dcrat | 3ce1f92e5a13d2d381d630bd5a5b258f7838147f1f88d679a98a40030976aa75

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
31/05/2024, 10:10

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

3ce1f92e5a13d2d381d630bd5a5b258f7838147f1f88d679a98a40030976aa75.exe
Size

1.1MB
MD5

1f9c3cddc1c0c5f3411caa896e02350a
SHA1

5c7e7074e9ee1b446890deb4eda500d5be074092
SHA256

3ce1f92e5a13d2d381d630bd5a5b258f7838147f1f88d679a98a40030976aa75
SHA512

8cd0bd635431b23d7f29fa274d0d2bef1da0c94cbf5b927c34d12a67d1a19b7ead6b46257e1bb8d1880e72965ee7b068c1d059bb317fcaa3917c71993efb9bb9
SSDEEP

24576:U2G/nvxW3Ww0trmGK9uhJ4bNJYrvyunNnLskPF:UbA30CGK9ve9n

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 39 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3644	4612	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1724	4612	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	416	4612	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4380	4612	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4900	4612	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	680	4612	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4860	4612	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3840	4612	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4652	4612	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4772	4612	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1640	4612	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3912	4612	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4060	4612	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	640	4612	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2412	4612	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4000	4612	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3992	4612	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2260	4612	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3604	4612	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4124	4612	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	456	4612	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2236	4612	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4568	4612	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4556	4612	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2364	4612	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1208	4612	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4736	4612	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3120	4612	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4324	4612	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4332	4612	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4024	4612	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2912	4612	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	32	4612	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4488	4612	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2844	4612	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2076	4612	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	760	4612	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2904	4612	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5016	4612	schtasks.exe	93

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x0007000000023424-10.dat	dcrat
behavioral2/memory/3880-13-0x0000000000FB0000-0x0000000001086000-memory.dmp	dcrat

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	chaindhcp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	3ce1f92e5a13d2d381d630bd5a5b258f7838147f1f88d679a98a40030976aa75.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 2 IoCs

pid	Process
3880	chaindhcp.exe
4092	sysmon.exe

Drops file in Program Files directory 17 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\swidtag\9e8d7a4ca61bd9	chaindhcp.exe
File created	C:\Program Files (x86)\Windows Mail\886983d96e3d3e	chaindhcp.exe
File created	C:\Program Files\Windows Portable Devices\ea9f0e6c9e2dcd	chaindhcp.exe
File created	C:\Program Files (x86)\Windows Mail\conhost.exe	chaindhcp.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\088424020bedd6	chaindhcp.exe
File created	C:\Program Files\Windows NT\Accessories\smss.exe	chaindhcp.exe
File created	C:\Program Files (x86)\Microsoft\Temp\RuntimeBroker.exe	chaindhcp.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\conhost.exe	chaindhcp.exe
File created	C:\Program Files\dotnet\swidtag\RuntimeBroker.exe	chaindhcp.exe
File created	C:\Program Files (x86)\Microsoft.NET\winlogon.exe	chaindhcp.exe
File created	C:\Program Files (x86)\Microsoft.NET\cc11b995f2a76d	chaindhcp.exe
File created	C:\Program Files (x86)\Windows Mail\csrss.exe	chaindhcp.exe
File created	C:\Program Files (x86)\Windows Mail\088424020bedd6	chaindhcp.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\winlogon.exe	chaindhcp.exe
File created	C:\Program Files\Windows NT\Accessories\69ddcba757bf72	chaindhcp.exe
File created	C:\Program Files\Windows Portable Devices\taskhostw.exe	chaindhcp.exe
File created	C:\Program Files (x86)\Microsoft\Temp\9e8d7a4ca61bd9	chaindhcp.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\LanguageOverlayCache\sihost.exe	chaindhcp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 39 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4332	schtasks.exe
2844	schtasks.exe
3644	schtasks.exe
2412	schtasks.exe
4124	schtasks.exe
1208	schtasks.exe
2904	schtasks.exe
3840	schtasks.exe
4772	schtasks.exe
3120	schtasks.exe
4324	schtasks.exe
1724	schtasks.exe
4736	schtasks.exe
4000	schtasks.exe
3992	schtasks.exe
2364	schtasks.exe
4488	schtasks.exe
4652	schtasks.exe
3604	schtasks.exe
4060	schtasks.exe
456	schtasks.exe
4556	schtasks.exe
2076	schtasks.exe
760	schtasks.exe
4380	schtasks.exe
4860	schtasks.exe
640	schtasks.exe
2260	schtasks.exe
416	schtasks.exe
3912	schtasks.exe
1640	schtasks.exe
2236	schtasks.exe
4568	schtasks.exe
4024	schtasks.exe
2912	schtasks.exe
32	schtasks.exe
4900	schtasks.exe
680	schtasks.exe
5016	schtasks.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	3ce1f92e5a13d2d381d630bd5a5b258f7838147f1f88d679a98a40030976aa75.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
3880	chaindhcp.exe
3880	chaindhcp.exe
3880	chaindhcp.exe
3880	chaindhcp.exe
3880	chaindhcp.exe
3880	chaindhcp.exe
3880	chaindhcp.exe
3880	chaindhcp.exe
3880	chaindhcp.exe
3880	chaindhcp.exe
3880	chaindhcp.exe
4092	sysmon.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3880	chaindhcp.exe
Token: SeDebugPrivilege	4092	sysmon.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2844 wrote to memory of 1368	2844	3ce1f92e5a13d2d381d630bd5a5b258f7838147f1f88d679a98a40030976aa75.exe	83
PID 2844 wrote to memory of 1368	2844	3ce1f92e5a13d2d381d630bd5a5b258f7838147f1f88d679a98a40030976aa75.exe	83
PID 2844 wrote to memory of 1368	2844	3ce1f92e5a13d2d381d630bd5a5b258f7838147f1f88d679a98a40030976aa75.exe	83
PID 1368 wrote to memory of 4400	1368	WScript.exe	94
PID 1368 wrote to memory of 4400	1368	WScript.exe	94
PID 1368 wrote to memory of 4400	1368	WScript.exe	94
PID 4400 wrote to memory of 3880	4400	cmd.exe	96
PID 4400 wrote to memory of 3880	4400	cmd.exe	96
PID 3880 wrote to memory of 4092	3880	chaindhcp.exe	137
PID 3880 wrote to memory of 4092	3880	chaindhcp.exe	137

