dcrat | 6c29d8bad383d0c43571ca79bb4887596c18c54053e174bb4d551a717ac33dc0

Analysis

max time kernel
95s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13-01-2025 02:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6c29d8bad383d0c43571ca79bb4887596c18c54053e174bb4d551a717ac33dc0.exe
Size

2.9MB
MD5

31e7e6d6c1d606c6d6b33d32724885e5
SHA1

400a1f509d4b22ff8849a3fcb1a990f3fab15950
SHA256

6c29d8bad383d0c43571ca79bb4887596c18c54053e174bb4d551a717ac33dc0
SHA512

b82cbae4484e26e31345c5a1a321b86bfb69f57e21198ae292851964ea5b8024e844955f74a2250aa36784dcf15e7ee3b0f10a37b1eaeee33ffe0b86d9cac9d4
SSDEEP

49152:vD9sH0CMRmyW/15LcxvoV5FgyG3sF1XIFRTGJi2pHXr1IjmTyDrJDax8Yk:vD9sUCMXwwvCFA3sFZqRti3r1IjmuDt8

Score

10^/10

dcrat evasion infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 54 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4232	2896	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3940	2896	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3988	2896	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3700	2896	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1304	2896	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2428	2896	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2536	2896	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2728	2896	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2760	2896	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4320	2896	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1604	2896	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3504	2896	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4996	2896	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2168	2896	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2852	2896	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2516	2896	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3964	2896	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3624	2896	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	964	2896	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4012	2896	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2756	2896	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2492	2896	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4008	2896	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5108	2896	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2620	2896	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3648	2896	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4132	2896	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2608	2896	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2152	2896	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	8	2896	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3640	2896	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3636	2896	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4564	2896	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4588	2896	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2916	2896	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4108	2896	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4632	2896	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3128	2896	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	760	2896	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1660	2896	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2872	2896	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3672	2896	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2288	2896	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	216	2896	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1148	2896	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1904	2896	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2044	2896	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1312	2896	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4404	2896	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1836	2896	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2412	2896	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2552	2896	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4440	2896	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1880	2896	schtasks.exe	83

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	6c29d8bad383d0c43571ca79bb4887596c18c54053e174bb4d551a717ac33dc0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	6c29d8bad383d0c43571ca79bb4887596c18c54053e174bb4d551a717ac33dc0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	6c29d8bad383d0c43571ca79bb4887596c18c54053e174bb4d551a717ac33dc0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/2404-1-0x0000000000710000-0x0000000000A00000-memory.dmp	dcrat
behavioral2/files/0x0007000000023ca5-34.dat	dcrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	6c29d8bad383d0c43571ca79bb4887596c18c54053e174bb4d551a717ac33dc0.exe

Executes dropped EXE 1 IoCs

pid	Process
1276	RuntimeBroker.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	6c29d8bad383d0c43571ca79bb4887596c18c54053e174bb4d551a717ac33dc0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	6c29d8bad383d0c43571ca79bb4887596c18c54053e174bb4d551a717ac33dc0.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe

