dcrat | f4111d30be32600233ad61440ff2f9a6484f3ba6c04fae4b522fc09ab0de3831

Analysis

max time kernel
24s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

48dd84f7a2cbfb0a068fa1a74c35fa4983f355dd026648bde3c594d0afe696da.exe
Size

3.3MB
MD5

74da02657baeecb247413687ca835103
SHA1

44f3e5bdc60e9d41d624a1de2154d804a53aa8be
SHA256

48dd84f7a2cbfb0a068fa1a74c35fa4983f355dd026648bde3c594d0afe696da
SHA512

c679fa77c3b8a83e6c8607d77f2ff575ce9903fe8836e850cf12b5c8756f6123411c413e79bc131a1723d6803785c33f24612a4bcedbbb73035d6ec6aa53add1
SSDEEP

49152:Ts51kZEsvhP4KUYTMb5C1JyWdLQqFxLCobXK45p4aE:Ts5eaKhgKUFCo2LP15s

Score

10^/10

dcrat defense_evasion infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

UAC bypass 3 TTPs 6 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	48dd84f7a2cbfb0a068fa1a74c35fa4983f355dd026648bde3c594d0afe696da.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	48dd84f7a2cbfb0a068fa1a74c35fa4983f355dd026648bde3c594d0afe696da.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	48dd84f7a2cbfb0a068fa1a74c35fa4983f355dd026648bde3c594d0afe696da.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	TextInputHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	TextInputHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	TextInputHost.exe

DCRat payload 5 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral22/memory/4720-1-0x0000000000FA0000-0x00000000012EE000-memory.dmp	dcrat
behavioral22/files/0x0007000000024286-45.dat	dcrat
behavioral22/files/0x0009000000024293-64.dat	dcrat
behavioral22/files/0x000d0000000240b2-75.dat	dcrat
behavioral22/memory/3764-196-0x0000000000A00000-0x0000000000D4E000-memory.dmp	dcrat

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	48dd84f7a2cbfb0a068fa1a74c35fa4983f355dd026648bde3c594d0afe696da.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	TextInputHost.exe

Executes dropped EXE 1 IoCs

pid	Process
3764	TextInputHost.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	48dd84f7a2cbfb0a068fa1a74c35fa4983f355dd026648bde3c594d0afe696da.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	48dd84f7a2cbfb0a068fa1a74c35fa4983f355dd026648bde3c594d0afe696da.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	TextInputHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	TextInputHost.exe

