dcrat | f3b87a68e3780951dce0104da18f6e75c860c3aa830f9b4a0a4508ba75184c21

Analysis

max time kernel
117s
max time network
117s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
17-01-2025 09:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f3b87a68e3780951dce0104da18f6e75c860c3aa830f9b4a0a4508ba75184c21.exe
Size

2.7MB
MD5

974e955c30ae5c68c82af0fd2001c330
SHA1

f52e77c911f388ba9ec33a6f5c18450c440cfb52
SHA256

f3b87a68e3780951dce0104da18f6e75c860c3aa830f9b4a0a4508ba75184c21
SHA512

298319af2faf835ee81496c950e45f9e4ea70dbc9d7406c854dfa1a12411c0be6503ee9e9fca179ad035df2698877a2ed6458a1ad096fdf088b555227a711653
SSDEEP

49152:MDkZWCF2T8juUND4YQxZzfllulb0fnyN27mEGnjYEhQ+QK:t4CF2sjELplCbmyN27PxEhQ+

Score

10^/10

dcrat evasion infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 36 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2788	2668	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2724	2668	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2848	2668	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2708	2668	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2656	2668	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2552	2668	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3060	2668	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3008	2668	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1564	2668	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1476	2668	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1244	2668	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1940	2668	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2800	2668	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1684	2668	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	692	2668	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1448	2668	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1944	2668	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2436	2668	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2732	2668	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1696	2668	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2644	2668	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1640	2668	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2896	2668	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2860	2668	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2116	2668	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2360	2668	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1240	2668	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1344	2668	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	316	2668	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2396	2668	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2936	2668	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1216	2668	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1372	2668	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1032	2668	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2920	2668	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2356	2668	schtasks.exe	31

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	f3b87a68e3780951dce0104da18f6e75c860c3aa830f9b4a0a4508ba75184c21.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	f3b87a68e3780951dce0104da18f6e75c860c3aa830f9b4a0a4508ba75184c21.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f3b87a68e3780951dce0104da18f6e75c860c3aa830f9b4a0a4508ba75184c21.exe

DCRat payload 7 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/1056-1-0x0000000001160000-0x0000000001414000-memory.dmp	dcrat
behavioral1/files/0x0006000000016b86-28.dat	dcrat
behavioral1/files/0x000b000000015d0a-92.dat	dcrat
behavioral1/files/0x00080000000164de-103.dat	dcrat
behavioral1/files/0x000d000000016b86-161.dat	dcrat
behavioral1/files/0x0008000000016cab-172.dat	dcrat
behavioral1/memory/2908-195-0x0000000000D60000-0x0000000001014000-memory.dmp	dcrat

Executes dropped EXE 1 IoCs

pid	Process
2908	dwm.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	f3b87a68e3780951dce0104da18f6e75c860c3aa830f9b4a0a4508ba75184c21.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f3b87a68e3780951dce0104da18f6e75c860c3aa830f9b4a0a4508ba75184c21.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe

