dcrat | 524eadc0b5758167ac92dbfbf5b6119abefe8648eaf3c1171ab8a227d3720611

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18-01-2025 04:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

524eadc0b5758167ac92dbfbf5b6119abefe8648eaf3c1171ab8a227d3720611.exe
Size

2.7MB
MD5

0f9e8c0ca92989e50a62c5ea1e47eb74
SHA1

6076489eb7df53fe1116b3dfd0ff5d87cdfeb3d6
SHA256

524eadc0b5758167ac92dbfbf5b6119abefe8648eaf3c1171ab8a227d3720611
SHA512

8819dc1e48e2343d29ee0420a598ee4e062a19b36190af80a204f08a28cde1e3cbe097d438566d1b12cf3d37f1afb889060fb9b141840de1d005be5087302970
SSDEEP

49152:yqyJUSQelMhlk1w19BlUobhENGZXxRWi0UAuqYqqnc:PyJlQgGk1wPko1oO30UA7Yqq

Score

10^/10

dcrat evasion infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 39 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1472	3224	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2844	3224	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2024	3224	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3572	3224	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2872	3224	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	764	3224	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4336	3224	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2820	3224	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4568	3224	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3636	3224	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	840	3224	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4756	3224	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4708	3224	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3912	3224	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1008	3224	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4868	3224	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4084	3224	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1288	3224	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1116	3224	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4060	3224	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4356	3224	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2924	3224	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2740	3224	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1336	3224	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3988	3224	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4720	3224	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2744	3224	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4452	3224	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2984	3224	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5112	3224	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1420	3224	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	636	3224	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1284	3224	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2268	3224	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2216	3224	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3940	3224	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1636	3224	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2724	3224	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	804	3224	schtasks.exe	85

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	524eadc0b5758167ac92dbfbf5b6119abefe8648eaf3c1171ab8a227d3720611.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	524eadc0b5758167ac92dbfbf5b6119abefe8648eaf3c1171ab8a227d3720611.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	524eadc0b5758167ac92dbfbf5b6119abefe8648eaf3c1171ab8a227d3720611.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/224-1-0x0000000000110000-0x00000000003C4000-memory.dmp	dcrat
behavioral2/files/0x000a000000023b61-30.dat	dcrat
behavioral2/files/0x000c000000023b61-152.dat	dcrat
behavioral2/files/0x000b000000023b71-186.dat	dcrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	524eadc0b5758167ac92dbfbf5b6119abefe8648eaf3c1171ab8a227d3720611.exe

Executes dropped EXE 1 IoCs

pid	Process
2616	explorer.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	524eadc0b5758167ac92dbfbf5b6119abefe8648eaf3c1171ab8a227d3720611.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	524eadc0b5758167ac92dbfbf5b6119abefe8648eaf3c1171ab8a227d3720611.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\System32\Sysprep\System.exe	524eadc0b5758167ac92dbfbf5b6119abefe8648eaf3c1171ab8a227d3720611.exe
File created	C:\Windows\System32\Sysprep\27d1bcfc3c54e0	524eadc0b5758167ac92dbfbf5b6119abefe8648eaf3c1171ab8a227d3720611.exe
File opened for modification	C:\Windows\System32\Sysprep\RCX7E00.tmp	524eadc0b5758167ac92dbfbf5b6119abefe8648eaf3c1171ab8a227d3720611.exe
File opened for modification	C:\Windows\System32\Sysprep\RCX7E01.tmp	524eadc0b5758167ac92dbfbf5b6119abefe8648eaf3c1171ab8a227d3720611.exe
File opened for modification	C:\Windows\System32\Sysprep\System.exe	524eadc0b5758167ac92dbfbf5b6119abefe8648eaf3c1171ab8a227d3720611.exe