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\edge_BITS_4544_2096699802\RCX82E5.tmp	48dd84f7a2cbfb0a068fa1a74c35fa4983f355dd026648bde3c594d0afe696da.exe
File opened for modification	C:\Program Files\Uninstall Information\RCX8991.tmp	48dd84f7a2cbfb0a068fa1a74c35fa4983f355dd026648bde3c594d0afe696da.exe
File opened for modification	C:\Program Files\Uninstall Information\RCX89A2.tmp	48dd84f7a2cbfb0a068fa1a74c35fa4983f355dd026648bde3c594d0afe696da.exe
File created	C:\Program Files\edge_BITS_4544_2096699802\lsass.exe	48dd84f7a2cbfb0a068fa1a74c35fa4983f355dd026648bde3c594d0afe696da.exe
File created	C:\Program Files\Uninstall Information\StartMenuExperienceHost.exe	48dd84f7a2cbfb0a068fa1a74c35fa4983f355dd026648bde3c594d0afe696da.exe
File created	C:\Program Files\Uninstall Information\55b276f4edf653	48dd84f7a2cbfb0a068fa1a74c35fa4983f355dd026648bde3c594d0afe696da.exe
File opened for modification	C:\Program Files\edge_BITS_4544_2096699802\RCX82E4.tmp	48dd84f7a2cbfb0a068fa1a74c35fa4983f355dd026648bde3c594d0afe696da.exe
File opened for modification	C:\Program Files\edge_BITS_4544_2096699802\lsass.exe	48dd84f7a2cbfb0a068fa1a74c35fa4983f355dd026648bde3c594d0afe696da.exe
File opened for modification	C:\Program Files\Uninstall Information\StartMenuExperienceHost.exe	48dd84f7a2cbfb0a068fa1a74c35fa4983f355dd026648bde3c594d0afe696da.exe
File created	C:\Program Files\edge_BITS_4544_2096699802\6203df4a6bafc7	48dd84f7a2cbfb0a068fa1a74c35fa4983f355dd026648bde3c594d0afe696da.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\diagnostics\system\Printer\de-DE\upfc.exe	48dd84f7a2cbfb0a068fa1a74c35fa4983f355dd026648bde3c594d0afe696da.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	48dd84f7a2cbfb0a068fa1a74c35fa4983f355dd026648bde3c594d0afe696da.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	TextInputHost.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 21 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5908	schtasks.exe
828	schtasks.exe
1556	schtasks.exe
2396	schtasks.exe
4784	schtasks.exe
4540	schtasks.exe
3304	schtasks.exe
3388	schtasks.exe
5300	schtasks.exe
2012	schtasks.exe
864	schtasks.exe
5800	schtasks.exe
5876	schtasks.exe
3664	schtasks.exe
3840	schtasks.exe
3656	schtasks.exe
6016	schtasks.exe
1876	schtasks.exe
1404	schtasks.exe
1988	schtasks.exe
1416	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4720	48dd84f7a2cbfb0a068fa1a74c35fa4983f355dd026648bde3c594d0afe696da.exe
4720	48dd84f7a2cbfb0a068fa1a74c35fa4983f355dd026648bde3c594d0afe696da.exe
4720	48dd84f7a2cbfb0a068fa1a74c35fa4983f355dd026648bde3c594d0afe696da.exe
4720	48dd84f7a2cbfb0a068fa1a74c35fa4983f355dd026648bde3c594d0afe696da.exe
4720	48dd84f7a2cbfb0a068fa1a74c35fa4983f355dd026648bde3c594d0afe696da.exe
4720	48dd84f7a2cbfb0a068fa1a74c35fa4983f355dd026648bde3c594d0afe696da.exe
4720	48dd84f7a2cbfb0a068fa1a74c35fa4983f355dd026648bde3c594d0afe696da.exe
4720	48dd84f7a2cbfb0a068fa1a74c35fa4983f355dd026648bde3c594d0afe696da.exe
4720	48dd84f7a2cbfb0a068fa1a74c35fa4983f355dd026648bde3c594d0afe696da.exe
4720	48dd84f7a2cbfb0a068fa1a74c35fa4983f355dd026648bde3c594d0afe696da.exe
4720	48dd84f7a2cbfb0a068fa1a74c35fa4983f355dd026648bde3c594d0afe696da.exe
4720	48dd84f7a2cbfb0a068fa1a74c35fa4983f355dd026648bde3c594d0afe696da.exe
4720	48dd84f7a2cbfb0a068fa1a74c35fa4983f355dd026648bde3c594d0afe696da.exe
4720	48dd84f7a2cbfb0a068fa1a74c35fa4983f355dd026648bde3c594d0afe696da.exe
4720	48dd84f7a2cbfb0a068fa1a74c35fa4983f355dd026648bde3c594d0afe696da.exe
4720	48dd84f7a2cbfb0a068fa1a74c35fa4983f355dd026648bde3c594d0afe696da.exe
4720	48dd84f7a2cbfb0a068fa1a74c35fa4983f355dd026648bde3c594d0afe696da.exe
4720	48dd84f7a2cbfb0a068fa1a74c35fa4983f355dd026648bde3c594d0afe696da.exe
4720	48dd84f7a2cbfb0a068fa1a74c35fa4983f355dd026648bde3c594d0afe696da.exe
4720	48dd84f7a2cbfb0a068fa1a74c35fa4983f355dd026648bde3c594d0afe696da.exe
4720	48dd84f7a2cbfb0a068fa1a74c35fa4983f355dd026648bde3c594d0afe696da.exe
4720	48dd84f7a2cbfb0a068fa1a74c35fa4983f355dd026648bde3c594d0afe696da.exe
4720	48dd84f7a2cbfb0a068fa1a74c35fa4983f355dd026648bde3c594d0afe696da.exe
4720	48dd84f7a2cbfb0a068fa1a74c35fa4983f355dd026648bde3c594d0afe696da.exe
4720	48dd84f7a2cbfb0a068fa1a74c35fa4983f355dd026648bde3c594d0afe696da.exe
4720	48dd84f7a2cbfb0a068fa1a74c35fa4983f355dd026648bde3c594d0afe696da.exe
4720	48dd84f7a2cbfb0a068fa1a74c35fa4983f355dd026648bde3c594d0afe696da.exe
4720	48dd84f7a2cbfb0a068fa1a74c35fa4983f355dd026648bde3c594d0afe696da.exe
4720	48dd84f7a2cbfb0a068fa1a74c35fa4983f355dd026648bde3c594d0afe696da.exe
4720	48dd84f7a2cbfb0a068fa1a74c35fa4983f355dd026648bde3c594d0afe696da.exe
4720	48dd84f7a2cbfb0a068fa1a74c35fa4983f355dd026648bde3c594d0afe696da.exe
4720	48dd84f7a2cbfb0a068fa1a74c35fa4983f355dd026648bde3c594d0afe696da.exe
4720	48dd84f7a2cbfb0a068fa1a74c35fa4983f355dd026648bde3c594d0afe696da.exe
4720	48dd84f7a2cbfb0a068fa1a74c35fa4983f355dd026648bde3c594d0afe696da.exe
4720	48dd84f7a2cbfb0a068fa1a74c35fa4983f355dd026648bde3c594d0afe696da.exe
4720	48dd84f7a2cbfb0a068fa1a74c35fa4983f355dd026648bde3c594d0afe696da.exe
3764	TextInputHost.exe
3764	TextInputHost.exe
3764	TextInputHost.exe
3764	TextInputHost.exe
3764	TextInputHost.exe
3764	TextInputHost.exe
3764	TextInputHost.exe
3764	TextInputHost.exe
3764	TextInputHost.exe
3764	TextInputHost.exe
3764	TextInputHost.exe
3764	TextInputHost.exe
3764	TextInputHost.exe
3764	TextInputHost.exe
3764	TextInputHost.exe
3764	TextInputHost.exe
3764	TextInputHost.exe
3764	TextInputHost.exe
3764	TextInputHost.exe
3764	TextInputHost.exe
3764	TextInputHost.exe
3764	TextInputHost.exe
3764	TextInputHost.exe
3764	TextInputHost.exe
3764	TextInputHost.exe
3764	TextInputHost.exe
3764	TextInputHost.exe
3764	TextInputHost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4720	48dd84f7a2cbfb0a068fa1a74c35fa4983f355dd026648bde3c594d0afe696da.exe
Token: SeDebugPrivilege	3764	TextInputHost.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4720 wrote to memory of 3764	4720	48dd84f7a2cbfb0a068fa1a74c35fa4983f355dd026648bde3c594d0afe696da.exe	112
PID 4720 wrote to memory of 3764	4720	48dd84f7a2cbfb0a068fa1a74c35fa4983f355dd026648bde3c594d0afe696da.exe	112
PID 3764 wrote to memory of 6020	3764	TextInputHost.exe	116
PID 3764 wrote to memory of 6020	3764	TextInputHost.exe	116
PID 3764 wrote to memory of 3932	3764	TextInputHost.exe	118
PID 3764 wrote to memory of 3932	3764	TextInputHost.exe	118