Drops file in Program Files directory 25 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Windows Mail\de-DE\sppsvc.exe	f3b87a68e3780951dce0104da18f6e75c860c3aa830f9b4a0a4508ba75184c21.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\it-IT\RCXECFA.tmp	f3b87a68e3780951dce0104da18f6e75c860c3aa830f9b4a0a4508ba75184c21.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\en-US\dllhost.exe	f3b87a68e3780951dce0104da18f6e75c860c3aa830f9b4a0a4508ba75184c21.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\RCXF171.tmp	f3b87a68e3780951dce0104da18f6e75c860c3aa830f9b4a0a4508ba75184c21.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\b75386f1303e64	f3b87a68e3780951dce0104da18f6e75c860c3aa830f9b4a0a4508ba75184c21.exe
File created	C:\Program Files (x86)\Windows Mail\de-DE\sppsvc.exe	f3b87a68e3780951dce0104da18f6e75c860c3aa830f9b4a0a4508ba75184c21.exe
File created	C:\Program Files\Microsoft Games\Solitaire\it-IT\wininit.exe	f3b87a68e3780951dce0104da18f6e75c860c3aa830f9b4a0a4508ba75184c21.exe
File created	C:\Program Files\Microsoft Games\Hearts\42af1c969fbb7b	f3b87a68e3780951dce0104da18f6e75c860c3aa830f9b4a0a4508ba75184c21.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\audiodg.exe	f3b87a68e3780951dce0104da18f6e75c860c3aa830f9b4a0a4508ba75184c21.exe
File created	C:\Program Files\Microsoft Games\Hearts\audiodg.exe	f3b87a68e3780951dce0104da18f6e75c860c3aa830f9b4a0a4508ba75184c21.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\de-DE\RCXEAF6.tmp	f3b87a68e3780951dce0104da18f6e75c860c3aa830f9b4a0a4508ba75184c21.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\it-IT\RCXECFB.tmp	f3b87a68e3780951dce0104da18f6e75c860c3aa830f9b4a0a4508ba75184c21.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\it-IT\wininit.exe	f3b87a68e3780951dce0104da18f6e75c860c3aa830f9b4a0a4508ba75184c21.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\taskhost.exe	f3b87a68e3780951dce0104da18f6e75c860c3aa830f9b4a0a4508ba75184c21.exe
File created	C:\Program Files (x86)\Windows Mail\de-DE\0a1fd5f707cd16	f3b87a68e3780951dce0104da18f6e75c860c3aa830f9b4a0a4508ba75184c21.exe
File created	C:\Program Files\Microsoft Games\Solitaire\it-IT\56085415360792	f3b87a68e3780951dce0104da18f6e75c860c3aa830f9b4a0a4508ba75184c21.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\en-US\dllhost.exe	f3b87a68e3780951dce0104da18f6e75c860c3aa830f9b4a0a4508ba75184c21.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\en-US\RCXEF6C.tmp	f3b87a68e3780951dce0104da18f6e75c860c3aa830f9b4a0a4508ba75184c21.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\en-US\5940a34987c991	f3b87a68e3780951dce0104da18f6e75c860c3aa830f9b4a0a4508ba75184c21.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RCXE17B.tmp	f3b87a68e3780951dce0104da18f6e75c860c3aa830f9b4a0a4508ba75184c21.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RCXE18C.tmp	f3b87a68e3780951dce0104da18f6e75c860c3aa830f9b4a0a4508ba75184c21.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\RCXF172.tmp	f3b87a68e3780951dce0104da18f6e75c860c3aa830f9b4a0a4508ba75184c21.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\taskhost.exe	f3b87a68e3780951dce0104da18f6e75c860c3aa830f9b4a0a4508ba75184c21.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\de-DE\RCXEA88.tmp	f3b87a68e3780951dce0104da18f6e75c860c3aa830f9b4a0a4508ba75184c21.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\en-US\RCXEF6D.tmp	f3b87a68e3780951dce0104da18f6e75c860c3aa830f9b4a0a4508ba75184c21.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.Transactions.Bridge.Dtc\RCXF377.tmp	f3b87a68e3780951dce0104da18f6e75c860c3aa830f9b4a0a4508ba75184c21.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.Transactions.Bridge.Dtc\smss.exe	f3b87a68e3780951dce0104da18f6e75c860c3aa830f9b4a0a4508ba75184c21.exe
File created	C:\Windows\schemas\TSWorkSpace\WMIADAP.exe	f3b87a68e3780951dce0104da18f6e75c860c3aa830f9b4a0a4508ba75184c21.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.Transactions.Bridge.Dtc\smss.exe	f3b87a68e3780951dce0104da18f6e75c860c3aa830f9b4a0a4508ba75184c21.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.Transactions.Bridge.Dtc\69ddcba757bf72	f3b87a68e3780951dce0104da18f6e75c860c3aa830f9b4a0a4508ba75184c21.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.Transactions.Bridge.Dtc\RCXF376.tmp	f3b87a68e3780951dce0104da18f6e75c860c3aa830f9b4a0a4508ba75184c21.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 36 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2116	schtasks.exe
1564	schtasks.exe
1940	schtasks.exe
1448	schtasks.exe
1696	schtasks.exe
2732	schtasks.exe
1640	schtasks.exe
2360	schtasks.exe
316	schtasks.exe
2788	schtasks.exe
2708	schtasks.exe
1476	schtasks.exe
692	schtasks.exe
2936	schtasks.exe
1216	schtasks.exe
1032	schtasks.exe
1344	schtasks.exe
2920	schtasks.exe
2896	schtasks.exe
2396	schtasks.exe
2724	schtasks.exe
2656	schtasks.exe
3060	schtasks.exe
1944	schtasks.exe
2848	schtasks.exe
1684	schtasks.exe
1372	schtasks.exe
2436	schtasks.exe
2356	schtasks.exe
3008	schtasks.exe
1244	schtasks.exe
2800	schtasks.exe
2860	schtasks.exe
2552	schtasks.exe
2644	schtasks.exe
1240	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1056	f3b87a68e3780951dce0104da18f6e75c860c3aa830f9b4a0a4508ba75184c21.exe
1056	f3b87a68e3780951dce0104da18f6e75c860c3aa830f9b4a0a4508ba75184c21.exe
1056	f3b87a68e3780951dce0104da18f6e75c860c3aa830f9b4a0a4508ba75184c21.exe
2908	dwm.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1056	f3b87a68e3780951dce0104da18f6e75c860c3aa830f9b4a0a4508ba75184c21.exe
Token: SeDebugPrivilege	2908	dwm.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1056 wrote to memory of 2908	1056	f3b87a68e3780951dce0104da18f6e75c860c3aa830f9b4a0a4508ba75184c21.exe	68
PID 1056 wrote to memory of 2908	1056	f3b87a68e3780951dce0104da18f6e75c860c3aa830f9b4a0a4508ba75184c21.exe	68
PID 1056 wrote to memory of 2908	1056	f3b87a68e3780951dce0104da18f6e75c860c3aa830f9b4a0a4508ba75184c21.exe	68

