63289e02c0b42631262e362fe5718f68fe60efe6c3d38729a02715f312f61e17N.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\csrss.exe	63289e02c0b42631262e362fe5718f68fe60efe6c3d38729a02715f312f61e17N.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\Network Sharing\RCX4D0.tmp	63289e02c0b42631262e362fe5718f68fe60efe6c3d38729a02715f312f61e17N.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\es-ES\RCX7B0.tmp	63289e02c0b42631262e362fe5718f68fe60efe6c3d38729a02715f312f61e17N.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\csrss.exe	63289e02c0b42631262e362fe5718f68fe60efe6c3d38729a02715f312f61e17N.exe
File opened for modification	C:\Program Files\Google\sppsvc.exe	63289e02c0b42631262e362fe5718f68fe60efe6c3d38729a02715f312f61e17N.exe
File opened for modification	C:\Program Files\Google\RCXFE55.tmp	63289e02c0b42631262e362fe5718f68fe60efe6c3d38729a02715f312f61e17N.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\it-IT\smss.exe	63289e02c0b42631262e362fe5718f68fe60efe6c3d38729a02715f312f61e17N.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\Network Sharing\RCX4D1.tmp	63289e02c0b42631262e362fe5718f68fe60efe6c3d38729a02715f312f61e17N.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\es-ES\dwm.exe	63289e02c0b42631262e362fe5718f68fe60efe6c3d38729a02715f312f61e17N.exe
File created	C:\Program Files (x86)\Windows Media Player\Network Sharing\886983d96e3d3e	63289e02c0b42631262e362fe5718f68fe60efe6c3d38729a02715f312f61e17N.exe
File created	C:\Program Files\Windows NT\TableTextService\es-ES\spoolsv.exe	63289e02c0b42631262e362fe5718f68fe60efe6c3d38729a02715f312f61e17N.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\RCXE2B.tmp	63289e02c0b42631262e362fe5718f68fe60efe6c3d38729a02715f312f61e17N.exe
File opened for modification	C:\Program Files\Windows NT\TableTextService\es-ES\RCX12A1.tmp	63289e02c0b42631262e362fe5718f68fe60efe6c3d38729a02715f312f61e17N.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\csrss.exe	63289e02c0b42631262e362fe5718f68fe60efe6c3d38729a02715f312f61e17N.exe
File created	C:\Program Files (x86)\Windows Mail\es-ES\6cb0b6c459d5d3	63289e02c0b42631262e362fe5718f68fe60efe6c3d38729a02715f312f61e17N.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\RCXF847.tmp	63289e02c0b42631262e362fe5718f68fe60efe6c3d38729a02715f312f61e17N.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\es-ES\RCX742.tmp	63289e02c0b42631262e362fe5718f68fe60efe6c3d38729a02715f312f61e17N.exe
File created	C:\Program Files\Windows Defender\fr-FR\38a1b1a24196dd	63289e02c0b42631262e362fe5718f68fe60efe6c3d38729a02715f312f61e17N.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\886983d96e3d3e	63289e02c0b42631262e362fe5718f68fe60efe6c3d38729a02715f312f61e17N.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\it-IT\RCX5A.tmp	63289e02c0b42631262e362fe5718f68fe60efe6c3d38729a02715f312f61e17N.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\63289e02c0b42631262e362fe5718f68fe60efe6c3d38729a02715f312f61e17N.exe	63289e02c0b42631262e362fe5718f68fe60efe6c3d38729a02715f312f61e17N.exe
File created	C:\Program Files (x86)\Windows Media Player\Network Sharing\csrss.exe	63289e02c0b42631262e362fe5718f68fe60efe6c3d38729a02715f312f61e17N.exe
File opened for modification	C:\Program Files\Google\RCXFE54.tmp	63289e02c0b42631262e362fe5718f68fe60efe6c3d38729a02715f312f61e17N.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\it-IT\RCX59.tmp	63289e02c0b42631262e362fe5718f68fe60efe6c3d38729a02715f312f61e17N.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\RCX25E.tmp	63289e02c0b42631262e362fe5718f68fe60efe6c3d38729a02715f312f61e17N.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\Network Sharing\csrss.exe	63289e02c0b42631262e362fe5718f68fe60efe6c3d38729a02715f312f61e17N.exe
File created	C:\Program Files (x86)\Windows Sidebar\it-IT\smss.exe	63289e02c0b42631262e362fe5718f68fe60efe6c3d38729a02715f312f61e17N.exe
