dcrat | 7ddbec7fac00ec5624f45da5879ebfa97d95b21c7842cbaa1058daa46a47bd41

Analysis

max time kernel
46s
max time network
51s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 19:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c45000d07293154a655ba52ffb7bab99.exe
Size

849KB
MD5

c45000d07293154a655ba52ffb7bab99
SHA1

4b4fbc2c00cf6c6c6fcea58074213c4f0606b80a
SHA256

f639fc426671cba387b08b8c14743bccfd9d13866982573a1ed2e150967c17ac
SHA512

2805351e0080a62061efb9bc7e3d953221df1180edfcf1142b59302a0afbcf3332a8855deaa9f147ebb11789a3cdbadf6073306000d03698537813bf579df674
SSDEEP

12288:I6NE5ig5Fttrh5PxjUm5SvDdLILaBFkjKuAMx6A5gtbGk84Ca04jtiPBgGKYTx:I6N297PxbsKtC5AHgk

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 42 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5772	4140	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2888	4140	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4388	4140	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5676	4140	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1904	4140	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2024	4140	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4508	4140	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4780	4140	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4528	4140	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4292	4140	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2820	4140	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1852	4140	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5320	4140	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2408	4140	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4232	4140	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3112	4140	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4756	4140	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4760	4140	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4888	4140	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4476	4140	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4932	4140	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4964	4140	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4584	4140	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4652	4140	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4688	4140	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4548	4140	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4788	4140	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4820	4140	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5812	4140	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4568	4140	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2020	4140	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4836	4140	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4852	4140	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4868	4140	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3188	4140	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	408	4140	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1888	4140	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4556	4140	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4264	4140	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3356	4140	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5272	4140	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4240	4140	schtasks.exe	88

DCRat payload 6 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral10/memory/116-1-0x0000000000030000-0x000000000010A000-memory.dmp	dcrat
behavioral10/files/0x00080000000242c6-18.dat	dcrat
behavioral10/files/0x000c00000002431a-87.dat	dcrat
behavioral10/files/0x000a0000000242fc-156.dat	dcrat
behavioral10/files/0x0009000000024305-167.dat	dcrat
behavioral10/files/0x000700000002431f-178.dat	dcrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	c45000d07293154a655ba52ffb7bab99.exe