Drops file in Program Files directory 17 IoCs

description	ioc	Process
File created	C:\Program Files\Crashpad\reports\smss.exe	6c29d8bad383d0c43571ca79bb4887596c18c54053e174bb4d551a717ac33dc0.exe
File created	C:\Program Files\Windows Defender\fr-FR\RuntimeBroker.exe	6c29d8bad383d0c43571ca79bb4887596c18c54053e174bb4d551a717ac33dc0.exe
File created	C:\Program Files (x86)\Windows Mail\ea9f0e6c9e2dcd	6c29d8bad383d0c43571ca79bb4887596c18c54053e174bb4d551a717ac33dc0.exe
File created	C:\Program Files\Crashpad\reports\69ddcba757bf72	6c29d8bad383d0c43571ca79bb4887596c18c54053e174bb4d551a717ac33dc0.exe
File created	C:\Program Files\Java\jre-1.8\lib\SearchApp.exe	6c29d8bad383d0c43571ca79bb4887596c18c54053e174bb4d551a717ac33dc0.exe
File created	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\spoolsv.exe	6c29d8bad383d0c43571ca79bb4887596c18c54053e174bb4d551a717ac33dc0.exe
File created	C:\Program Files (x86)\Windows Mail\taskhostw.exe	6c29d8bad383d0c43571ca79bb4887596c18c54053e174bb4d551a717ac33dc0.exe
File created	C:\Program Files\Windows Photo Viewer\en-US\6c29d8bad383d0c43571ca79bb4887596c18c54053e174bb4d551a717ac33dc0.exe	6c29d8bad383d0c43571ca79bb4887596c18c54053e174bb4d551a717ac33dc0.exe
File created	C:\Program Files\Windows Photo Viewer\en-US\e292db2a6c9159	6c29d8bad383d0c43571ca79bb4887596c18c54053e174bb4d551a717ac33dc0.exe
File created	C:\Program Files\7-Zip\Lang\winlogon.exe	6c29d8bad383d0c43571ca79bb4887596c18c54053e174bb4d551a717ac33dc0.exe
File created	C:\Program Files\7-Zip\Lang\cc11b995f2a76d	6c29d8bad383d0c43571ca79bb4887596c18c54053e174bb4d551a717ac33dc0.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\886983d96e3d3e	6c29d8bad383d0c43571ca79bb4887596c18c54053e174bb4d551a717ac33dc0.exe
File created	C:\Program Files\Windows Defender\fr-FR\9e8d7a4ca61bd9	6c29d8bad383d0c43571ca79bb4887596c18c54053e174bb4d551a717ac33dc0.exe
File created	C:\Program Files\Java\jre-1.8\lib\38384e6a620884	6c29d8bad383d0c43571ca79bb4887596c18c54053e174bb4d551a717ac33dc0.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\csrss.exe	6c29d8bad383d0c43571ca79bb4887596c18c54053e174bb4d551a717ac33dc0.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\explorer.exe	6c29d8bad383d0c43571ca79bb4887596c18c54053e174bb4d551a717ac33dc0.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\7a0fd90576e088	6c29d8bad383d0c43571ca79bb4887596c18c54053e174bb4d551a717ac33dc0.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\addins\56085415360792	6c29d8bad383d0c43571ca79bb4887596c18c54053e174bb4d551a717ac33dc0.exe
File created	C:\Windows\twain_32\winlogon.exe	6c29d8bad383d0c43571ca79bb4887596c18c54053e174bb4d551a717ac33dc0.exe
File created	C:\Windows\twain_32\cc11b995f2a76d	6c29d8bad383d0c43571ca79bb4887596c18c54053e174bb4d551a717ac33dc0.exe
File created	C:\Windows\OCR\en-us\StartMenuExperienceHost.exe	6c29d8bad383d0c43571ca79bb4887596c18c54053e174bb4d551a717ac33dc0.exe
File created	C:\Windows\addins\wininit.exe	6c29d8bad383d0c43571ca79bb4887596c18c54053e174bb4d551a717ac33dc0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 54 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4632	schtasks.exe
3672	schtasks.exe
2428	schtasks.exe
4132	schtasks.exe
2916	schtasks.exe
964	schtasks.exe
1604	schtasks.exe
4008	schtasks.exe
1312	schtasks.exe
4012	schtasks.exe
1904	schtasks.exe
4232	schtasks.exe
5108	schtasks.exe
8	schtasks.exe
4440	schtasks.exe
3700	schtasks.exe
1880	schtasks.exe
3940	schtasks.exe
2168	schtasks.exe
2620	schtasks.exe
3636	schtasks.exe
760	schtasks.exe
2852	schtasks.exe
2152	schtasks.exe
3128	schtasks.exe
2552	schtasks.exe
1304	schtasks.exe
4996	schtasks.exe
2516	schtasks.exe
3964	schtasks.exe
3640	schtasks.exe
4588	schtasks.exe
1660	schtasks.exe
2536	schtasks.exe
3648	schtasks.exe
2288	schtasks.exe
216	schtasks.exe
1148	schtasks.exe
2760	schtasks.exe
3624	schtasks.exe
2756	schtasks.exe
4404	schtasks.exe
2728	schtasks.exe
4564	schtasks.exe
2872	schtasks.exe
2492	schtasks.exe
4108	schtasks.exe
2044	schtasks.exe
3988	schtasks.exe
4320	schtasks.exe
3504	schtasks.exe
2608	schtasks.exe
1836	schtasks.exe
2412	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2404	6c29d8bad383d0c43571ca79bb4887596c18c54053e174bb4d551a717ac33dc0.exe
2404	6c29d8bad383d0c43571ca79bb4887596c18c54053e174bb4d551a717ac33dc0.exe
2404	6c29d8bad383d0c43571ca79bb4887596c18c54053e174bb4d551a717ac33dc0.exe
2404	6c29d8bad383d0c43571ca79bb4887596c18c54053e174bb4d551a717ac33dc0.exe
2404	6c29d8bad383d0c43571ca79bb4887596c18c54053e174bb4d551a717ac33dc0.exe
2404	6c29d8bad383d0c43571ca79bb4887596c18c54053e174bb4d551a717ac33dc0.exe
2404	6c29d8bad383d0c43571ca79bb4887596c18c54053e174bb4d551a717ac33dc0.exe
2404	6c29d8bad383d0c43571ca79bb4887596c18c54053e174bb4d551a717ac33dc0.exe
2404	6c29d8bad383d0c43571ca79bb4887596c18c54053e174bb4d551a717ac33dc0.exe
2404	6c29d8bad383d0c43571ca79bb4887596c18c54053e174bb4d551a717ac33dc0.exe
2404	6c29d8bad383d0c43571ca79bb4887596c18c54053e174bb4d551a717ac33dc0.exe
2404	6c29d8bad383d0c43571ca79bb4887596c18c54053e174bb4d551a717ac33dc0.exe
2404	6c29d8bad383d0c43571ca79bb4887596c18c54053e174bb4d551a717ac33dc0.exe
2404	6c29d8bad383d0c43571ca79bb4887596c18c54053e174bb4d551a717ac33dc0.exe
2404	6c29d8bad383d0c43571ca79bb4887596c18c54053e174bb4d551a717ac33dc0.exe
2404	6c29d8bad383d0c43571ca79bb4887596c18c54053e174bb4d551a717ac33dc0.exe
2404	6c29d8bad383d0c43571ca79bb4887596c18c54053e174bb4d551a717ac33dc0.exe
2404	6c29d8bad383d0c43571ca79bb4887596c18c54053e174bb4d551a717ac33dc0.exe
2404	6c29d8bad383d0c43571ca79bb4887596c18c54053e174bb4d551a717ac33dc0.exe
1276	RuntimeBroker.exe
1276	RuntimeBroker.exe
1276	RuntimeBroker.exe
1276	RuntimeBroker.exe
1276	RuntimeBroker.exe
1276	RuntimeBroker.exe
1276	RuntimeBroker.exe
1276	RuntimeBroker.exe
1276	RuntimeBroker.exe
1276	RuntimeBroker.exe
1276	RuntimeBroker.exe
1276	RuntimeBroker.exe
1276	RuntimeBroker.exe
1276	RuntimeBroker.exe
1276	RuntimeBroker.exe
1276	RuntimeBroker.exe
1276	RuntimeBroker.exe
1276	RuntimeBroker.exe
1276	RuntimeBroker.exe
1276	RuntimeBroker.exe
1276	RuntimeBroker.exe
1276	RuntimeBroker.exe
1276	RuntimeBroker.exe
1276	RuntimeBroker.exe
1276	RuntimeBroker.exe
1276	RuntimeBroker.exe
1276	RuntimeBroker.exe
1276	RuntimeBroker.exe
1276	RuntimeBroker.exe
1276	RuntimeBroker.exe
1276	RuntimeBroker.exe
1276	RuntimeBroker.exe
1276	RuntimeBroker.exe
1276	RuntimeBroker.exe
1276	RuntimeBroker.exe
1276	RuntimeBroker.exe
1276	RuntimeBroker.exe
1276	RuntimeBroker.exe
1276	RuntimeBroker.exe
1276	RuntimeBroker.exe
1276	RuntimeBroker.exe
1276	RuntimeBroker.exe
1276	RuntimeBroker.exe
1276	RuntimeBroker.exe
1276	RuntimeBroker.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2404	6c29d8bad383d0c43571ca79bb4887596c18c54053e174bb4d551a717ac33dc0.exe
Token: SeDebugPrivilege	1276	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 2404 wrote to memory of 1276	2404	6c29d8bad383d0c43571ca79bb4887596c18c54053e174bb4d551a717ac33dc0.exe	138
PID 2404 wrote to memory of 1276	2404	6c29d8bad383d0c43571ca79bb4887596c18c54053e174bb4d551a717ac33dc0.exe	138

