Malware Analysis Report

2024-10-10 13:00

Sample ID: 240619-t2s19atdjb
Target: Desktop.exe
SHA256: eb02a5967a610b6c1f6c4070426bfae82286404b0c12120c4538f6616046ac82
Tags: dcrat infostealer persistence rat spyware stealer
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: eb02a5967a610b6c1f6c4070426bfae82286404b0c12120c4538f6616046ac82

Threat Level: Known bad

The file Desktop.exe was found to be: Known bad.

Malicious Activity Summary

dcrat infostealer persistence rat spyware stealer

DcRat

Process spawned unexpected child process

Modifies WinLogon for persistence

DCRat payload

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Reads user/profile data of web browsers

Adds Run key to start application

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Suspicious behavior: GetForegroundWindowSpam

Scheduled Task/Job: Scheduled Task

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-06-19 16:33

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-19 16:33
Reported: 2024-06-19 16:38
Platform: win7-20240508-en
Max time kernel: 120s
Max time network: 120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Desktop.exe"

Signatures

DcRat

rat infostealer dcrat
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\50341a82-0d88-11ef-8a7e-5aba25856535\\explorer.exe\", \"C:\\Program Files\\Windows Mail\\fr-FR\\System.exe\", \"C:\\Program Files\\Mozilla Firefox\\defaults\\pref\\Idle.exe\", \"C:\\Windows\\PCHEALTH\\ERRORREP\\QSIGNOFF\\winlogon.exe\", \"C:\\Program Files\\Google\\Chrome\\Application\\SetupMetrics\\sppsvc.exe\", \"C:\\blockComagentCommon\\audiodg.exe\", \"C:\\Users\\Default\\Links\\cmd.exe\", \"C:\\Program Files (x86)\\Windows Defender\\de-DE\\conhost.exe\", \"C:\\Users\\Public\\Videos\\Sample Videos\\sppsvc.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\lsm.exe\", \"C:\\blockComagentCommon\\audiodg.exe\", \"C:\\blockComagentCommon\\dwm.exe\", \"C:\\Users\\Default\\cmd.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\it-IT\\services.exe\", \"C:\\Windows\\Panther\\UnattendGC\\taskhost.exe\"" C:\blockComagentCommon\bridgehypercom.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\50341a82-0d88-11ef-8a7e-5aba25856535\\explorer.exe\", \"C:\\Program Files\\Windows Mail\\fr-FR\\System.exe\", \"C:\\Program Files\\Mozilla Firefox\\defaults\\pref\\Idle.exe\", \"C:\\Windows\\PCHEALTH\\ERRORREP\\QSIGNOFF\\winlogon.exe\", \"C:\\Program Files\\Google\\Chrome\\Application\\SetupMetrics\\sppsvc.exe\", \"C:\\blockComagentCommon\\audiodg.exe\", \"C:\\Users\\Default\\Links\\cmd.exe\", \"C:\\Program Files (x86)\\Windows Defender\\de-DE\\conhost.exe\", \"C:\\Users\\Public\\Videos\\Sample Videos\\sppsvc.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\lsm.exe\", \"C:\\blockComagentCommon\\audiodg.exe\"" C:\blockComagentCommon\bridgehypercom.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\50341a82-0d88-11ef-8a7e-5aba25856535\\explorer.exe\", \"C:\\Program Files\\Windows Mail\\fr-FR\\System.exe\", \"C:\\Program Files\\Mozilla Firefox\\defaults\\pref\\Idle.exe\", \"C:\\Windows\\PCHEALTH\\ERRORREP\\QSIGNOFF\\winlogon.exe\", \"C:\\Program Files\\Google\\Chrome\\Application\\SetupMetrics\\sppsvc.exe\", \"C:\\blockComagentCommon\\audiodg.exe\", \"C:\\Users\\Default\\Links\\cmd.exe\", \"C:\\Program Files (x86)\\Windows Defender\\de-DE\\conhost.exe\", \"C:\\Users\\Public\\Videos\\Sample Videos\\sppsvc.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\lsm.exe\", \"C:\\blockComagentCommon\\audiodg.exe\", \"C:\\blockComagentCommon\\dwm.exe\"" C:\blockComagentCommon\bridgehypercom.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\50341a82-0d88-11ef-8a7e-5aba25856535\\explorer.exe\", \"C:\\Program Files\\Windows Mail\\fr-FR\\System.exe\", \"C:\\Program Files\\Mozilla Firefox\\defaults\\pref\\Idle.exe\", \"C:\\Windows\\PCHEALTH\\ERRORREP\\QSIGNOFF\\winlogon.exe\"" C:\blockComagentCommon\bridgehypercom.