dcrat | fe96ae8bd988e21b4bb52513ca43192b9adbc73c622cb6abc9a3145ec7823040

Analysis

max time kernel
68s
max time network
61s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
10-01-2025 01:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe
Size

2.7MB
MD5

4d9be74be06728c10b25ef019f7ff0b3
SHA1

10c41cfa6c5dbec839759e9fd6971e57311ea76a
SHA256

f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343
SHA512

5e5b6b7a1fe66625b95d83fa2c0c77defe75c328cea02418179ce674134de65a1a2e3fc1e281d12448ac931cd803238205f0a71be73deee473d562d5ca3fd96f
SSDEEP

49152:VRx6mfxiUnp3jfmEXD9KxZU9IaK3clnUezzuuLjaO7e:b40VJ5XQxZUyrctHNyse

Score

10^/10

dcrat evasion infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 39 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2440	2924	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2912	2924	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3024	2924	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2736	2924	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	760	2924	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2592	2924	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2224	2924	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2708	2924	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1668	2924	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2236	2924	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	744	2924	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1748	2924	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1264	2924	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3068	2924	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2240	2924	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2600	2924	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3056	2924	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3040	2924	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2416	2924	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2648	2924	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3064	2924	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	844	2924	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1032	2924	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1920	2924	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1280	2924	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2188	2924	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2644	2924	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2364	2924	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2200	2924	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	916	2924	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1148	2924	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	524	2924	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1004	2924	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1792	2924	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2988	2924	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1804	2924	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2700	2924	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1532	2924	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	756	2924	schtasks.exe	29

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe

DCRat payload 6 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/3004-1-0x0000000001300000-0x00000000015B4000-memory.dmp	dcrat
behavioral1/files/0x00050000000195c1-28.dat	dcrat
behavioral1/files/0x000600000001a3fd-71.dat	dcrat
behavioral1/files/0x000a00000001a3f6-130.dat	dcrat
behavioral1/files/0x000600000001a03c-197.dat	dcrat
behavioral1/memory/1648-209-0x0000000001270000-0x0000000001524000-memory.dmp	dcrat

Executes dropped EXE 1 IoCs

pid	Process
1648	lsm.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe

Drops file in Program Files directory 30 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Photo Viewer\ja-JP\services.exe	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe
File created	C:\Program Files\Mozilla Firefox\defaults\pref\101b941d020240	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\ja-JP\OSPPSVC.exe	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\RCX11C6.tmp	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\RCX13EA.tmp	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\RCX13FB.tmp	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe
File opened for modification	C:\Program Files\Mozilla Firefox\defaults\pref\RCX1B9E.tmp	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\lsm.exe	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\lsm.exe	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe
File created	C:\Program Files (x86)\Windows Mail\ja-JP\OSPPSVC.exe	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\en-US\spoolsv.exe	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\101b941d020240	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\lsass.exe	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\6203df4a6bafc7	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\lsass.exe	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\ja-JP\services.exe	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\ja-JP\c5b4cb5e9653cc	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\en-US\spoolsv.exe	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\ja-JP\RCXA90.tmp	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe
File opened for modification	C:\Program Files\Mozilla Firefox\defaults\pref\RCX1BAF.tmp	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\ja-JP\RCXB1D.tmp	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\en-US\RCXD30.tmp	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe
File opened for modification	C:\Program Files\Mozilla Firefox\defaults\pref\lsm.exe	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe
File created	C:\Program Files (x86)\Windows Mail\ja-JP\1610b97d3ab4a7	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\en-US\f3b6ecef712a24	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe
File created	C:\Program Files\Mozilla Firefox\defaults\pref\lsm.exe	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\en-US\RCXD41.tmp	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\RCX11E7.tmp	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\ja-JP\RCX18A0.tmp	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\ja-JP\RCX191D.tmp	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\ja-JP\services.exe	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe
File created	C:\Windows\ja-JP\c5b4cb5e9653cc	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe
File opened for modification	C:\Windows\ja-JP\RCX1FE6.tmp	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe
File opened for modification	C:\Windows\ja-JP\RCX2006.tmp	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe
File opened for modification	C:\Windows\ja-JP\services.exe	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 39 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
760	schtasks.exe
1264	schtasks.exe
756	schtasks.exe
1032	schtasks.exe
1004	schtasks.exe
3040	schtasks.exe
2648	schtasks.exe
844	schtasks.exe
1792	schtasks.exe
2708	schtasks.exe
744	schtasks.exe
2240	schtasks.exe
2644	schtasks.exe
2200	schtasks.exe
2700	schtasks.exe
2912	schtasks.exe
3068	schtasks.exe
2236	schtasks.exe
2600	schtasks.exe
1148	schtasks.exe
1532	schtasks.exe
2736	schtasks.exe
1668	schtasks.exe
2188	schtasks.exe
1804	schtasks.exe
2592	schtasks.exe
2224	schtasks.exe
1920	schtasks.exe
1280	schtasks.exe
524	schtasks.exe
3024	schtasks.exe
2416	schtasks.exe
3056	schtasks.exe
3064	schtasks.exe
2364	schtasks.exe
916	schtasks.exe
2988	schtasks.exe
2440	schtasks.exe
1748	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3004	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe
3004	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe
3004	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe
1648	lsm.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3004	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe
Token: SeDebugPrivilege	1648	lsm.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3004 wrote to memory of 1648	3004	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe	69
PID 3004 wrote to memory of 1648	3004	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe	69
PID 3004 wrote to memory of 1648	3004	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe	69