File created	C:\Program Files\Windows NT\TableTextService\es-ES\f3b6ecef712a24	63289e02c0b42631262e362fe5718f68fe60efe6c3d38729a02715f312f61e17N.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\RCX25F.tmp	63289e02c0b42631262e362fe5718f68fe60efe6c3d38729a02715f312f61e17N.exe
File created	C:\Program Files\Google\sppsvc.exe	63289e02c0b42631262e362fe5718f68fe60efe6c3d38729a02715f312f61e17N.exe
File opened for modification	C:\Program Files\Windows NT\TableTextService\es-ES\RCX131F.tmp	63289e02c0b42631262e362fe5718f68fe60efe6c3d38729a02715f312f61e17N.exe
File opened for modification	C:\Program Files\Windows NT\TableTextService\es-ES\spoolsv.exe	63289e02c0b42631262e362fe5718f68fe60efe6c3d38729a02715f312f61e17N.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\RCXE2A.tmp	63289e02c0b42631262e362fe5718f68fe60efe6c3d38729a02715f312f61e17N.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\schemas\AvailableNetwork\lsass.exe	63289e02c0b42631262e362fe5718f68fe60efe6c3d38729a02715f312f61e17N.exe
File created	C:\Windows\Registration\CRMLog\dllhost.exe	63289e02c0b42631262e362fe5718f68fe60efe6c3d38729a02715f312f61e17N.exe
File created	C:\Windows\schemas\AvailableNetwork\6203df4a6bafc7	63289e02c0b42631262e362fe5718f68fe60efe6c3d38729a02715f312f61e17N.exe
File opened for modification	C:\Windows\Registration\CRMLog\dllhost.exe	63289e02c0b42631262e362fe5718f68fe60efe6c3d38729a02715f312f61e17N.exe
File opened for modification	C:\Windows\schemas\AvailableNetwork\RCX109D.tmp	63289e02c0b42631262e362fe5718f68fe60efe6c3d38729a02715f312f61e17N.exe
File opened for modification	C:\Windows\schemas\AvailableNetwork\RCX109C.tmp	63289e02c0b42631262e362fe5718f68fe60efe6c3d38729a02715f312f61e17N.exe
File created	C:\Windows\Registration\CRMLog\5940a34987c991	63289e02c0b42631262e362fe5718f68fe60efe6c3d38729a02715f312f61e17N.exe
File created	C:\Windows\schemas\AvailableNetwork\lsass.exe	63289e02c0b42631262e362fe5718f68fe60efe6c3d38729a02715f312f61e17N.exe
File opened for modification	C:\Windows\Registration\CRMLog\RCXBB8.tmp	63289e02c0b42631262e362fe5718f68fe60efe6c3d38729a02715f312f61e17N.exe
File opened for modification	C:\Windows\Registration\CRMLog\RCXBB9.tmp	63289e02c0b42631262e362fe5718f68fe60efe6c3d38729a02715f312f61e17N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 42 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1972	schtasks.exe
2020	schtasks.exe
1752	schtasks.exe
2276	schtasks.exe
1292	schtasks.exe
2512	schtasks.exe
1472	schtasks.exe
2624	schtasks.exe
1996	schtasks.exe
596	schtasks.exe
2292	schtasks.exe
2408	schtasks.exe
1580	schtasks.exe
2204	schtasks.exe
716	schtasks.exe
2300	schtasks.exe
1192	schtasks.exe
2440	schtasks.exe
2968	schtasks.exe
2076	schtasks.exe
1012	schtasks.exe
1572	schtasks.exe
2856	schtasks.exe
2592	schtasks.exe
996	schtasks.exe
1696	schtasks.exe
848	schtasks.exe
1932	schtasks.exe
1568	schtasks.exe
772	schtasks.exe
1428	schtasks.exe
556	schtasks.exe
1848	schtasks.exe
2648	schtasks.exe
2128	schtasks.exe
1944	schtasks.exe
1676	schtasks.exe
2052	schtasks.exe
480	schtasks.exe
2916	schtasks.exe
2248	schtasks.exe
2200	schtasks.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
348	sppsvc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2792	63289e02c0b42631262e362fe5718f68fe60efe6c3d38729a02715f312f61e17N.exe
2792	63289e02c0b42631262e362fe5718f68fe60efe6c3d38729a02715f312f61e17N.exe
2792	63289e02c0b42631262e362fe5718f68fe60efe6c3d38729a02715f312f61e17N.exe
2792	63289e02c0b42631262e362fe5718f68fe60efe6c3d38729a02715f312f61e17N.exe
2792	63289e02c0b42631262e362fe5718f68fe60efe6c3d38729a02715f312f61e17N.exe
2792	63289e02c0b42631262e362fe5718f68fe60efe6c3d38729a02715f312f61e17N.exe
2792	63289e02c0b42631262e362fe5718f68fe60efe6c3d38729a02715f312f61e17N.exe
2792	63289e02c0b42631262e362fe5718f68fe60efe6c3d38729a02715f312f61e17N.exe
2792	63289e02c0b42631262e362fe5718f68fe60efe6c3d38729a02715f312f61e17N.exe