Executes dropped EXE 1 IoCs

pid	Process
3428	wininit.exe

Drops file in Program Files directory 25 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\886983d96e3d3e	c45000d07293154a655ba52ffb7bab99.exe
File created	C:\Program Files\Java\jre-1.8\bin\6ccacd8608530f	c45000d07293154a655ba52ffb7bab99.exe
File opened for modification	C:\Program Files\Windows Sidebar\Shared Gadgets\csrss.exe	c45000d07293154a655ba52ffb7bab99.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\RCX848F.tmp	c45000d07293154a655ba52ffb7bab99.exe
File opened for modification	C:\Program Files\edge_BITS_4428_655744444\RCX8710.tmp	c45000d07293154a655ba52ffb7bab99.exe
File opened for modification	C:\Program Files\edge_BITS_4428_655744444\smss.exe	c45000d07293154a655ba52ffb7bab99.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\Registry.exe	c45000d07293154a655ba52ffb7bab99.exe
File created	C:\Program Files\edge_BITS_4428_655744444\smss.exe	c45000d07293154a655ba52ffb7bab99.exe
File created	C:\Program Files\edge_BITS_4428_655744444\69ddcba757bf72	c45000d07293154a655ba52ffb7bab99.exe
File created	C:\Program Files\Windows Defender\ja-JP\ee2ad38f3d4382	c45000d07293154a655ba52ffb7bab99.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\RCX848E.tmp	c45000d07293154a655ba52ffb7bab99.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\RCX9546.tmp	c45000d07293154a655ba52ffb7bab99.exe
File created	C:\Program Files (x86)\Windows Media Player\en-US\66fc9ff0ee96c2	c45000d07293154a655ba52ffb7bab99.exe
File opened for modification	C:\Program Files\Windows Sidebar\Shared Gadgets\RCX7DE1.tmp	c45000d07293154a655ba52ffb7bab99.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\en-US\RCX8005.tmp	c45000d07293154a655ba52ffb7bab99.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\en-US\sihost.exe	c45000d07293154a655ba52ffb7bab99.exe
File opened for modification	C:\Program Files\edge_BITS_4428_655744444\RCX8711.tmp	c45000d07293154a655ba52ffb7bab99.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\RCX9545.tmp	c45000d07293154a655ba52ffb7bab99.exe
File created	C:\Program Files (x86)\Windows Media Player\en-US\sihost.exe	c45000d07293154a655ba52ffb7bab99.exe
File created	C:\Program Files\Java\jre-1.8\bin\Idle.exe	c45000d07293154a655ba52ffb7bab99.exe
File created	C:\Program Files\Windows Defender\ja-JP\Registry.exe	c45000d07293154a655ba52ffb7bab99.exe
File opened for modification	C:\Program Files\Windows Sidebar\Shared Gadgets\RCX7E01.tmp	c45000d07293154a655ba52ffb7bab99.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\en-US\RCX8074.tmp	c45000d07293154a655ba52ffb7bab99.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\Idle.exe	c45000d07293154a655ba52ffb7bab99.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\csrss.exe	c45000d07293154a655ba52ffb7bab99.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\sysmon.exe	c45000d07293154a655ba52ffb7bab99.exe
File created	C:\Windows\Tasks\121e5b5079f7c0	c45000d07293154a655ba52ffb7bab99.exe
File created	C:\Windows\GameBarPresenceWriter\TextInputHost.exe	c45000d07293154a655ba52ffb7bab99.exe
File created	C:\Windows\GameBarPresenceWriter\22eafd247d37c3	c45000d07293154a655ba52ffb7bab99.exe
File opened for modification	C:\Windows\Tasks\RCX8916.tmp	c45000d07293154a655ba52ffb7bab99.exe
File opened for modification	C:\Windows\Tasks\RCX8917.tmp	c45000d07293154a655ba52ffb7bab99.exe
File opened for modification	C:\Windows\GameBarPresenceWriter\TextInputHost.exe	c45000d07293154a655ba52ffb7bab99.exe
File opened for modification	C:\Windows\Tasks\sysmon.exe	c45000d07293154a655ba52ffb7bab99.exe
File opened for modification	C:\Windows\GameBarPresenceWriter\RCX9030.tmp	c45000d07293154a655ba52ffb7bab99.exe
File opened for modification	C:\Windows\GameBarPresenceWriter\RCX909F.tmp	c45000d07293154a655ba52ffb7bab99.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	c45000d07293154a655ba52ffb7bab99.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 42 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2888	schtasks.exe
4508	schtasks.exe
4232	schtasks.exe
4584	schtasks.exe
4568	schtasks.exe
3356	schtasks.exe
4528	schtasks.exe
4688	schtasks.exe
4240	schtasks.exe
5676	schtasks.exe
2024	schtasks.exe
4964	schtasks.exe
2020	schtasks.exe
4780	schtasks.exe
4292	schtasks.exe
4888	schtasks.exe
4548	schtasks.exe
5812	schtasks.exe
1888	schtasks.exe
4556	schtasks.exe
4820	schtasks.exe
2408	schtasks.exe
4756	schtasks.exe
4788	schtasks.exe
4868	schtasks.exe
408	schtasks.exe
5272	schtasks.exe
4388	schtasks.exe
1904	schtasks.exe
4476	schtasks.exe
4652	schtasks.exe
2820	schtasks.exe
4932	schtasks.exe
4836	schtasks.exe
4852	schtasks.exe
3188	schtasks.exe
4264	schtasks.exe
5772	schtasks.exe
1852	schtasks.exe
5320	schtasks.exe
3112	schtasks.exe
4760	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
116	c45000d07293154a655ba52ffb7bab99.exe
3428	wininit.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	116	c45000d07293154a655ba52ffb7bab99.exe
Token: SeDebugPrivilege	3428	wininit.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 116 wrote to memory of 3428	116	c45000d07293154a655ba52ffb7bab99.exe	135
PID 116 wrote to memory of 3428	116	c45000d07293154a655ba52ffb7bab99.exe	135