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\50341a82-0d88-11ef-8a7e-5aba25856535\\explorer.exe\", \"C:\\Program Files\\Windows Mail\\fr-FR\\System.exe\", \"C:\\Program Files\\Mozilla Firefox\\defaults\\pref\\Idle.exe\", \"C:\\Windows\\PCHEALTH\\ERRORREP\\QSIGNOFF\\winlogon.exe\", \"C:\\Program Files\\Google\\Chrome\\Application\\SetupMetrics\\sppsvc.exe\"" C:\blockComagentCommon\bridgehypercom.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\50341a82-0d88-11ef-8a7e-5aba25856535\\explorer.exe\", \"C:\\Program Files\\Windows Mail\\fr-FR\\System.exe\", \"C:\\Program Files\\Mozilla Firefox\\defaults\\pref\\Idle.exe\", \"C:\\Windows\\PCHEALTH\\ERRORREP\\QSIGNOFF\\winlogon.exe\", \"C:\\Program Files\\Google\\Chrome\\Application\\SetupMetrics\\sppsvc.exe\", \"C:\\blockComagentCommon\\audiodg.exe\", \"C:\\Users\\Default\\Links\\cmd.exe\", \"C:\\Program Files (x86)\\Windows Defender\\de-DE\\conhost.exe\", \"C:\\Users\\Public\\Videos\\Sample Videos\\sppsvc.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\lsm.exe\"" C:\blockComagentCommon\bridgehypercom.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\50341a82-0d88-11ef-8a7e-5aba25856535\\explorer.exe\", \"C:\\Program Files\\Windows Mail\\fr-FR\\System.exe\", \"C:\\Program Files\\Mozilla Firefox\\defaults\\pref\\Idle.exe\", \"C:\\Windows\\PCHEALTH\\ERRORREP\\QSIGNOFF\\winlogon.exe\", \"C:\\Program Files\\Google\\Chrome\\Application\\SetupMetrics\\sppsvc.exe\", \"C:\\blockComagentCommon\\audiodg.exe\", \"C:\\Users\\Default\\Links\\cmd.exe\", \"C:\\Program Files (x86)\\Windows Defender\\de-DE\\conhost.exe\", \"C:\\Users\\Public\\Videos\\Sample Videos\\sppsvc.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\lsm.exe\", \"C:\\blockComagentCommon\\audiodg.exe\", \"C:\\blockComagentCommon\\dwm.exe\", \"C:\\Users\\Default\\cmd.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\it-IT\\services.exe\"" C:\blockComagentCommon\bridgehypercom.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\50341a82-0d88-11ef-8a7e-5aba25856535\\explorer.exe\"" C:\blockComagentCommon\bridgehypercom.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\50341a82-0d88-11ef-8a7e-5aba25856535\\explorer.exe\", \"C:\\Program Files\\Windows Mail\\fr-FR\\System.exe\", \"C:\\Program Files\\Mozilla Firefox\\defaults\\pref\\Idle.exe\"" C:\blockComagentCommon\bridgehypercom.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\50341a82-0d88-11ef-8a7e-5aba25856535\\explorer.exe\", \"C:\\Program Files\\Windows Mail\\fr-FR\\System.exe\", \"C:\\Program Files\\Mozilla Firefox\\defaults\\pref\\Idle.exe\", \"C:\\Windows\\PCHEALTH\\ERRORREP\\QSIGNOFF\\winlogon.exe\", \"C:\\Program Files\\Google\\Chrome\\Application\\SetupMetrics\\sppsvc.exe\", \"C:\\blockComagentCommon\\audiodg.exe\", \"C:\\Users\\Default\\Links\\cmd.exe\"" C:\blockComagentCommon\bridgehypercom.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\50341a82-0d88-11ef-8a7e-5aba25856535\\explorer.exe\", \"C:\\Program Files\\Windows Mail\\fr-FR\\System.exe\", \"C:\\Program Files\\Mozilla Firefox\\defaults\\pref\\Idle.exe\", \"C:\\Windows\\PCHEALTH\\ERRORREP\\QSIGNOFF\\winlogon.exe\", \"C:\\Program Files\\Google\\Chrome\\Application\\SetupMetrics\\sppsvc.exe\", \"C:\\blockComagentCommon\\audiodg.exe\", \"C:\\Users\\Default\\Links\\cmd.exe\", \"C:\\Program Files (x86)\\Windows Defender\\de-DE\\conhost.exe\"" C:\blockComagentCommon\bridgehypercom.