System policy modification 1 TTPs 6 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	48dd84f7a2cbfb0a068fa1a74c35fa4983f355dd026648bde3c594d0afe696da.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	48dd84f7a2cbfb0a068fa1a74c35fa4983f355dd026648bde3c594d0afe696da.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	TextInputHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	TextInputHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	TextInputHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	48dd84f7a2cbfb0a068fa1a74c35fa4983f355dd026648bde3c594d0afe696da.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\48dd84f7a2cbfb0a068fa1a74c35fa4983f355dd026648bde3c594d0afe696da.exe
"C:\Users\Admin\AppData\Local\Temp\48dd84f7a2cbfb0a068fa1a74c35fa4983f355dd026648bde3c594d0afe696da.exe"
1⤵
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4720
- C:\2f3e0199fccb3f72e8a39924edc6a781\TextInputHost.exe
  "C:\2f3e0199fccb3f72e8a39924edc6a781\TextInputHost.exe"
  2⤵
  - UAC bypass
  - Checks computer location settings
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:3764
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\acd732b0-2233-46bb-bb15-f151a6710260.vbs"
    3⤵
    PID:6020
  - - C:\2f3e0199fccb3f72e8a39924edc6a781\TextInputHost.exe
      C:\2f3e0199fccb3f72e8a39924edc6a781\TextInputHost.exe
      4⤵
      PID:1932
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4a8e5fc4-ae5c-4d12-98d6-24f6a53fd0f1.vbs"
        5⤵
        