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\c45000d07293154a655ba52ffb7bab99.exe
"C:\Users\Admin\AppData\Local\Temp\c45000d07293154a655ba52ffb7bab99.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:116
- C:\Users\Public\AccountPictures\wininit.exe
  "C:\Users\Public\AccountPictures\wininit.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\d25f591a00514bc9ba8441\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\d25f591a00514bc9ba8441\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\d25f591a00514bc9ba8441\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 6 /tr "'C:\d25f591a00514bc9ba8441\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\d25f591a00514bc9ba8441\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 7 /tr "'C:\d25f591a00514bc9ba8441\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Media Player\en-US\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\en-US\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Media Player\en-US\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Users\Public\AccountPictures\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Public\AccountPictures\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Users\Public\AccountPictures\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Program Files\Java\jre-1.8\bin\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Java\jre-1.8\bin\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Program Files\Java\jre-1.8\bin\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Program Files\edge_BITS_4428_655744444\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\edge_BITS_4428_655744444\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Program Files\edge_BITS_4428_655744444\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 14 /tr "'C:\Windows\Tasks\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Windows\Tasks\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 7 /tr "'C:\Windows\Tasks\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "c45000d07293154a655ba52ffb7bab99c" /sc MINUTE /mo 6 /tr "'C:\7e20f84d5244aba7145631d4073af8\c45000d07293154a655ba52ffb7bab99.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "c45000d07293154a655ba52ffb7bab99" /sc ONLOGON /tr "'C:\7e20f84d5244aba7145631d4073af8\c45000d07293154a655ba52ffb7bab99.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "c45000d07293154a655ba52ffb7bab99c" /sc MINUTE /mo 12 /tr "'C:\7e20f84d5244aba7145631d4073af8\c45000d07293154a655ba52ffb7bab99.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 7 /tr "'C:\Windows\GameBarPresenceWriter\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Windows\GameBarPresenceWriter\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 14 /tr "'C:\Windows\GameBarPresenceWriter\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 9 /tr "'C:\Users\Public\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Users\Public\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 6 /tr "'C:\Users\Public\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Defender\ja-JP\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\ja-JP\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Defender\ja-JP\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "c45000d07293154a655ba52ffb7bab99c" /sc MINUTE /mo 11 /tr "'C:\d25f591a00514bc9ba8441\c45000d07293154a655ba52ffb7bab99.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "c45000d07293154a655ba52ffb7bab99" /sc ONLOGON /tr "'C:\d25f591a00514bc9ba8441\c45000d07293154a655ba52ffb7bab99.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "c45000d07293154a655ba52ffb7bab99c" /sc MINUTE /mo 8 /tr "'C:\d25f591a00514bc9ba8441\c45000d07293154a655ba52ffb7bab99.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\7e20f84d5244aba7145631d4073af8\c45000d07293154a655ba52ffb7bab99.exe

Filesize
849KB

MD5
b6bfe804ab9d0d373507d0007d4a0b0f

SHA1
a98e8a582966d18dff0bf5f7c399b82b5ca470b7

SHA256
1173195745d87acee2897512e92f7256cf5cef442486d738662e83a3a041e086

SHA512
9db0e723f5cddec1ce8436b1f35e96253da24b8494011372d3af8415f7e09a868e5768947642183069b19ce3d705bcb7740259fbd57aea990a7ab8ce19c6da2f

