dcrat | 7574d2c9903d02681c8190816aa30a76d8874f03148539eacd6af126dc4cba8e

Analysis

max time kernel
146s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
04-04-2024 11:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7574d2c9903d02681c8190816aa30a76d8874f03148539eacd6af126dc4cba8e.exe
Size

1.1MB
MD5

6e6f8bc0dbceec859f9baaff0ebe2811
SHA1

495b4434e34bbf6c432718ee6fac880f16be49a0
SHA256

7574d2c9903d02681c8190816aa30a76d8874f03148539eacd6af126dc4cba8e
SHA512

aab1bba5a4fc395f2d378bfc2bad098ce4efbeadacea47f650e16afd99373d518fd2cf9f8c30422cd34939d04d2e05ac9fc5ee8b48d6f5bc8f7cbb19d1bfeac7
SSDEEP

24576:U2G/nvxW3Ww0tkqV9bjWrJeQfBmAL6PLRr0UeJ:UbA30kqIJR/

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 48 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4108	2596	schtasks.exe	101
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2964	2596	schtasks.exe	101
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3612	2596	schtasks.exe	101
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4372	2596	schtasks.exe	101
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1200	2596	schtasks.exe	101
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2832	2596	schtasks.exe	101
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4452	2596	schtasks.exe	101
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4784	2596	schtasks.exe	101
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1332	2596	schtasks.exe	101
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4316	2596	schtasks.exe	101
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4364	2596	schtasks.exe	101
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1492	2596	schtasks.exe	101
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	408	2596	schtasks.exe	101
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4424	2596	schtasks.exe	101
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3980	2596	schtasks.exe	101
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	516	2596	schtasks.exe	101
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	856	2596	schtasks.exe	101
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1996	2596	schtasks.exe	101
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2860	2596	schtasks.exe	101
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4192	2596	schtasks.exe	101
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1456	2596	schtasks.exe	101
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	532	2596	schtasks.exe	101
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1268	2596	schtasks.exe	101
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1660	2596	schtasks.exe	101
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2096	2596	schtasks.exe	101
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5012	2596	schtasks.exe	101
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	572	2596	schtasks.exe	101
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3444	2596	schtasks.exe	101
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1436	2596	schtasks.exe	101
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2036	2596	schtasks.exe	101
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4572	2596	schtasks.exe	101
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4036	2596	schtasks.exe	101
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2060	2596	schtasks.exe	101
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2256	2596	schtasks.exe	101
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	456	2596	schtasks.exe	101
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	316	2596	schtasks.exe	101
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1076	2596	schtasks.exe	101
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4392	2596	schtasks.exe	101
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4484	2596	schtasks.exe	101
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4744	2596	schtasks.exe	101
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4196	2596	schtasks.exe	101
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	376	2596	schtasks.exe	101
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1988	2596	schtasks.exe	101
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1876	2596	schtasks.exe	101
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2412	2596	schtasks.exe	101
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3456	2596	schtasks.exe	101
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3372	2596	schtasks.exe	101
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5104	2596	schtasks.exe	101

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000023265-10.dat	dcrat
behavioral1/memory/2864-12-0x00000000004C0000-0x0000000000596000-memory.dmp	dcrat

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	7574d2c9903d02681c8190816aa30a76d8874f03148539eacd6af126dc4cba8e.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	agentDllDhcp.exe