Drops file in Program Files directory 30 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Internet Explorer\TextInputHost.exe	524eadc0b5758167ac92dbfbf5b6119abefe8648eaf3c1171ab8a227d3720611.exe
File created	C:\Program Files (x86)\Windows Defender\de-DE\7a0fd90576e088	524eadc0b5758167ac92dbfbf5b6119abefe8648eaf3c1171ab8a227d3720611.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\de-DE\RCX6F20.tmp	524eadc0b5758167ac92dbfbf5b6119abefe8648eaf3c1171ab8a227d3720611.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\csrss.exe	524eadc0b5758167ac92dbfbf5b6119abefe8648eaf3c1171ab8a227d3720611.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\sihost.exe	524eadc0b5758167ac92dbfbf5b6119abefe8648eaf3c1171ab8a227d3720611.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\RCX6A78.tmp	524eadc0b5758167ac92dbfbf5b6119abefe8648eaf3c1171ab8a227d3720611.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\RCX6A88.tmp	524eadc0b5758167ac92dbfbf5b6119abefe8648eaf3c1171ab8a227d3720611.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\66fc9ff0ee96c2	524eadc0b5758167ac92dbfbf5b6119abefe8648eaf3c1171ab8a227d3720611.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\RCX6854.tmp	524eadc0b5758167ac92dbfbf5b6119abefe8648eaf3c1171ab8a227d3720611.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\explorer.exe	524eadc0b5758167ac92dbfbf5b6119abefe8648eaf3c1171ab8a227d3720611.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\lsass.exe	524eadc0b5758167ac92dbfbf5b6119abefe8648eaf3c1171ab8a227d3720611.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\RCX73B8.tmp	524eadc0b5758167ac92dbfbf5b6119abefe8648eaf3c1171ab8a227d3720611.exe
File created	C:\Program Files (x86)\Internet Explorer\22eafd247d37c3	524eadc0b5758167ac92dbfbf5b6119abefe8648eaf3c1171ab8a227d3720611.exe
File created	C:\Program Files (x86)\Windows Defender\de-DE\explorer.exe	524eadc0b5758167ac92dbfbf5b6119abefe8648eaf3c1171ab8a227d3720611.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\lsass.exe	524eadc0b5758167ac92dbfbf5b6119abefe8648eaf3c1171ab8a227d3720611.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\RCX6843.tmp	524eadc0b5758167ac92dbfbf5b6119abefe8648eaf3c1171ab8a227d3720611.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\de-DE\RCX6F1F.tmp	524eadc0b5758167ac92dbfbf5b6119abefe8648eaf3c1171ab8a227d3720611.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\RCX73B7.tmp	524eadc0b5758167ac92dbfbf5b6119abefe8648eaf3c1171ab8a227d3720611.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\RCX793A.tmp	524eadc0b5758167ac92dbfbf5b6119abefe8648eaf3c1171ab8a227d3720611.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\RCX8325.tmp	524eadc0b5758167ac92dbfbf5b6119abefe8648eaf3c1171ab8a227d3720611.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\886983d96e3d3e	524eadc0b5758167ac92dbfbf5b6119abefe8648eaf3c1171ab8a227d3720611.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\6203df4a6bafc7	524eadc0b5758167ac92dbfbf5b6119abefe8648eaf3c1171ab8a227d3720611.exe
File created	C:\Program Files\Windows Defender\es-ES\explorer.exe	524eadc0b5758167ac92dbfbf5b6119abefe8648eaf3c1171ab8a227d3720611.exe