        PID:4688
      - C:\2f3e0199fccb3f72e8a39924edc6a781\TextInputHost.exe
        
        C:\2f3e0199fccb3f72e8a39924edc6a781\TextInputHost.exe
        6⤵
        
        PID:4872
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b8bacf41-3a76-4eb7-bd06-a1d55863e10d.vbs"
        7⤵
        
        PID:4636
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\420d4a61-a406-4c92-ae94-88a9ac4ab215.vbs"
        7⤵
        
        PID:1260
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d7130a2b-4283-4b3a-94d6-29e6607227c7.vbs"
        5⤵
        
        PID:1648
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\80bd5fed-575c-4ad2-b00b-6a7df67015ba.vbs"
    3⤵
    PID:3932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 11 /tr "'C:\2f3e0199fccb3f72e8a39924edc6a781\TextInputHost.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\2f3e0199fccb3f72e8a39924edc6a781\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 11 /tr "'C:\2f3e0199fccb3f72e8a39924edc6a781\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:5876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 10 /tr "'C:\34c553de294c1d56d0a800105b\upfc.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\34c553de294c1d56d0a800105b\upfc.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 5 /tr "'C:\34c553de294c1d56d0a800105b\upfc.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Program Files\edge_BITS_4544_2096699802\lsass.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\edge_BITS_4544_2096699802\lsass.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:5800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Program Files\edge_BITS_4544_2096699802\lsass.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Links\services.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Default\Links\services.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Links\services.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:6016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "48dd84f7a2cbfb0a068fa1a74c35fa4983f355dd026648bde3c594d0afe696da4" /sc MINUTE /mo 14 /tr "'C:\2f3e0199fccb3f72e8a39924edc6a781\48dd84f7a2cbfb0a068fa1a74c35fa4983f355dd026648bde3c594d0afe696da.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "48dd84f7a2cbfb0a068fa1a74c35fa4983f355dd026648bde3c594d0afe696da" /sc ONLOGON /tr "'C:\2f3e0199fccb3f72e8a39924edc6a781\48dd84f7a2cbfb0a068fa1a74c35fa4983f355dd026648bde3c594d0afe696da.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "48dd84f7a2cbfb0a068fa1a74c35fa4983f355dd026648bde3c594d0afe696da4" /sc MINUTE /mo 14 /tr "'C:\2f3e0199fccb3f72e8a39924edc6a781\48dd84f7a2cbfb0a068fa1a74c35fa4983f355dd026648bde3c594d0afe696da.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 10 /tr "'C:\Program Files\Uninstall Information\StartMenuExperienceHost.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:5908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 7 /tr "'C:\Program Files\Uninstall Information\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:5300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\2f3e0199fccb3f72e8a39924edc6a781\TextInputHost.exe

Filesize
3.3MB

MD5
182bc6a44b6a9b97529d5ffa1b88eb23

SHA1
b75657edda3ea5fd24d26c0d18a6bf8fc44f418f

SHA256
970c039c8976cb19e7407fac446f16a519c8b3907df15945fc6f5ecd1ff561ed

SHA512
7cc04e804a752b58455e9ed92d32530d06088e3060d971cec21622e3190950e3d21f88abd9d17deef8a7804fa8d4b89f6dccfa8457559e11558fbe761398951a

Download Submit
C:\Recovery\WindowsRE\backgroundTaskHost.exe

Filesize
3.3MB

MD5
d87e52b866a2874a7e3a407cb9caa988

SHA1
91db6e1a9ba89b421bff5647500cb7a90f1a373b

SHA256
f11bc4b3e18f313555922fa34754c66dd8ad0bde8327ee173f701d60a5e18ae6

SHA512
9b2e712038f9ab1a02bf48690eabec8decbba994fca6f8cbceb2ca3faf5ad7b77a81030a8a4b86d849a245039875c912c6b940baea23dbec5a7986aa6bc78ee4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\TextInputHost.exe.log