Executes dropped EXE 2 IoCs

pid	Process
2864	agentDllDhcp.exe
1508	explorer.exe

Drops file in Program Files directory 12 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\EdgeCore\ea1d8f6d871115	agentDllDhcp.exe
File created	C:\Program Files (x86)\Internet Explorer\de-DE\explorer.exe	agentDllDhcp.exe
File created	C:\Program Files (x86)\Internet Explorer\de-DE\7a0fd90576e088	agentDllDhcp.exe
File created	C:\Program Files\Uninstall Information\5b884080fd4f94	agentDllDhcp.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\upfc.exe	agentDllDhcp.exe
File created	C:\Program Files\Uninstall Information\fontdrvhost.exe	agentDllDhcp.exe
File created	C:\Program Files\VideoLAN\VLC\lua\msedge.exe	agentDllDhcp.exe
File created	C:\Program Files\VideoLAN\VLC\lua\61a52ddc9dd915	agentDllDhcp.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\122.0.2365.52\Idle.exe	agentDllDhcp.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\122.0.2365.52\6ccacd8608530f	agentDllDhcp.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\TextInputHost.exe	agentDllDhcp.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\22eafd247d37c3	agentDllDhcp.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\ja-JP\StartMenuExperienceHost.exe	agentDllDhcp.exe
File opened for modification	C:\Windows\ja-JP\StartMenuExperienceHost.exe	agentDllDhcp.exe
File created	C:\Windows\ja-JP\55b276f4edf653	agentDllDhcp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 48 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2256	schtasks.exe
4108	schtasks.exe
4424	schtasks.exe
516	schtasks.exe
856	schtasks.exe
2860	schtasks.exe
532	schtasks.exe
1660	schtasks.exe
316	schtasks.exe
3372	schtasks.exe
1332	schtasks.exe
1492	schtasks.exe
3980	schtasks.exe
456	schtasks.exe
376	schtasks.exe
2412	schtasks.exe
3456	schtasks.exe
2964	schtasks.exe
2832	schtasks.exe
1268	schtasks.exe
4744	schtasks.exe
1996	schtasks.exe
1456	schtasks.exe
2060	schtasks.exe
1076	schtasks.exe
4784	schtasks.exe
4036	schtasks.exe
4196	schtasks.exe
4316	schtasks.exe
1436	schtasks.exe
4572	schtasks.exe
4484	schtasks.exe
5104	schtasks.exe
4372	schtasks.exe
1200	schtasks.exe
4364	schtasks.exe
5012	schtasks.exe
3444	schtasks.exe
1876	schtasks.exe
4392	schtasks.exe
3612	schtasks.exe
4452	schtasks.exe
408	schtasks.exe
4192	schtasks.exe
2096	schtasks.exe
572	schtasks.exe
2036	schtasks.exe
1988	schtasks.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	7574d2c9903d02681c8190816aa30a76d8874f03148539eacd6af126dc4cba8e.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
2864	agentDllDhcp.exe
2864	agentDllDhcp.exe
2864	agentDllDhcp.exe
2864	agentDllDhcp.exe
2864	agentDllDhcp.exe
2864	agentDllDhcp.exe
1508	explorer.exe
1508	explorer.exe
1508	explorer.exe
1508	explorer.exe
1508	explorer.exe
1508	explorer.exe
1508	explorer.exe
1508	explorer.exe
1508	explorer.exe
1508	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1508	explorer.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2864	agentDllDhcp.exe
Token: SeDebugPrivilege	1508	explorer.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 3444 wrote to memory of 3148	3444	7574d2c9903d02681c8190816aa30a76d8874f03148539eacd6af126dc4cba8e.exe	94
PID 3444 wrote to memory of 3148	3444	7574d2c9903d02681c8190816aa30a76d8874f03148539eacd6af126dc4cba8e.exe	94
PID 3444 wrote to memory of 3148	3444	7574d2c9903d02681c8190816aa30a76d8874f03148539eacd6af126dc4cba8e.exe	94
PID 3148 wrote to memory of 2528	3148	WScript.exe	97
PID 3148 wrote to memory of 2528	3148	WScript.exe	97
PID 3148 wrote to memory of 2528	3148	WScript.exe	97
PID 2528 wrote to memory of 2864	2528	cmd.exe	99
PID 2528 wrote to memory of 2864	2528	cmd.exe	99
PID 2864 wrote to memory of 1508	2864	agentDllDhcp.exe	152
PID 2864 wrote to memory of 1508	2864	agentDllDhcp.exe	152

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\7574d2c9903d02681c8190816aa30a76d8874f03148539eacd6af126dc4cba8e.exe
"C:\Users\Admin\AppData\Local\Temp\7574d2c9903d02681c8190816aa30a76d8874f03148539eacd6af126dc4cba8e.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3444
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\BlockComponentwebMonitordhcp\AbAw8xfGFsmxdxvuwvbKubDJeV.vbe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:3148
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\BlockComponentwebMonitordhcp\8H5kf2bUK2r.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2528
  - - C:\BlockComponentwebMonitordhcp\agentDllDhcp.exe
      "C:\BlockComponentwebMonitordhcp\agentDllDhcp.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2864
    - - C:\Program Files (x86)\Internet Explorer\de-DE\explorer.exe
        