File created	C:\Program Files\Windows Defender\es-ES\7a0fd90576e088	524eadc0b5758167ac92dbfbf5b6119abefe8648eaf3c1171ab8a227d3720611.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\csrss.exe	524eadc0b5758167ac92dbfbf5b6119abefe8648eaf3c1171ab8a227d3720611.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\TextInputHost.exe	524eadc0b5758167ac92dbfbf5b6119abefe8648eaf3c1171ab8a227d3720611.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\de-DE\explorer.exe	524eadc0b5758167ac92dbfbf5b6119abefe8648eaf3c1171ab8a227d3720611.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\RCX78BC.tmp	524eadc0b5758167ac92dbfbf5b6119abefe8648eaf3c1171ab8a227d3720611.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\sihost.exe	524eadc0b5758167ac92dbfbf5b6119abefe8648eaf3c1171ab8a227d3720611.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\RCX8326.tmp	524eadc0b5758167ac92dbfbf5b6119abefe8648eaf3c1171ab8a227d3720611.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File created	C:\Windows\Setup\State\7a0fd90576e088	524eadc0b5758167ac92dbfbf5b6119abefe8648eaf3c1171ab8a227d3720611.exe
File created	C:\Windows\Prefetch\cc11b995f2a76d	524eadc0b5758167ac92dbfbf5b6119abefe8648eaf3c1171ab8a227d3720611.exe
File opened for modification	C:\Windows\Setup\State\explorer.exe	524eadc0b5758167ac92dbfbf5b6119abefe8648eaf3c1171ab8a227d3720611.exe
File opened for modification	C:\Windows\Prefetch\RCX8083.tmp	524eadc0b5758167ac92dbfbf5b6119abefe8648eaf3c1171ab8a227d3720611.exe
File opened for modification	C:\Windows\Prefetch\RCX80F1.tmp	524eadc0b5758167ac92dbfbf5b6119abefe8648eaf3c1171ab8a227d3720611.exe
File opened for modification	C:\Windows\Prefetch\winlogon.exe	524eadc0b5758167ac92dbfbf5b6119abefe8648eaf3c1171ab8a227d3720611.exe
File created	C:\Windows\Setup\State\explorer.exe	524eadc0b5758167ac92dbfbf5b6119abefe8648eaf3c1171ab8a227d3720611.exe
File created	C:\Windows\Prefetch\winlogon.exe	524eadc0b5758167ac92dbfbf5b6119abefe8648eaf3c1171ab8a227d3720611.exe
File opened for modification	C:\Windows\Setup\State\RCX763A.tmp	524eadc0b5758167ac92dbfbf5b6119abefe8648eaf3c1171ab8a227d3720611.exe
File opened for modification	C:\Windows\Setup\State\RCX763B.tmp	524eadc0b5758167ac92dbfbf5b6119abefe8648eaf3c1171ab8a227d3720611.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	524eadc0b5758167ac92dbfbf5b6119abefe8648eaf3c1171ab8a227d3720611.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 39 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4756	schtasks.exe
4708	schtasks.exe
2740	schtasks.exe
4060	schtasks.exe
4452	schtasks.exe
1284	schtasks.exe
2268	schtasks.exe
764	schtasks.exe
1288	schtasks.exe
2216	schtasks.exe
4084	schtasks.exe
2984	schtasks.exe
2844	schtasks.exe
3572	schtasks.exe
4336	schtasks.exe
3636	schtasks.exe
840	schtasks.exe
1116	schtasks.exe
2744	schtasks.exe
3940	schtasks.exe
1636	schtasks.exe
804	schtasks.exe
2872	schtasks.exe
3912	schtasks.exe
1008	schtasks.exe
2924	schtasks.exe
636	schtasks.exe
1472	schtasks.exe
2820	schtasks.exe
4568	schtasks.exe
4720	schtasks.exe
5112	schtasks.exe
1420	schtasks.exe
2724	schtasks.exe
2024	schtasks.exe
4868	schtasks.exe
4356	schtasks.exe
1336	schtasks.exe
3988	schtasks.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
224	524eadc0b5758167ac92dbfbf5b6119abefe8648eaf3c1171ab8a227d3720611.exe
224	524eadc0b5758167ac92dbfbf5b6119abefe8648eaf3c1171ab8a227d3720611.exe
224	524eadc0b5758167ac92dbfbf5b6119abefe8648eaf3c1171ab8a227d3720611.exe
224	524eadc0b5758167ac92dbfbf5b6119abefe8648eaf3c1171ab8a227d3720611.exe
224	524eadc0b5758167ac92dbfbf5b6119abefe8648eaf3c1171ab8a227d3720611.exe
224	524eadc0b5758167ac92dbfbf5b6119abefe8648eaf3c1171ab8a227d3720611.exe
224	524eadc0b5758167ac92dbfbf5b6119abefe8648eaf3c1171ab8a227d3720611.exe
2616	explorer.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	224	524eadc0b5758167ac92dbfbf5b6119abefe8648eaf3c1171ab8a227d3720611.exe
Token: SeDebugPrivilege	2616	explorer.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 224 wrote to memory of 2616	224	524eadc0b5758167ac92dbfbf5b6119abefe8648eaf3c1171ab8a227d3720611.exe	125
PID 224 wrote to memory of 2616	224	524eadc0b5758167ac92dbfbf5b6119abefe8648eaf3c1171ab8a227d3720611.exe	125