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe
"C:\Users\Admin\AppData\Local\Temp\f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3004
- C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\lsm.exe
  "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\lsm.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification
  PID:1648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Mail\ja-JP\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\ja-JP\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Mail\ja-JP\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft Games\SpiderSolitaire\en-US\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\SpiderSolitaire\en-US\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Program Files\Microsoft Games\SpiderSolitaire\en-US\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Program Files\Mozilla Firefox\browser\features\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\browser\features\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Program Files\Mozilla Firefox\browser\features\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Program Files\Reference Assemblies\Microsoft\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Program Files\Reference Assemblies\Microsoft\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Photo Viewer\ja-JP\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\ja-JP\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Photo Viewer\ja-JP\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Program Files\Mozilla Firefox\defaults\pref\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\defaults\pref\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Program Files\Mozilla Firefox\defaults\pref\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Windows\ja-JP\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\ja-JP\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Windows\ja-JP\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\spoolsv.exe

Filesize
2.7MB

MD5
199283c88d25ef3fac072900dee7216d

SHA1
e1a3a1d7b8852b87e32a607e5b814b013da3ae59

SHA256
535df75606777f9a9b2f432daf9b7963dc3183778e194a6e3984d1154edacb4c

SHA512
efb3492721bbe260f2a712265b619dae6469a1b2eb8c1583355c05f9b3e9de207529afa459c31dc725b8a7c8788aa73ea7826745337c8864b45128c46ef14a23

Download Submit
C:\Program Files (x86)\Windows Mail\ja-JP\OSPPSVC.exe

Filesize
2.7MB

MD5
32c9d8be3e3dbeb7cad6b6519ac0749d

SHA1
6e11541fbb029334f0e02582657cb6153750ff09

SHA256
06bbd628a62f51709c45f91e7ccd7e2388f3cb596e1c09d62aef236299f998f7

SHA512
a17524629ae2d8235b6ceec2a23f94bbe982d7c77c8e12e76c1e682d610784c3b88ed0433e9e185e86eecf94d673187ddead465d5634aabd017a4bdb1807c54d