2792	63289e02c0b42631262e362fe5718f68fe60efe6c3d38729a02715f312f61e17N.exe
2792	63289e02c0b42631262e362fe5718f68fe60efe6c3d38729a02715f312f61e17N.exe
2792	63289e02c0b42631262e362fe5718f68fe60efe6c3d38729a02715f312f61e17N.exe
2792	63289e02c0b42631262e362fe5718f68fe60efe6c3d38729a02715f312f61e17N.exe
2792	63289e02c0b42631262e362fe5718f68fe60efe6c3d38729a02715f312f61e17N.exe
2792	63289e02c0b42631262e362fe5718f68fe60efe6c3d38729a02715f312f61e17N.exe
2792	63289e02c0b42631262e362fe5718f68fe60efe6c3d38729a02715f312f61e17N.exe
2792	63289e02c0b42631262e362fe5718f68fe60efe6c3d38729a02715f312f61e17N.exe
2792	63289e02c0b42631262e362fe5718f68fe60efe6c3d38729a02715f312f61e17N.exe
2792	63289e02c0b42631262e362fe5718f68fe60efe6c3d38729a02715f312f61e17N.exe
2792	63289e02c0b42631262e362fe5718f68fe60efe6c3d38729a02715f312f61e17N.exe
2792	63289e02c0b42631262e362fe5718f68fe60efe6c3d38729a02715f312f61e17N.exe
2792	63289e02c0b42631262e362fe5718f68fe60efe6c3d38729a02715f312f61e17N.exe
2792	63289e02c0b42631262e362fe5718f68fe60efe6c3d38729a02715f312f61e17N.exe
2792	63289e02c0b42631262e362fe5718f68fe60efe6c3d38729a02715f312f61e17N.exe
2792	63289e02c0b42631262e362fe5718f68fe60efe6c3d38729a02715f312f61e17N.exe
2792	63289e02c0b42631262e362fe5718f68fe60efe6c3d38729a02715f312f61e17N.exe
2792	63289e02c0b42631262e362fe5718f68fe60efe6c3d38729a02715f312f61e17N.exe
2792	63289e02c0b42631262e362fe5718f68fe60efe6c3d38729a02715f312f61e17N.exe
2792	63289e02c0b42631262e362fe5718f68fe60efe6c3d38729a02715f312f61e17N.exe
2792	63289e02c0b42631262e362fe5718f68fe60efe6c3d38729a02715f312f61e17N.exe
2792	63289e02c0b42631262e362fe5718f68fe60efe6c3d38729a02715f312f61e17N.exe
2792	63289e02c0b42631262e362fe5718f68fe60efe6c3d38729a02715f312f61e17N.exe
2792	63289e02c0b42631262e362fe5718f68fe60efe6c3d38729a02715f312f61e17N.exe
2792	63289e02c0b42631262e362fe5718f68fe60efe6c3d38729a02715f312f61e17N.exe
2792	63289e02c0b42631262e362fe5718f68fe60efe6c3d38729a02715f312f61e17N.exe
2792	63289e02c0b42631262e362fe5718f68fe60efe6c3d38729a02715f312f61e17N.exe
2792	63289e02c0b42631262e362fe5718f68fe60efe6c3d38729a02715f312f61e17N.exe
2792	63289e02c0b42631262e362fe5718f68fe60efe6c3d38729a02715f312f61e17N.exe
2792	63289e02c0b42631262e362fe5718f68fe60efe6c3d38729a02715f312f61e17N.exe
2792	63289e02c0b42631262e362fe5718f68fe60efe6c3d38729a02715f312f61e17N.exe
2792	63289e02c0b42631262e362fe5718f68fe60efe6c3d38729a02715f312f61e17N.exe
2792	63289e02c0b42631262e362fe5718f68fe60efe6c3d38729a02715f312f61e17N.exe
2792	63289e02c0b42631262e362fe5718f68fe60efe6c3d38729a02715f312f61e17N.exe
2792	63289e02c0b42631262e362fe5718f68fe60efe6c3d38729a02715f312f61e17N.exe
2792	63289e02c0b42631262e362fe5718f68fe60efe6c3d38729a02715f312f61e17N.exe
348	sppsvc.exe
348	sppsvc.exe
348	sppsvc.exe
348	sppsvc.exe
348	sppsvc.exe
348	sppsvc.exe
348	sppsvc.exe
348	sppsvc.exe
348	sppsvc.exe
348	sppsvc.exe
348	sppsvc.exe
348	sppsvc.exe
348	sppsvc.exe
348	sppsvc.exe
348	sppsvc.exe
348	sppsvc.exe
348	sppsvc.exe
348	sppsvc.exe
348	sppsvc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2792	63289e02c0b42631262e362fe5718f68fe60efe6c3d38729a02715f312f61e17N.exe
Token: SeDebugPrivilege	348	sppsvc.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2792 wrote to memory of 940	2792	63289e02c0b42631262e362fe5718f68fe60efe6c3d38729a02715f312f61e17N.exe	74
PID 2792 wrote to memory of 940	2792	63289e02c0b42631262e362fe5718f68fe60efe6c3d38729a02715f312f61e17N.exe	74
PID 2792 wrote to memory of 940	2792	63289e02c0b42631262e362fe5718f68fe60efe6c3d38729a02715f312f61e17N.exe	74
PID 940 wrote to memory of 336	940	cmd.exe	76
PID 940 wrote to memory of 336	940	cmd.exe	76
PID 940 wrote to memory of 336	940	cmd.exe	76
PID 940 wrote to memory of 348	940	cmd.exe	77
PID 940 wrote to memory of 348	940	cmd.exe	77
PID 940 wrote to memory of 348	940	cmd.exe	77
PID 940 wrote to memory of 348	940	cmd.exe	77
PID 940 wrote to memory of 348	940	cmd.exe	77