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f3b87a68e3780951dce0104da18f6e75c860c3aa830f9b4a0a4508ba75184c21.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	f3b87a68e3780951dce0104da18f6e75c860c3aa830f9b4a0a4508ba75184c21.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	f3b87a68e3780951dce0104da18f6e75c860c3aa830f9b4a0a4508ba75184c21.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\f3b87a68e3780951dce0104da18f6e75c860c3aa830f9b4a0a4508ba75184c21.exe
"C:\Users\Admin\AppData\Local\Temp\f3b87a68e3780951dce0104da18f6e75c860c3aa830f9b4a0a4508ba75184c21.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1056
- C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\dwm.exe
  "C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\dwm.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification
  PID:2908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Users\Default\AppData\Roaming\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Default\AppData\Roaming\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Users\Default\AppData\Roaming\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 10 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 8 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Mail\de-DE\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\de-DE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Mail\de-DE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Program Files\Microsoft Games\Solitaire\it-IT\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\Solitaire\it-IT\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Program Files\Microsoft Games\Solitaire\it-IT\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Games\Hearts\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\Hearts\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\Program Files\Microsoft Games\Hearts\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.Transactions.Bridge.Dtc\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.Transactions.Bridge.Dtc\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.Transactions.Bridge.Dtc\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\Default User\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Admin\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows Mail\de-DE\sppsvc.exe

Filesize
2.7MB

MD5
974e955c30ae5c68c82af0fd2001c330

SHA1
f52e77c911f388ba9ec33a6f5c18450c440cfb52

SHA256
f3b87a68e3780951dce0104da18f6e75c860c3aa830f9b4a0a4508ba75184c21

SHA512
298319af2faf835ee81496c950e45f9e4ea70dbc9d7406c854dfa1a12411c0be6503ee9e9fca179ad035df2698877a2ed6458a1ad096fdf088b555227a711653

Download Submit
C:\Program Files (x86)\Windows Mail\de-DE\sppsvc.exe

Filesize
2.7MB

MD5
30122942920ad4ff602278bae00c9ef7

SHA1
84b32328124eac89dff3a35ee0fa6f75a85339e4

SHA256
562f67dfc8025af9ba3646b98ec5d767bf6e231455b5400ba4e8ce490574a471

SHA512
ab94da178d7dd9b64b1685b15f5fea20232e5baf25a6090dec74ec06d8bddaddef1f92f80b1294c1a2a0c0ffb30964280f17da1ff0ce8e741728100f8c3cd92b

