dcrat | 0f0009550ad8a696b79efaddb21f8ce26236c5c302c5159e0af3d7fe75b57fd3

Analysis

max time kernel
130s
max time network
100s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
26/05/2024, 15:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0f0009550ad8a696b79efaddb21f8ce26236c5c302c5159e0af3d7fe75b57fd3.exe
Size

1.3MB
MD5

1610d005e2af505e573a49eecd7dadb7
SHA1

a1ddc7111c710191d364cfba6943d8be87d4f454
SHA256

0f0009550ad8a696b79efaddb21f8ce26236c5c302c5159e0af3d7fe75b57fd3
SHA512

5bd3f7ca3359e0fbe8e6b6d2ff9f007cdc2c19325c2bc24194814fe2d72fef32104d1739a6f37f4ca94a3779ee1715ec25f50e8c4dc8bac8e8397813b73feda8
SSDEEP

24576:xALTck+Rs8xdbtVhrETeQ35YaUccQEt5bSCi03FAx:xAnc1xQTeQ1ULi0

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 57 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2008	3288	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4900	3288	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2988	3288	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4732	3288	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3464	3288	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4292	3288	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1256	3288	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1028	3288	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2352	3288	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2108	3288	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2000	3288	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1780	3288	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3920	3288	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3800	3288	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2264	3288	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4440	3288	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3132	3288	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4196	3288	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2940	3288	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4896	3288	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3196	3288	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	416	3288	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2964	3288	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1524	3288	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5028	3288	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3092	3288	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	624	3288	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2276	3288	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1660	3288	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3608	3288	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1068	3288	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3036	3288	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	380	3288	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	236	3288	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5096	3288	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4144	3288	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4304	3288	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4404	3288	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4596	3288	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1992	3288	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1736	3288	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3672	3288	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	464	3288	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3044	3288	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5100	3288	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4492	3288	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1300	3288	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4456	3288	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3648	3288	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1408	3288	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3124	3288	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4156	3288	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3224	3288	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5108	3288	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1600	3288	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4576	3288	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2188	3288	schtasks.exe	83

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/3600-1-0x0000000000640000-0x0000000000790000-memory.dmp	dcrat
behavioral2/files/0x000700000002341c-17.dat	dcrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	0f0009550ad8a696b79efaddb21f8ce26236c5c302c5159e0af3d7fe75b57fd3.exe