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\50341a82-0d88-11ef-8a7e-5aba25856535\\explorer.exe\", \"C:\\Program Files\\Windows Mail\\fr-FR\\System.exe\", \"C:\\Program Files\\Mozilla Firefox\\defaults\\pref\\Idle.exe\", \"C:\\Windows\\PCHEALTH\\ERRORREP\\QSIGNOFF\\winlogon.exe\", \"C:\\Program Files\\Google\\Chrome\\Application\\SetupMetrics\\sppsvc.exe\", \"C:\\blockComagentCommon\\audiodg.exe\", \"C:\\Users\\Default\\Links\\cmd.exe\", \"C:\\Program Files (x86)\\Windows Defender\\de-DE\\conhost.exe\", \"C:\\Users\\Public\\Videos\\Sample Videos\\sppsvc.exe\"" C:\blockComagentCommon\bridgehypercom.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\50341a82-0d88-11ef-8a7e-5aba25856535\\explorer.exe\", \"C:\\Program Files\\Windows Mail\\fr-FR\\System.exe\", \"C:\\Program Files\\Mozilla Firefox\\defaults\\pref\\Idle.exe\", \"C:\\Windows\\PCHEALTH\\ERRORREP\\QSIGNOFF\\winlogon.exe\", \"C:\\Program Files\\Google\\Chrome\\Application\\SetupMetrics\\sppsvc.exe\", \"C:\\blockComagentCommon\\audiodg.exe\", \"C:\\Users\\Default\\Links\\cmd.exe\", \"C:\\Program Files (x86)\\Windows Defender\\de-DE\\conhost.exe\", \"C:\\Users\\Public\\Videos\\Sample Videos\\sppsvc.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\lsm.exe\", \"C:\\blockComagentCommon\\audiodg.exe\", \"C:\\blockComagentCommon\\dwm.exe\", \"C:\\Users\\Default\\cmd.exe\"" C:\blockComagentCommon\bridgehypercom.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\50341a82-0d88-11ef-8a7e-5aba25856535\\explorer.exe\", \"C:\\Program Files\\Windows Mail\\fr-FR\\System.exe\", \"C:\\Program Files\\Mozilla Firefox\\defaults\\pref\\Idle.exe\", \"C:\\Windows\\PCHEALTH\\ERRORREP\\QSIGNOFF\\winlogon.exe\", \"C:\\Program Files\\Google\\Chrome\\Application\\SetupMetrics\\sppsvc.exe\", \"C:\\blockComagentCommon\\audiodg.exe\", \"C:\\Users\\Default\\Links\\cmd.exe\", \"C:\\Program Files (x86)\\Windows Defender\\de-DE\\conhost.exe\", \"C:\\Users\\Public\\Videos\\Sample Videos\\sppsvc.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\lsm.exe\", \"C:\\blockComagentCommon\\audiodg.exe\", \"C:\\blockComagentCommon\\dwm.exe\", \"C:\\Users\\Default\\cmd.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\it-IT\\services.exe\", \"C:\\Windows\\Panther\\UnattendGC\\taskhost.exe\", \"C:\\Windows\\SoftwareDistribution\\ScanFile\\sppsvc.exe\"" C:\blockComagentCommon\bridgehypercom.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\50341a82-0d88-11ef-8a7e-5aba25856535\\explorer.exe\", \"C:\\Program Files\\Windows Mail\\fr-FR\\System.exe\", \"C:\\Program Files\\Mozilla Firefox\\defaults\\pref\\Idle.exe\", \"C:\\Windows\\PCHEALTH\\ERRORREP\\QSIGNOFF\\winlogon.exe\", \"C:\\Program Files\\Google\\Chrome\\Application\\SetupMetrics\\sppsvc.exe\", \"C:\\blockComagentCommon\\audiodg.exe\", \"C:\\Users\\Default\\Links\\cmd.exe\", \"C:\\Program Files (x86)\\Windows Defender\\de-DE\\conhost.exe\", \"C:\\Users\\Public\\Videos\\Sample Videos\\sppsvc.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\lsm.exe\", \"C:\\blockComagentCommon\\audiodg.exe\", \"C:\\blockComagentCommon\\dwm.exe\", \"C:\\Users\\Default\\cmd.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\it-IT\\services.exe\", \"C:\\Windows\\Panther\\UnattendGC\\taskhost.exe\", \"C:\\Windows\\SoftwareDistribution\\ScanFile\\sppsvc.exe\", \"C:\\Recovery\\50341a82-0d88-11ef-8a7e-5aba25856535\\smss.exe\"" C:\blockComagentCommon\bridgehypercom.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\50341a82-0d88-11ef-8a7e-5aba25856535\\explorer.exe\", \"C:\\Program Files\\Windows Mail\\fr-FR\\System.exe\"" C:\blockComagentCommon\bridgehypercom.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\50341a82-0d88-11ef-8a7e-5aba25856535\\explorer.exe\", \"C:\\Program Files\\Windows Mail\\fr-FR\\System.exe\", \"C:\\Program Files\\Mozilla Firefox\\defaults\\pref\\Idle.exe\", \"C:\\Windows\\PCHEALTH\\ERRORREP\\QSIGNOFF\\winlogon.exe\", \"C:\\Program Files\\Google\\Chrome\\Application\\SetupMetrics\\sppsvc.exe\", \"C:\\blockComagentCommon\\audiodg.exe\"" C:\blockComagentCommon\bridgehypercom.exe N/A