Filesize
1KB

MD5
49b64127208271d8f797256057d0b006

SHA1
b99bd7e2b4e9ed24de47fb3341ea67660b84cca1

SHA256
2a5d403a2e649d8eceef8f785eeb0f6d33888ec6bbf251b3c347e34cb32b1e77

SHA512
f7c728923c893dc9bc88ad2159e0abcda41e1b40ff7e7756e6252d135ed238a2248a2662b3392449836dd1b0b580f0c866cc33e409527484fe4602e3d3f10e3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\4a8e5fc4-ae5c-4d12-98d6-24f6a53fd0f1.vbs

Filesize
729B

MD5
0e985e411503dc6dbac07382af331389

SHA1
f8576a60e900d608d2d68b1b9db51bb23e1c0114

SHA256
fac1d1e36fa68b5fe75ea26a605879f689be0dae34abd833bbda520de8bfe276

SHA512
262dc12fbdb849a445b5437ce9af9d2420e5cf2cadc786560c9124fa284db1693550d7bceb0ebde692357190f000c4016884d97dfcd6ddd73bbda92939a64b52

Download Submit
C:\Users\Admin\AppData\Local\Temp\80bd5fed-575c-4ad2-b00b-6a7df67015ba.vbs

Filesize
505B

MD5
3c0a6ea0adac27de57861ad58544d589

SHA1
68ddcffc817b80cbd944181f2677c0678125b164

SHA256
b7b0df43732b329f16074315d63b7656d08f650c1f65ef2de120981b2bce7a3c

SHA512
53ccc2422db973a2aab149770bfe8caf8e1c2d39b296784e095591a6d93af0550346f4d9bb3e7d2f11f3595cab61464db748e7244c7e56852a52bcd89ee70b11

Download Submit
C:\Users\Admin\AppData\Local\Temp\acd732b0-2233-46bb-bb15-f151a6710260.vbs

Filesize
729B

MD5
8de62b7dd66c2fac5b3d28dea8f38246

SHA1
1ef2b09e5a91a0687b934f163160d60436135a1c

SHA256
2465ea5d2c74917ea7577c1432d65ab96406b57779a5f23df9e7b2cb84c947b1

SHA512
3fdd978135538dc913e66d43bc3e6c4f682263640d48742be45dcfe13d57925c69072e8dc7a402c5024567032aa6bce47305d9d4586687790bf05f9ecb8fcbd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\b8bacf41-3a76-4eb7-bd06-a1d55863e10d.vbs

Filesize
729B

MD5
673241432a81043a4d043f3608be9e7f

SHA1
b56ce8fa2c138bc9b2a00fa9e7429bfa1a24c091

SHA256
40c04ada6675ea5e03e4a763e0bc95efd5792c2790b96e420ac21f837effdd12

SHA512
504f36189ab9810479464855d65f734732e679177d14428567736595771fe22b8b7fb6feff52f0d729a5f5dbb619bb4772a43b9bf839ac328b0afcbd605611dd

Download Submit
C:\Users\Default\Links\services.exe

Filesize
3.3MB

MD5
74da02657baeecb247413687ca835103

SHA1
44f3e5bdc60e9d41d624a1de2154d804a53aa8be

SHA256
48dd84f7a2cbfb0a068fa1a74c35fa4983f355dd026648bde3c594d0afe696da

SHA512
c679fa77c3b8a83e6c8607d77f2ff575ce9903fe8836e850cf12b5c8756f6123411c413e79bc131a1723d6803785c33f24612a4bcedbbb73035d6ec6aa53add1