Executes dropped EXE 1 IoCs

pid	Process
5112	SppExtComObj.exe

Drops file in Program Files directory 12 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe	0f0009550ad8a696b79efaddb21f8ce26236c5c302c5159e0af3d7fe75b57fd3.exe
File created	C:\Program Files (x86)\Google\Update\csrss.exe	0f0009550ad8a696b79efaddb21f8ce26236c5c302c5159e0af3d7fe75b57fd3.exe
File created	C:\Program Files\Mozilla Firefox\fonts\csrss.exe	0f0009550ad8a696b79efaddb21f8ce26236c5c302c5159e0af3d7fe75b57fd3.exe
File created	C:\Program Files\Mozilla Firefox\fonts\886983d96e3d3e	0f0009550ad8a696b79efaddb21f8ce26236c5c302c5159e0af3d7fe75b57fd3.exe
File created	C:\Program Files (x86)\Windows Media Player\it-IT\dllhost.exe	0f0009550ad8a696b79efaddb21f8ce26236c5c302c5159e0af3d7fe75b57fd3.exe
File created	C:\Program Files (x86)\Google\Update\886983d96e3d3e	0f0009550ad8a696b79efaddb21f8ce26236c5c302c5159e0af3d7fe75b57fd3.exe
File created	C:\Program Files (x86)\Windows Media Player\it-IT\5940a34987c991	0f0009550ad8a696b79efaddb21f8ce26236c5c302c5159e0af3d7fe75b57fd3.exe
File created	C:\Program Files\Microsoft Office 15\ClientX64\9e8d7a4ca61bd9	0f0009550ad8a696b79efaddb21f8ce26236c5c302c5159e0af3d7fe75b57fd3.exe
File created	C:\Program Files\WindowsPowerShell\sppsvc.exe	0f0009550ad8a696b79efaddb21f8ce26236c5c302c5159e0af3d7fe75b57fd3.exe
File created	C:\Program Files\WindowsPowerShell\0a1fd5f707cd16	0f0009550ad8a696b79efaddb21f8ce26236c5c302c5159e0af3d7fe75b57fd3.exe
File created	C:\Program Files (x86)\Windows Media Player\Network Sharing\taskhostw.exe	0f0009550ad8a696b79efaddb21f8ce26236c5c302c5159e0af3d7fe75b57fd3.exe
File created	C:\Program Files (x86)\Windows Media Player\Network Sharing\ea9f0e6c9e2dcd	0f0009550ad8a696b79efaddb21f8ce26236c5c302c5159e0af3d7fe75b57fd3.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\Sun\Java\Deployment\6cb0b6c459d5d3	0f0009550ad8a696b79efaddb21f8ce26236c5c302c5159e0af3d7fe75b57fd3.exe
File created	C:\Windows\appcompat\fontdrvhost.exe	0f0009550ad8a696b79efaddb21f8ce26236c5c302c5159e0af3d7fe75b57fd3.exe
File created	C:\Windows\appcompat\5b884080fd4f94	0f0009550ad8a696b79efaddb21f8ce26236c5c302c5159e0af3d7fe75b57fd3.exe
File created	C:\Windows\Setup\State\lsass.exe	0f0009550ad8a696b79efaddb21f8ce26236c5c302c5159e0af3d7fe75b57fd3.exe
File created	C:\Windows\Setup\State\6203df4a6bafc7	0f0009550ad8a696b79efaddb21f8ce26236c5c302c5159e0af3d7fe75b57fd3.exe
File created	C:\Windows\Sun\Java\Deployment\dwm.exe	0f0009550ad8a696b79efaddb21f8ce26236c5c302c5159e0af3d7fe75b57fd3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 57 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4456	schtasks.exe
1992	schtasks.exe
4576	schtasks.exe
380	schtasks.exe
4404	schtasks.exe
2352	schtasks.exe
2940	schtasks.exe
624	schtasks.exe
1068	schtasks.exe
1300	schtasks.exe
2188	schtasks.exe
4896	schtasks.exe
416	schtasks.exe
3672	schtasks.exe
3648	schtasks.exe
5108	schtasks.exe
2000	schtasks.exe
1660	schtasks.exe
1736	schtasks.exe
4156	schtasks.exe
3464	schtasks.exe
2964	schtasks.exe
3092	schtasks.exe
3800	schtasks.exe
3224	schtasks.exe
4900	schtasks.exe
4440	schtasks.exe
3196	schtasks.exe
2276	schtasks.exe
4492	schtasks.exe
1600	schtasks.exe
4292	schtasks.exe
1780	schtasks.exe
1256	schtasks.exe
2108	schtasks.exe
2264	schtasks.exe
3036	schtasks.exe
236	schtasks.exe
5096	schtasks.exe
2988	schtasks.exe
4732	schtasks.exe
5100	schtasks.exe
3608	schtasks.exe
464	schtasks.exe
5028	schtasks.exe
4304	schtasks.exe
3124	schtasks.exe
2008	schtasks.exe
1028	schtasks.exe
3132	schtasks.exe
1408	schtasks.exe
4596	schtasks.exe
3044	schtasks.exe
3920	schtasks.exe
4144	schtasks.exe
4196	schtasks.exe
1524	schtasks.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	0f0009550ad8a696b79efaddb21f8ce26236c5c302c5159e0af3d7fe75b57fd3.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
3600	0f0009550ad8a696b79efaddb21f8ce26236c5c302c5159e0af3d7fe75b57fd3.exe
3600	0f0009550ad8a696b79efaddb21f8ce26236c5c302c5159e0af3d7fe75b57fd3.exe
3600	0f0009550ad8a696b79efaddb21f8ce26236c5c302c5159e0af3d7fe75b57fd3.exe
3600	0f0009550ad8a696b79efaddb21f8ce26236c5c302c5159e0af3d7fe75b57fd3.exe
3600	0f0009550ad8a696b79efaddb21f8ce26236c5c302c5159e0af3d7fe75b57fd3.exe
3600	0f0009550ad8a696b79efaddb21f8ce26236c5c302c5159e0af3d7fe75b57fd3.exe
3600	0f0009550ad8a696b79efaddb21f8ce26236c5c302c5159e0af3d7fe75b57fd3.exe
3600	0f0009550ad8a696b79efaddb21f8ce26236c5c302c5159e0af3d7fe75b57fd3.exe
3600	0f0009550ad8a696b79efaddb21f8ce26236c5c302c5159e0af3d7fe75b57fd3.exe
3600	0f0009550ad8a696b79efaddb21f8ce26236c5c302c5159e0af3d7fe75b57fd3.exe
3600	0f0009550ad8a696b79efaddb21f8ce26236c5c302c5159e0af3d7fe75b57fd3.exe
3600	0f0009550ad8a696b79efaddb21f8ce26236c5c302c5159e0af3d7fe75b57fd3.exe
3600	0f0009550ad8a696b79efaddb21f8ce26236c5c302c5159e0af3d7fe75b57fd3.exe
3600	0f0009550ad8a696b79efaddb21f8ce26236c5c302c5159e0af3d7fe75b57fd3.exe
3600	0f0009550ad8a696b79efaddb21f8ce26236c5c302c5159e0af3d7fe75b57fd3.exe
3600	0f0009550ad8a696b79efaddb21f8ce26236c5c302c5159e0af3d7fe75b57fd3.exe
3600	0f0009550ad8a696b79efaddb21f8ce26236c5c302c5159e0af3d7fe75b57fd3.exe
3600	0f0009550ad8a696b79efaddb21f8ce26236c5c302c5159e0af3d7fe75b57fd3.exe
3600	0f0009550ad8a696b79efaddb21f8ce26236c5c302c5159e0af3d7fe75b57fd3.exe
3600	0f0009550ad8a696b79efaddb21f8ce26236c5c302c5159e0af3d7fe75b57fd3.exe
3600	0f0009550ad8a696b79efaddb21f8ce26236c5c302c5159e0af3d7fe75b57fd3.exe
3600	0f0009550ad8a696b79efaddb21f8ce26236c5c302c5159e0af3d7fe75b57fd3.exe
5112	SppExtComObj.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3600	0f0009550ad8a696b79efaddb21f8ce26236c5c302c5159e0af3d7fe75b57fd3.exe
Token: SeDebugPrivilege	5112	SppExtComObj.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3600 wrote to memory of 2152	3600	0f0009550ad8a696b79efaddb21f8ce26236c5c302c5159e0af3d7fe75b57fd3.exe	142
PID 3600 wrote to memory of 2152	3600	0f0009550ad8a696b79efaddb21f8ce26236c5c302c5159e0af3d7fe75b57fd3.exe	142
PID 2152 wrote to memory of 2576	2152	cmd.exe	144
PID 2152 wrote to memory of 2576	2152	cmd.exe	144
PID 2152 wrote to memory of 5112	2152	cmd.exe	148
PID 2152 wrote to memory of 5112	2152	cmd.exe	148