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	524eadc0b5758167ac92dbfbf5b6119abefe8648eaf3c1171ab8a227d3720611.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	524eadc0b5758167ac92dbfbf5b6119abefe8648eaf3c1171ab8a227d3720611.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	524eadc0b5758167ac92dbfbf5b6119abefe8648eaf3c1171ab8a227d3720611.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\524eadc0b5758167ac92dbfbf5b6119abefe8648eaf3c1171ab8a227d3720611.exe
"C:\Users\Admin\AppData\Local\Temp\524eadc0b5758167ac92dbfbf5b6119abefe8648eaf3c1171ab8a227d3720611.exe"
1⤵
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:224
- C:\Program Files\Windows Defender\es-ES\explorer.exe
  "C:\Program Files\Windows Defender\es-ES\explorer.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification
  PID:2616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "524eadc0b5758167ac92dbfbf5b6119abefe8648eaf3c1171ab8a227d37206115" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\524eadc0b5758167ac92dbfbf5b6119abefe8648eaf3c1171ab8a227d3720611.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "524eadc0b5758167ac92dbfbf5b6119abefe8648eaf3c1171ab8a227d3720611" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\524eadc0b5758167ac92dbfbf5b6119abefe8648eaf3c1171ab8a227d3720611.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "524eadc0b5758167ac92dbfbf5b6119abefe8648eaf3c1171ab8a227d37206115" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\524eadc0b5758167ac92dbfbf5b6119abefe8648eaf3c1171ab8a227d3720611.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files\VideoLAN\VLC\plugins\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\plugins\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files\VideoLAN\VLC\plugins\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Internet Explorer\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Internet Explorer\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Downloads\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Public\Downloads\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Downloads\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Defender\de-DE\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\de-DE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Defender\de-DE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Music\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Admin\Music\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Music\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Defender\es-ES\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\es-ES\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Defender\es-ES\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Windows\Setup\State\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\Setup\State\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Windows\Setup\State\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Users\Admin\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Windows\System32\Sysprep\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\System32\Sysprep\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Windows\System32\Sysprep\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Windows\Prefetch\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\Prefetch\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Windows\Prefetch\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\sihost.exe