Download Submit
memory/3764-198-0x000000001B9A0000-0x000000001B9B2000-memory.dmp

Filesize
72KB

Download
memory/3764-196-0x0000000000A00000-0x0000000000D4E000-memory.dmp

Filesize
3.3MB

Download
memory/4720-25-0x000000001C800000-0x000000001C80C000-memory.dmp

Filesize
48KB

Download
memory/4720-18-0x000000001C780000-0x000000001C788000-memory.dmp

Filesize
32KB

Download
memory/4720-35-0x000000001CBB0000-0x000000001CBBA000-memory.dmp

Filesize
40KB

Download
memory/4720-27-0x000000001C810000-0x000000001C81C000-memory.dmp

Filesize
48KB

Download
memory/4720-21-0x000000001C7C0000-0x000000001C7CC000-memory.dmp

Filesize
48KB

Download
memory/4720-19-0x000000001C790000-0x000000001C7A2000-memory.dmp

Filesize
72KB

Download
memory/4720-34-0x000000001CAA0000-0x000000001CAA8000-memory.dmp

Filesize
32KB

Download
memory/4720-33-0x000000001CA90000-0x000000001CA9C000-memory.dmp

Filesize
48KB

Download
memory/4720-32-0x000000001C860000-0x000000001C868000-memory.dmp

Filesize
32KB

Download
memory/4720-31-0x000000001C850000-0x000000001C85E000-memory.dmp

Filesize
56KB

Download
memory/4720-30-0x000000001C840000-0x000000001C848000-memory.dmp

Filesize
32KB

Download
memory/4720-29-0x000000001C830000-0x000000001C83E000-memory.dmp

Filesize
56KB

Download
memory/4720-28-0x000000001C820000-0x000000001C82A000-memory.dmp

Filesize
40KB

Download
memory/4720-26-0x000000001C870000-0x000000001C878000-memory.dmp

Filesize
32KB

Download
memory/4720-0-0x00007FFD2FE23000-0x00007FFD2FE25000-memory.dmp

Filesize
8KB

Download
memory/4720-24-0x000000001C7F0000-0x000000001C7FC000-memory.dmp

Filesize
48KB

Download
memory/4720-23-0x000000001C7E0000-0x000000001C7E8000-memory.dmp

Filesize
32KB

Download
memory/4720-22-0x000000001C7D0000-0x000000001C7DC000-memory.dmp

Filesize
48KB

Download
memory/4720-20-0x000000001CDC0000-0x000000001D2E8000-memory.dmp

Filesize
5.2MB

Download
memory/4720-36-0x000000001CAB0000-0x000000001CABC000-memory.dmp

Filesize
48KB

Download
memory/4720-17-0x000000001C880000-0x000000001C88C000-memory.dmp

Filesize
48KB

Download
memory/4720-16-0x000000001C770000-0x000000001C778000-memory.dmp

Filesize
32KB

Download
memory/4720-14-0x000000001C720000-0x000000001C776000-memory.dmp

Filesize
344KB

Download
memory/4720-12-0x000000001C710000-0x000000001C720000-memory.dmp

Filesize
64KB

Download
memory/4720-9-0x000000001C560000-0x000000001C576000-memory.dmp

Filesize
88KB

Download
memory/4720-8-0x000000001C550000-0x000000001C560000-memory.dmp

Filesize
64KB

Download
memory/4720-7-0x000000001C540000-0x000000001C548000-memory.dmp

Filesize
32KB

Download
memory/4720-6-0x000000001C590000-0x000000001C5E0000-memory.dmp

Filesize
320KB

Download
memory/4720-5-0x000000001C520000-0x000000001C53C000-memory.dmp

Filesize
112KB

Download
memory/4720-4-0x000000001C510000-0x000000001C518000-memory.dmp

Filesize
32KB

Download
memory/4720-197-0x00007FFD2FE20000-0x00007FFD308E1000-memory.dmp

Filesize
10.8MB

Download
memory/4720-15-0x000000001C700000-0x000000001C70C000-memory.dmp

Filesize
48KB

Download
memory/4720-13-0x000000001C6F0000-0x000000001C6FA000-memory.dmp

Filesize
40KB

Download
memory/4720-11-0x000000001C5E0000-0x000000001C5F2000-memory.dmp

Filesize
72KB

Download
memory/4720-10-0x000000001C580000-0x000000001C588000-memory.dmp

Filesize
32KB

Download
memory/4720-3-0x000000001BDF0000-0x000000001BDFE000-memory.dmp

Filesize
56KB

Download
memory/4720-2-0x00007FFD2FE20000-0x00007FFD308E1000-memory.dmp

Filesize
10.8MB

Download
memory/4720-1-0x0000000000FA0000-0x00000000012EE000-memory.dmp

Filesize
3.3MB

Download