        "C:\Program Files (x86)\Internet Explorer\de-DE\explorer.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:1508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 10 /tr "'C:\Windows\ja-JP\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Windows\ja-JP\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 5 /tr "'C:\Windows\ja-JP\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Internet Explorer\de-DE\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\de-DE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Internet Explorer\de-DE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\odt\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\odt\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\odt\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\122.0.2365.52\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\122.0.2365.52\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\122.0.2365.52\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\odt\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\odt\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\odt\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\BlockComponentwebMonitordhcp\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\BlockComponentwebMonitordhcp\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\BlockComponentwebMonitordhcp\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Videos\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Admin\Videos\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Videos\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Program Files\Uninstall Information\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Program Files\Uninstall Information\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft\EdgeCore\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\EdgeCore\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft\EdgeCore\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 9 /tr "'C:\odt\msedge.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\odt\msedge.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 7 /tr "'C:\odt\msedge.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Users\Public\AccountPictures\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Public\AccountPictures\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Users\Public\AccountPictures\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\odt\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\odt\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\odt\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 7 /tr "'C:\Program Files\VideoLAN\VLC\lua\msedge.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\lua\msedge.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 13 /tr "'C:\Program Files\VideoLAN\VLC\lua\msedge.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5104

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1428 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:8
1⤵
PID:1152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\BlockComponentwebMonitordhcp\8H5kf2bUK2r.bat

Filesize
50B

MD5
40763ae8cfc178ff43b09dbd8aeb8e24

SHA1
81c31ec6a3fb0ccb59bf4ef2e6653405cdc2534c

SHA256
7b94af95b84b86d3b7dedd796d45f4ece48521897bfbcda1049002ceb0f27f7c

SHA512
a63bc49760984ae681df2663fa0590660036bf4cddfdfa7f634bcd51147c8e94b7d973ef425716bdd58ccc812d44be6a0682636e6faab84f94756b5e97ecb359

Download Submit
C:\BlockComponentwebMonitordhcp\AbAw8xfGFsmxdxvuwvbKubDJeV.vbe

Filesize
217B

MD5
1efe4b745c309f0d730c394a6d1bd25f

SHA1
8831671936036e79c4daa914d14455c8e2808081

SHA256
3dca4af9d3b59a3c498492bf9ddd94961df9f95d535836caa2b8ba710aa73f7e

SHA512
9c9a4292c96c6a727a7601831a6ec3f2c11968f898996c14c9bc7c1fb4ce66e9fffd2fabec13d9929ad220956263eecaf5c704833dd7f021a805a438f586ca39

Download Submit
C:\BlockComponentwebMonitordhcp\agentDllDhcp.exe

Filesize
828KB

MD5
6b3e49b6d32aca957297d8c71e698737

SHA1
73294c085a65af8528ea636ee15132020ba38fe5

SHA256
fef594135e18a708750abad999febeba51d6efe9d6d3073f02a1acb12731eed8

SHA512
151ce51cbcce1ee4cb8b145b02124efc1cb93ef9320da60321cd179d8544930c7f2aa9af4cd4ddd0a71dc32ef5b0069fd8e6bb5e76359d3286d526ccf7e5510b

Download Submit
memory/1508-59-0x00007FFD75E60000-0x00007FFD76921000-memory.dmp

Filesize
10.8MB

Download
memory/1508-60-0x0000000000A80000-0x0000000000A90000-memory.dmp

Filesize
64KB

Download
memory/1508-61-0x00007FFD75E60000-0x00007FFD76921000-memory.dmp

Filesize
10.8MB

Download
memory/1508-62-0x0000000000A80000-0x0000000000A90000-memory.dmp

Filesize
64KB

Download
memory/2864-12-0x00000000004C0000-0x0000000000596000-memory.dmp

Filesize
856KB

Download
memory/2864-13-0x00007FFD75E60000-0x00007FFD76921000-memory.dmp

Filesize
10.8MB

Download
memory/2864-14-0x000000001B2A0000-0x000000001B2B0000-memory.dmp

Filesize
64KB

Download
memory/2864-58-0x00007FFD75E60000-0x00007FFD76921000-memory.dmp

Filesize
10.8MB

Download