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	6c29d8bad383d0c43571ca79bb4887596c18c54053e174bb4d551a717ac33dc0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	6c29d8bad383d0c43571ca79bb4887596c18c54053e174bb4d551a717ac33dc0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	6c29d8bad383d0c43571ca79bb4887596c18c54053e174bb4d551a717ac33dc0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\6c29d8bad383d0c43571ca79bb4887596c18c54053e174bb4d551a717ac33dc0.exe
"C:\Users\Admin\AppData\Local\Temp\6c29d8bad383d0c43571ca79bb4887596c18c54053e174bb4d551a717ac33dc0.exe"
1⤵
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2404
- C:\Recovery\WindowsRE\RuntimeBroker.exe
  "C:\Recovery\WindowsRE\RuntimeBroker.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification
  PID:1276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Music\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Public\Music\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Music\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Program Files\Crashpad\reports\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Crashpad\reports\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Program Files\Crashpad\reports\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Desktop\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\All Users\Desktop\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Desktop\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "6c29d8bad383d0c43571ca79bb4887596c18c54053e174bb4d551a717ac33dc06" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Photo Viewer\en-US\6c29d8bad383d0c43571ca79bb4887596c18c54053e174bb4d551a717ac33dc0.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "6c29d8bad383d0c43571ca79bb4887596c18c54053e174bb4d551a717ac33dc0" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\en-US\6c29d8bad383d0c43571ca79bb4887596c18c54053e174bb4d551a717ac33dc0.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "6c29d8bad383d0c43571ca79bb4887596c18c54053e174bb4d551a717ac33dc06" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Photo Viewer\en-US\6c29d8bad383d0c43571ca79bb4887596c18c54053e174bb4d551a717ac33dc0.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Defender\fr-FR\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\fr-FR\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Defender\fr-FR\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 13 /tr "'C:\Program Files\Java\jre-1.8\lib\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files\Java\jre-1.8\lib\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 6 /tr "'C:\Program Files\Java\jre-1.8\lib\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Program Files\7-Zip\Lang\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Program Files\7-Zip\Lang\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:8