Download Submit
C:\Program Files (x86)\Windows Media Player\en-US\sihost.exe

Filesize
849KB

MD5
90eb081a63a1ebfc2ad103fd081fc8ff

SHA1
8c045be4ecba6ef5f90a342c6096509c045e1fc5

SHA256
c90dd628013192fdfe9b2f9922388267d2aa8da11918cddecc1e4338c1b033f2

SHA512
7b0edbc33977ec9b674cbbcaee2c13ad45017b9402660234b64668d64cecadc9701ff85ed41316b5fb932025e499490faf2ce0416c7594b31c022ad8a529e32a

Download Submit
C:\Users\Public\AccountPictures\wininit.exe

Filesize
849KB

MD5
c45000d07293154a655ba52ffb7bab99

SHA1
4b4fbc2c00cf6c6c6fcea58074213c4f0606b80a

SHA256
f639fc426671cba387b08b8c14743bccfd9d13866982573a1ed2e150967c17ac

SHA512
2805351e0080a62061efb9bc7e3d953221df1180edfcf1142b59302a0afbcf3332a8855deaa9f147ebb11789a3cdbadf6073306000d03698537813bf579df674

Download Submit
C:\Users\Public\taskhostw.exe

Filesize
849KB

MD5
ad676ed77b73569f70392209ed147af3

SHA1
8218067a3307c14c6271abf8fd4e057fce6db30a

SHA256
5b4c475fc6ff7e38616a4c7925459c161e323724826098568c1a6b7f031ba8ea

SHA512
3b105ef4a80cdfb5bac4b2c4e965672a8cbe8bc4c7d42ce88bc94bc7df3bdc99c9bc0b9dd3a72ceb19785d56baf2f104ddbd5691b63ff5c3916494b18b5a8029

Download Submit
C:\Windows\GameBarPresenceWriter\TextInputHost.exe

Filesize
849KB

MD5
4a156ba392e913de882ef9ae4c749387

SHA1
b779acd73c053975a2967d45a52cec9c02e244f7

SHA256
b7815653f5e1bae72bd87a0f8e1a0a8859bcfdd40fcf13bac212a10f7b1d34c6

SHA512
a8b90bcf30f7aaf30ae16dc4c7b47bed8d85c9afee4963998e8d96f3c04de53d055fe8cfab8a4a5afa37edd19d6aa55177e265a733b8fbcbd571ca6331db15cf

Download Submit
memory/116-4-0x000000001B2E0000-0x000000001B330000-memory.dmp

Filesize
320KB

Download
memory/116-7-0x00000000022E0000-0x00000000022E8000-memory.dmp

Filesize
32KB

Download
memory/116-6-0x00000000022C0000-0x00000000022D6000-memory.dmp

Filesize
88KB

Download
memory/116-5-0x00000000022A0000-0x00000000022B0000-memory.dmp

Filesize
64KB

Download
memory/116-9-0x000000001AC20000-0x000000001AC2C000-memory.dmp

Filesize
48KB

Download
memory/116-8-0x000000001B290000-0x000000001B2A0000-memory.dmp

Filesize
64KB

Download
memory/116-0-0x00007FFBC7F83000-0x00007FFBC7F85000-memory.dmp

Filesize
8KB

Download
memory/116-3-0x00000000008D0000-0x00000000008EC000-memory.dmp

Filesize
112KB

Download
memory/116-2-0x00007FFBC7F80000-0x00007FFBC8A41000-memory.dmp

Filesize
10.8MB

Download
memory/116-1-0x0000000000030000-0x000000000010A000-memory.dmp

Filesize
872KB

Download
memory/116-181-0x00007FFBC7F83000-0x00007FFBC7F85000-memory.dmp

Filesize
8KB

Download
memory/116-204-0x00007FFBC7F80000-0x00007FFBC8A41000-memory.dmp

Filesize
10.8MB

Download
memory/116-265-0x00007FFBC7F80000-0x00007FFBC8A41000-memory.dmp

Filesize
10.8MB

Download