Download Submit
C:\Users\Admin\spoolsv.exe

Filesize
2.7MB

MD5
0fb3f203fe1ec76979e322e13fb3a8d1

SHA1
f9920f9af670be8fabeef21d7daf10f1716184dd

SHA256
56600522a5927a8638513b0c2fdbce929fa8a82092dea1178f27bff357d91ad5

SHA512
c252666c2ca57170bc24d07b5d7f3f99cfea49e0034917b8b0fbf34e0465b4e0e79ac944bb52aa4a5766f98d5532aced7868119db80ba7583c77f418a4b2e401

Download Submit
C:\Users\Default\OSPPSVC.exe

Filesize
2.7MB

MD5
61f08860b38f375324d4af6b02be4118

SHA1
ced231a8f34437def69ddca0d74376137d164d3c

SHA256
3700ce932f67efb2c6bbdacca6c5c7228cd7ce5061b580c2983fd4c38b3edf3c

SHA512
508f14618c3eb066379ee6af0062768961ed3d529ebe69dd1cdc96e6b95e37a17953ca2cb8030217403b1b935f4a06fc32a3e70f91a74a484ba729eecc9775eb

Download Submit
C:\Users\Default\csrss.exe

Filesize
2.7MB

MD5
d6737b0f4d58f21d3f5d1e6d2350a1ab

SHA1
f1f9e46f3e286a3387cfbd42d42211e73f1fd402

SHA256
90fbcb5364d38e3eae9582ff017df5506e8b31ecf40e4d299816ba869b5842c8

SHA512
fa98c37fbb052b83acbe05cce0b9277f0e87472074e8bf1753747fd2e514108ca828905f3f476c7d9c620c84fbab01b99d90b0f68afb5e59ed22eef84228d657

Download Submit
memory/1056-7-0x0000000000690000-0x00000000006A6000-memory.dmp

Filesize
88KB

Download
memory/1056-16-0x0000000000D90000-0x0000000000D9E000-memory.dmp

Filesize
56KB

Download
memory/1056-0-0x000007FEF5293000-0x000007FEF5294000-memory.dmp

Filesize
4KB

Download
memory/1056-8-0x00000000006B0000-0x00000000006B8000-memory.dmp

Filesize
32KB

Download
memory/1056-9-0x0000000000C10000-0x0000000000C1A000-memory.dmp

Filesize
40KB

Download
memory/1056-10-0x0000000000D30000-0x0000000000D86000-memory.dmp

Filesize
344KB

Download
memory/1056-11-0x0000000000C00000-0x0000000000C08000-memory.dmp

Filesize
32KB

Download
memory/1056-12-0x0000000000C20000-0x0000000000C32000-memory.dmp

Filesize
72KB

Download
memory/1056-13-0x0000000000C90000-0x0000000000C98000-memory.dmp

Filesize
32KB

Download
memory/1056-14-0x0000000000CA0000-0x0000000000CA8000-memory.dmp

Filesize
32KB

Download
memory/1056-15-0x0000000000D80000-0x0000000000D8C000-memory.dmp

Filesize
48KB

Download
memory/1056-6-0x0000000000680000-0x0000000000690000-memory.dmp

Filesize
64KB

Download
memory/1056-17-0x0000000000DA0000-0x0000000000DAC000-memory.dmp

Filesize
48KB

Download
memory/1056-18-0x0000000000DB0000-0x0000000000DBA000-memory.dmp

Filesize
40KB

Download
memory/1056-19-0x0000000000EC0000-0x0000000000ECC000-memory.dmp

Filesize
48KB

Download
memory/1056-5-0x00000000003F0000-0x00000000003F8000-memory.dmp

Filesize
32KB

Download
memory/1056-4-0x00000000003D0000-0x00000000003EC000-memory.dmp

Filesize
112KB

Download
memory/1056-3-0x00000000003C0000-0x00000000003CE000-memory.dmp

Filesize
56KB

Download
memory/1056-2-0x000007FEF5290000-0x000007FEF5C7C000-memory.dmp

Filesize
9.9MB

Download
memory/1056-1-0x0000000001160000-0x0000000001414000-memory.dmp

Filesize
2.7MB

Download
memory/1056-188-0x000007FEF5293000-0x000007FEF5294000-memory.dmp

Filesize
4KB

Download
memory/1056-196-0x000007FEF5290000-0x000007FEF5C7C000-memory.dmp

Filesize
9.9MB

Download
memory/2908-195-0x0000000000D60000-0x0000000001014000-memory.dmp

Filesize
2.7MB

Download