Filesize
2.7MB

MD5
63f307b338e15bb46522340912c6e153

SHA1
efbaa3f7984ad3f061c0430674ac31958ac730d0

SHA256
531caa419d03c1450f122a99cb80d89252abc79357323054364b2e9848b09cfc

SHA512
ec4abc0c5749a9710e95b13a51ff6860539737d01406c1fe21d365921d68e7ec122dd0bdad33d0b634f257fe52dfa2711cc56495a798fb0e08bbdea73540dd90

Download Submit
C:\Program Files (x86)\Windows Defender\de-DE\explorer.exe

Filesize
2.7MB

MD5
0f9e8c0ca92989e50a62c5ea1e47eb74

SHA1
6076489eb7df53fe1116b3dfd0ff5d87cdfeb3d6

SHA256
524eadc0b5758167ac92dbfbf5b6119abefe8648eaf3c1171ab8a227d3720611

SHA512
8819dc1e48e2343d29ee0420a598ee4e062a19b36190af80a204f08a28cde1e3cbe097d438566d1b12cf3d37f1afb889060fb9b141840de1d005be5087302970

Download Submit
C:\Windows\Prefetch\winlogon.exe

Filesize
2.7MB

MD5
58ca9bfa82b72044788d3321062e3d07

SHA1
6cea596448383cb6c1909f8530fa71cc494615ae

SHA256
d5f95e3c261028a3d0f9b462463406060db3e1bc1d6363d95b5fc02e8e727877

SHA512
f6e2dee659594f6728979b9573d1ea4094aa14bd2cdfd2ef08e067bd697e6a5dcb76bf95f49c9c0546aadbf5ec39d5fa2194334ee7881a1ea56559feed71c971

Download Submit
memory/224-16-0x000000001B760000-0x000000001B768000-memory.dmp

Filesize
32KB

Download
memory/224-17-0x000000001B770000-0x000000001B77C000-memory.dmp

Filesize
48KB

Download
memory/224-5-0x000000001B680000-0x000000001B6D0000-memory.dmp

Filesize
320KB

Download
memory/224-7-0x0000000002630000-0x0000000002640000-memory.dmp

Filesize
64KB

Download
memory/224-6-0x00000000024B0000-0x00000000024B8000-memory.dmp

Filesize
32KB

Download
memory/224-9-0x0000000002660000-0x0000000002668000-memory.dmp

Filesize
32KB

Download
memory/224-10-0x0000000002670000-0x000000000267A000-memory.dmp

Filesize
40KB

Download
memory/224-8-0x0000000002640000-0x0000000002656000-memory.dmp

Filesize
88KB

Download
memory/224-11-0x000000001B6D0000-0x000000001B726000-memory.dmp

Filesize
344KB

Download
memory/224-12-0x0000000002680000-0x0000000002688000-memory.dmp

Filesize
32KB

Download
memory/224-13-0x000000001B720000-0x000000001B732000-memory.dmp

Filesize
72KB

Download
memory/224-0-0x00007FFF4B663000-0x00007FFF4B665000-memory.dmp

Filesize
8KB

Download
memory/224-14-0x000000001BC80000-0x000000001C1A8000-memory.dmp

Filesize
5.2MB

Download
memory/224-4-0x0000000002610000-0x000000000262C000-memory.dmp

Filesize
112KB

Download
memory/224-15-0x000000001B750000-0x000000001B758000-memory.dmp

Filesize
32KB

Download
memory/224-19-0x000000001B790000-0x000000001B79C000-memory.dmp

Filesize
48KB

Download
memory/224-18-0x000000001B780000-0x000000001B78E000-memory.dmp

Filesize
56KB

Download
memory/224-21-0x000000001B7B0000-0x000000001B7BC000-memory.dmp

Filesize
48KB

Download
memory/224-20-0x000000001B7A0000-0x000000001B7AA000-memory.dmp

Filesize
40KB

Download
memory/224-3-0x00000000024A0000-0x00000000024AE000-memory.dmp

Filesize
56KB

Download
memory/224-2-0x00007FFF4B660000-0x00007FFF4C121000-memory.dmp

Filesize
10.8MB

Download
memory/224-166-0x00007FFF4B663000-0x00007FFF4B665000-memory.dmp

Filesize
8KB

Download
memory/224-1-0x0000000000110000-0x00000000003C4000-memory.dmp

Filesize
2.7MB

Download
memory/224-189-0x00007FFF4B660000-0x00007FFF4C121000-memory.dmp

Filesize
10.8MB

Download
memory/224-261-0x00007FFF4B660000-0x00007FFF4C121000-memory.dmp

Filesize
10.8MB

Download