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\3ce1f92e5a13d2d381d630bd5a5b258f7838147f1f88d679a98a40030976aa75.exe
"C:\Users\Admin\AppData\Local\Temp\3ce1f92e5a13d2d381d630bd5a5b258f7838147f1f88d679a98a40030976aa75.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2844
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\BlockagentServernetcommon\dWMX88gCACXoKvtETHr5LRHJRP.vbe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:1368
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\BlockagentServernetcommon\iMMFNCJn73wO9QJjxuedDCGIZ.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4400
  - - C:\BlockagentServernetcommon\chaindhcp.exe
      "C:\BlockagentServernetcommon\chaindhcp.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3880
    - - C:\Recovery\WindowsRE\sysmon.exe
        
        "C:\Recovery\WindowsRE\sysmon.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft.NET\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft.NET\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows NT\Accessories\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows NT\Accessories\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Users\Public\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Public\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Users\Public\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\BlockagentServernetcommon\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\BlockagentServernetcommon\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\BlockagentServernetcommon\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Mail\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Mail\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Portable Devices\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Portable Devices\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 10 /tr "'C:\BlockagentServernetcommon\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\BlockagentServernetcommon\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 13 /tr "'C:\BlockagentServernetcommon\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Desktop\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Default\Desktop\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Desktop\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft\Temp\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\Temp\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft\Temp\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Mail\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Mail\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:32

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Program Files\Java\jdk-1.8\legal\jdk\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Java\jdk-1.8\legal\jdk\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Java\jdk-1.8\legal\jdk\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Program Files\dotnet\swidtag\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\dotnet\swidtag\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Program Files\dotnet\swidtag\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\BlockagentServernetcommon\chaindhcp.exe

Filesize
828KB

MD5
64bce0f72bd60afa24806c4e8184ba5d

SHA1
633df6157e70b70a4606e3f9f63fdc9db17dba14

SHA256
ce9beff66fd8ae2b916b2490e5c8da04c4316f98de24304c56417ea0bfd28451

SHA512
efeb232f08d86465cf88d2050e3e52818b877621d29b9bb1eab8f44238ef02b7495bb11910ed1709b8058d104269e05d0e31557f4bbe1afc0ba0bf3baf8f5191

Download Submit
C:\BlockagentServernetcommon\dWMX88gCACXoKvtETHr5LRHJRP.vbe

Filesize
227B

MD5
d40a0d6875e6223f9e5c4c9613c975b4

SHA1
c605b32b588597dce9916053944eccef138d3b6e

SHA256
2304bdc77b852533e29614bd26e244c64fee9c2e9c5ea2a8c4e4579fd8ade547

SHA512
2e2570f2d0af1fde57fd7ef1812981e75daed6a906f2a359e89713dabf2df204b4788c76adcdaca8bb9f3046a3ee9cf5731bc84105ce82af17953c7f7197ff78

Download Submit
C:\BlockagentServernetcommon\iMMFNCJn73wO9QJjxuedDCGIZ.bat

Filesize
44B

MD5
eb6b7f7bea1252f5f5bfcc2c9e0164e5

SHA1
ec7bfe67793b4b3f4842334e9476a5e9a2f95688

SHA256
31f24dac6e2778c338307d6ccdf2e7e8b8626266bfef12af006b20b4a27c05af

SHA512
02807c217a7e93cdfd7cb60c0bf9110ef7585b0d1843599bc3c4537481ebfe942f3f41b9b71c4aa26b2f4ef5619338d81f0474a387c859942e5814d49f8f3939

Download Submit
memory/3880-12-0x00007FFE96CF3000-0x00007FFE96CF5000-memory.dmp

Filesize
8KB

Download
memory/3880-13-0x0000000000FB0000-0x0000000001086000-memory.dmp

Filesize
856KB

Download