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\0f0009550ad8a696b79efaddb21f8ce26236c5c302c5159e0af3d7fe75b57fd3.exe
"C:\Users\Admin\AppData\Local\Temp\0f0009550ad8a696b79efaddb21f8ce26236c5c302c5159e0af3d7fe75b57fd3.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3600
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\O622WhSeJ4.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2152
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2576
- - C:\Users\All Users\WindowsHolographicDevices\SpatialStore\SppExtComObj.exe
    "C:\Users\All Users\WindowsHolographicDevices\SpatialStore\SppExtComObj.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 7 /tr "'C:\Windows\Temp\Crashpad\reports\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Windows\Temp\Crashpad\reports\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 11 /tr "'C:\Windows\Temp\Crashpad\reports\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Program Files\WindowsPowerShell\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Program Files\WindowsPowerShell\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\All Users\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\ssh\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Users\All Users\ssh\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\ssh\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Media Player\Network Sharing\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\Network Sharing\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Media Player\Network Sharing\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Users\All Users\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Windows\appcompat\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\appcompat\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Windows\appcompat\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Windows\Setup\State\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\Setup\State\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Windows\Setup\State\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\WindowsHolographicDevices\SpatialStore\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Users\All Users\WindowsHolographicDevices\SpatialStore\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\WindowsHolographicDevices\SpatialStore\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Google\Update\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Update\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Google\Update\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Mozilla Firefox\fonts\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\fonts\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Mozilla Firefox\fonts\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Links\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Default\Links\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Links\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Media Player\it-IT\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\it-IT\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Media Player\it-IT\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Windows\Sun\Java\Deployment\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\Sun\Java\Deployment\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Windows\Sun\Java\Deployment\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows Media Player\Network Sharing\taskhostw.exe