Download Submit
C:\Program Files\Mozilla Firefox\browser\features\lsm.exe

Filesize
2.7MB

MD5
4d9be74be06728c10b25ef019f7ff0b3

SHA1
10c41cfa6c5dbec839759e9fd6971e57311ea76a

SHA256
f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343

SHA512
5e5b6b7a1fe66625b95d83fa2c0c77defe75c328cea02418179ce674134de65a1a2e3fc1e281d12448ac931cd803238205f0a71be73deee473d562d5ca3fd96f

Download Submit
C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\spoolsv.exe

Filesize
2.7MB

MD5
9ea806201460894b8e0b979e4de7a178

SHA1
144b190834617663a622da296984e6152f3bf9c8

SHA256
0c708a62c29c7a1834a78dfb0f79438f3c2025adccc4c57dd16312aabd05fca2

SHA512
247cf12453cea686f18fee9e508429a96790d0dcded189a8f628bb2b2e0904feb7d3f167ab982204d11ab19c53943d306b45fc5cfb787871665be6ec3bb530d9

Download Submit
memory/1648-211-0x0000000000BD0000-0x0000000000BE2000-memory.dmp

Filesize
72KB

Download
memory/1648-209-0x0000000001270000-0x0000000001524000-memory.dmp

Filesize
2.7MB

Download
memory/3004-7-0x0000000000710000-0x0000000000726000-memory.dmp

Filesize
88KB

Download
memory/3004-17-0x00000000012C0000-0x00000000012CC000-memory.dmp

Filesize
48KB

Download
memory/3004-8-0x0000000000730000-0x0000000000738000-memory.dmp

Filesize
32KB

Download
memory/3004-9-0x0000000000740000-0x000000000074A000-memory.dmp

Filesize
40KB

Download
memory/3004-10-0x0000000000AA0000-0x0000000000AF6000-memory.dmp

Filesize
344KB

Download
memory/3004-11-0x0000000000750000-0x0000000000758000-memory.dmp

Filesize
32KB

Download
memory/3004-12-0x0000000000760000-0x0000000000772000-memory.dmp

Filesize
72KB

Download
memory/3004-13-0x0000000000AF0000-0x0000000000AF8000-memory.dmp

Filesize
32KB

Download
memory/3004-14-0x0000000000BA0000-0x0000000000BA8000-memory.dmp

Filesize
32KB

Download
memory/3004-15-0x0000000000BB0000-0x0000000000BBC000-memory.dmp

Filesize
48KB

Download
memory/3004-16-0x0000000000BC0000-0x0000000000BCE000-memory.dmp

Filesize
56KB

Download
memory/3004-0-0x000007FEF66E3000-0x000007FEF66E4000-memory.dmp

Filesize
4KB

Download
memory/3004-18-0x00000000012D0000-0x00000000012DA000-memory.dmp

Filesize
40KB

Download
memory/3004-19-0x00000000012E0000-0x00000000012EC000-memory.dmp

Filesize
48KB

Download
memory/3004-6-0x0000000000700000-0x0000000000710000-memory.dmp

Filesize
64KB

Download
memory/3004-5-0x00000000003D0000-0x00000000003D8000-memory.dmp

Filesize
32KB

Download
memory/3004-4-0x0000000000560000-0x000000000057C000-memory.dmp

Filesize
112KB

Download
memory/3004-133-0x000007FEF66E3000-0x000007FEF66E4000-memory.dmp

Filesize
4KB

Download
memory/3004-144-0x000007FEF66E0000-0x000007FEF70CC000-memory.dmp

Filesize
9.9MB

Download
memory/3004-3-0x00000000003B0000-0x00000000003BE000-memory.dmp

Filesize
56KB

Download
memory/3004-2-0x000007FEF66E0000-0x000007FEF70CC000-memory.dmp

Filesize
9.9MB

Download
memory/3004-210-0x000007FEF66E0000-0x000007FEF70CC000-memory.dmp

Filesize
9.9MB

Download
memory/3004-1-0x0000000001300000-0x00000000015B4000-memory.dmp

Filesize
2.7MB

Download