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\63289e02c0b42631262e362fe5718f68fe60efe6c3d38729a02715f312f61e17N.exe
"C:\Users\Admin\AppData\Local\Temp\63289e02c0b42631262e362fe5718f68fe60efe6c3d38729a02715f312f61e17N.exe"
1⤵
- Drops file in Drivers directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2792
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vQv3iUx6r8.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:940
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:336
- - C:\Program Files\Google\sppsvc.exe
    "C:\Program Files\Google\sppsvc.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\csrss.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\csrss.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\csrss.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Desktop\audiodg.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\Public\Desktop\audiodg.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Desktop\audiodg.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Pictures\Sample Pictures\services.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Public\Pictures\Sample Pictures\services.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Pictures\Sample Pictures\services.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Program Files\Google\sppsvc.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Google\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Program Files\Google\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Sidebar\it-IT\smss.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\it-IT\smss.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Sidebar\it-IT\smss.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "63289e02c0b42631262e362fe5718f68fe60efe6c3d38729a02715f312f61e17N6" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Defender\fr-FR\63289e02c0b42631262e362fe5718f68fe60efe6c3d38729a02715f312f61e17N.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "63289e02c0b42631262e362fe5718f68fe60efe6c3d38729a02715f312f61e17N" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\fr-FR\63289e02c0b42631262e362fe5718f68fe60efe6c3d38729a02715f312f61e17N.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "63289e02c0b42631262e362fe5718f68fe60efe6c3d38729a02715f312f61e17N6" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Defender\fr-FR\63289e02c0b42631262e362fe5718f68fe60efe6c3d38729a02715f312f61e17N.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Media Player\Network Sharing\csrss.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\Network Sharing\csrss.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Media Player\Network Sharing\csrss.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Mail\es-ES\dwm.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\es-ES\dwm.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Mail\es-ES\dwm.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\lsass.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\lsass.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\lsass.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Windows\Registration\CRMLog\dllhost.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Registration\CRMLog\dllhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Windows\Registration\CRMLog\dllhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\csrss.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\csrss.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\csrss.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Windows\schemas\AvailableNetwork\lsass.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\schemas\AvailableNetwork\lsass.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Windows\schemas\AvailableNetwork\lsass.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows NT\TableTextService\es-ES\spoolsv.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Windows NT\TableTextService\es-ES\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows NT\TableTextService\es-ES\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\dwm.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\dwm.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\dwm.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Analysis Services\csrss.exe