Filesize
1.3MB

MD5
1610d005e2af505e573a49eecd7dadb7

SHA1
a1ddc7111c710191d364cfba6943d8be87d4f454

SHA256
0f0009550ad8a696b79efaddb21f8ce26236c5c302c5159e0af3d7fe75b57fd3

SHA512
5bd3f7ca3359e0fbe8e6b6d2ff9f007cdc2c19325c2bc24194814fe2d72fef32104d1739a6f37f4ca94a3779ee1715ec25f50e8c4dc8bac8e8397813b73feda8

Download Submit
C:\Users\Admin\AppData\Local\Temp\O622WhSeJ4.bat

Filesize
239B

MD5
d935e46d9effb0a09af41eabd12f025e

SHA1
6ef0cab43175ada2093a36e95fe4d8a4267f5158

SHA256
f73dcb84254a1e1a5a86a3dd96748e3c5d54660cf93ee560c7141c0103e36a36

SHA512
65c93db985bb1f477bda969ef46eb4ad1c0d105393940e1fdde9816e07e3ad9c994311c0b611a51bc22a4871502383cefeff59f080051486f0437aaaa5b83f98

Download Submit
memory/3600-3-0x00000000010F0000-0x000000000110C000-memory.dmp

Filesize
112KB

Download
memory/3600-0-0x00007FF9F65B3000-0x00007FF9F65B5000-memory.dmp

Filesize
8KB

Download
memory/3600-6-0x0000000001130000-0x0000000001142000-memory.dmp

Filesize
72KB

Download
memory/3600-5-0x0000000001110000-0x0000000001126000-memory.dmp

Filesize
88KB

Download
memory/3600-4-0x0000000002A20000-0x0000000002A70000-memory.dmp

Filesize
320KB

Download
memory/3600-7-0x000000001C190000-0x000000001C6B8000-memory.dmp

Filesize
5.2MB

Download
memory/3600-8-0x0000000001160000-0x000000000116E000-memory.dmp

Filesize
56KB

Download
memory/3600-2-0x00007FF9F65B0000-0x00007FF9F7071000-memory.dmp

Filesize
10.8MB

Download
memory/3600-1-0x0000000000640000-0x0000000000790000-memory.dmp

Filesize
1.3MB

Download
memory/3600-53-0x00007FF9F65B0000-0x00007FF9F7071000-memory.dmp

Filesize
10.8MB

Download
memory/5112-57-0x00000000015D0000-0x00000000015E2000-memory.dmp

Filesize
72KB

Download