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Mail\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Mail\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Windows\twain_32\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\twain_32\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Windows\twain_32\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\NetHood\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Admin\NetHood\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\NetHood\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Sidebar\Gadgets\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Gadgets\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Sidebar\Gadgets\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Windows\addins\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\addins\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Windows\addins\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\Desktop\winlogon.exe

Filesize
2.9MB

MD5
31e7e6d6c1d606c6d6b33d32724885e5

SHA1
400a1f509d4b22ff8849a3fcb1a990f3fab15950

SHA256
6c29d8bad383d0c43571ca79bb4887596c18c54053e174bb4d551a717ac33dc0

SHA512
b82cbae4484e26e31345c5a1a321b86bfb69f57e21198ae292851964ea5b8024e844955f74a2250aa36784dcf15e7ee3b0f10a37b1eaeee33ffe0b86d9cac9d4

Download Submit
memory/2404-14-0x000000001BE10000-0x000000001BE18000-memory.dmp

Filesize
32KB

Download
memory/2404-73-0x00007FFFC1E70000-0x00007FFFC2931000-memory.dmp

Filesize
10.8MB

Download
memory/2404-13-0x000000001BE30000-0x000000001BE3C000-memory.dmp

Filesize
48KB

Download
memory/2404-4-0x0000000002B40000-0x0000000002B4E000-memory.dmp

Filesize
56KB

Download
memory/2404-5-0x0000000002B50000-0x0000000002B58000-memory.dmp

Filesize
32KB

Download
memory/2404-6-0x000000001BC50000-0x000000001BC6C000-memory.dmp

Filesize
112KB

Download
memory/2404-7-0x000000001BCC0000-0x000000001BD10000-memory.dmp

Filesize
320KB

Download
memory/2404-11-0x000000001BCA0000-0x000000001BCA8000-memory.dmp

Filesize
32KB

Download
memory/2404-10-0x000000001BC80000-0x000000001BC96000-memory.dmp

Filesize
88KB

Download
memory/2404-9-0x000000001BC70000-0x000000001BC80000-memory.dmp

Filesize
64KB

Download
memory/2404-8-0x0000000002B60000-0x0000000002B68000-memory.dmp

Filesize
32KB

Download
memory/2404-12-0x000000001BCB0000-0x000000001BCC2000-memory.dmp

Filesize
72KB

Download
memory/2404-3-0x0000000002B30000-0x0000000002B3E000-memory.dmp

Filesize
56KB

Download
memory/2404-2-0x00007FFFC1E70000-0x00007FFFC2931000-memory.dmp

Filesize
10.8MB

Download
memory/2404-21-0x000000001BED0000-0x000000001BED8000-memory.dmp

Filesize
32KB

Download
memory/2404-16-0x000000001BE40000-0x000000001BE4A000-memory.dmp

Filesize
40KB

Download
memory/2404-17-0x000000001BE50000-0x000000001BEA6000-memory.dmp

Filesize
344KB

Download
memory/2404-18-0x000000001BEA0000-0x000000001BEAC000-memory.dmp

Filesize
48KB

Download
memory/2404-19-0x000000001BEB0000-0x000000001BEB8000-memory.dmp

Filesize
32KB

Download
memory/2404-20-0x000000001BEC0000-0x000000001BECC000-memory.dmp

Filesize
48KB

Download
memory/2404-22-0x000000001BEE0000-0x000000001BEF2000-memory.dmp

Filesize
72KB

Download
memory/2404-15-0x000000001BE20000-0x000000001BE30000-memory.dmp

Filesize
64KB

Download
memory/2404-23-0x000000001C440000-0x000000001C968000-memory.dmp

Filesize
5.2MB

Download
memory/2404-24-0x000000001BF10000-0x000000001BF1C000-memory.dmp

Filesize
48KB

Download
memory/2404-25-0x000000001C1A0000-0x000000001C1AC000-memory.dmp

Filesize
48KB

Download
memory/2404-1-0x0000000000710000-0x0000000000A00000-memory.dmp

Filesize
2.9MB

Download
memory/2404-0-0x00007FFFC1E73000-0x00007FFFC1E75000-memory.dmp

Filesize
8KB

Download