Filesize
1.5MB

MD5
6dcf1c9cb2f14b51df1f4c749979a13a

SHA1
f253457c37d8fb09a60467b69eb0fb6895ef1f02

SHA256
87ee788142b77e2b8c7fb38b9b2644d96ddda2c1c51ff56f23ac41c8f53c83da

SHA512
3a4595d630d181938782fe3435312e6dcc90756837a8fb69fcf5d20eaa6a80d39acea3e267b1fea70929880b969ce2e2963f2f5e765576b0b167ad1d7c474442

Download Submit
C:\Program Files (x86)\Windows Mail\es-ES\dwm.exe

Filesize
1.5MB

MD5
e5b5ba3aaf700c82aef1cfba9f55a578

SHA1
dbfe15a823ad3c0907873f586ab80cdc16b1144f

SHA256
a2926c1160e998c7a0d24cc88f9651d0a3b35384605d003a31d5e01046731dc9

SHA512
621a5768e42dee13915ec8dcdb140b242da2c1546177874ef3e5ef4dc4f52774c15c7eb82ee245002c9ecccde09ce0a0c79aa0f42d18687793c4ee5350c69a5c

Download Submit
C:\Program Files (x86)\Windows Sidebar\it-IT\smss.exe

Filesize
1.5MB

MD5
0e5b3ecf966d69237ed141111fa27b8f

SHA1
48059f1a5f4bb73e24d7ff80dcc068d7623ddc4a

SHA256
247f07902013628a4d5caac424e0c89e7be33a74ae471e34b05c8f0719ed27dd

SHA512
35489f20916daed3fdcb00903af13eb726ed557c72c160b40df31d4a2dc1f70931baf99e1c8a7c0ce4f64b98e224a96a3902b10b254bafe5ea15f4ea5bd03bbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\vQv3iUx6r8.bat

Filesize
199B

MD5
e3ca7ba3f9f5da4494da2a94e149fd66

SHA1
3b8029fd6ba3969735776600bcf79fb331ae7240

SHA256
5274f34115b23152b0b72b83284c349edd7bdd96e5c362ebff6e493ec50af275

SHA512
2064a0076554de9fd60cf71e59acaabfffd0ed7f2b6d96c5991ab6d5f5ff3f6c997fe4ab6d94c7d540552d2e328463035263c34e8be6e705bf9251826be3e32c

Download Submit
memory/348-222-0x0000000000900000-0x0000000000A8E000-memory.dmp

Filesize
1.6MB

Download
memory/2792-8-0x0000000000430000-0x0000000000438000-memory.dmp

Filesize
32KB

Download
memory/2792-10-0x0000000000440000-0x0000000000448000-memory.dmp

Filesize
32KB

Download
memory/2792-11-0x00000000005D0000-0x00000000005DC000-memory.dmp

Filesize
48KB

Download
memory/2792-16-0x0000000000AD0000-0x0000000000ADA000-memory.dmp

Filesize
40KB

Download
memory/2792-15-0x0000000000AC0000-0x0000000000AC8000-memory.dmp

Filesize
32KB

Download
memory/2792-14-0x0000000000AB0000-0x0000000000ABC000-memory.dmp

Filesize
48KB

Download
memory/2792-13-0x00000000005E0000-0x00000000005E8000-memory.dmp

Filesize
32KB

Download
memory/2792-12-0x00000000005F0000-0x00000000005FE000-memory.dmp

Filesize
56KB

Download
memory/2792-19-0x000007FEF5D10000-0x000007FEF66FC000-memory.dmp

Filesize
9.9MB

Download
memory/2792-0-0x000007FEF5D13000-0x000007FEF5D14000-memory.dmp

Filesize
4KB

Download
memory/2792-7-0x0000000000420000-0x0000000000430000-memory.dmp

Filesize
64KB

Download
memory/2792-5-0x00000000003F0000-0x0000000000400000-memory.dmp

Filesize
64KB

Download
memory/2792-6-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2792-4-0x00000000003E0000-0x00000000003E8000-memory.dmp

Filesize
32KB

Download
memory/2792-3-0x00000000003C0000-0x00000000003DC000-memory.dmp

Filesize
112KB

Download
memory/2792-199-0x000007FEF5D13000-0x000007FEF5D14000-memory.dmp

Filesize
4KB

Download
memory/2792-212-0x000007FEF5D10000-0x000007FEF66FC000-memory.dmp

Filesize
9.9MB

Download
memory/2792-2-0x000007FEF5D10000-0x000007FEF66FC000-memory.dmp

Filesize
9.9MB

Download
memory/2792-219-0x000007FEF5D10000-0x000007FEF66FC000-memory.dmp

Filesize
9.9MB

Download
memory/2792-1-0x0000000000E00000-0x0000000000F8E000-memory.dmp

Filesize
1.6MB

Download