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\DCRatBuild_protected.exe N/A
N/A N/A C:\blockComagentCommon\bridgehypercom.exe N/A
N/A N/A C:\Users\Default\cmd.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Windows\\Panther\\UnattendGC\\taskhost.exe\"" C:\blockComagentCommon\bridgehypercom.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Windows\\SoftwareDistribution\\ScanFile\\sppsvc.exe\"" C:\blockComagentCommon\bridgehypercom.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Recovery\\50341a82-0d88-11ef-8a7e-5aba25856535\\smss.exe\"" C:\blockComagentCommon\bridgehypercom.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Program Files\\Windows Mail\\fr-FR\\System.exe\"" C:\blockComagentCommon\bridgehypercom.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\lsm.exe\"" C:\blockComagentCommon\bridgehypercom.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Users\\Default\\cmd.exe\"" C:\blockComagentCommon\bridgehypercom.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\lsm.exe\"" C:\blockComagentCommon\bridgehypercom.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\blockComagentCommon\\dwm.exe\"" C:\blockComagentCommon\bridgehypercom.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Windows\\SoftwareDistribution\\ScanFile\\sppsvc.exe\"" C:\blockComagentCommon\bridgehypercom.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Recovery\\50341a82-0d88-11ef-8a7e-5aba25856535\\smss.exe\"" C:\blockComagentCommon\bridgehypercom.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Recovery\\50341a82-0d88-11ef-8a7e-5aba25856535\\explorer.exe\"" C:\blockComagentCommon\bridgehypercom.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\PCHEALTH\\ERRORREP\\QSIGNOFF\\winlogon.exe\"" C:\blockComagentCommon\bridgehypercom.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\blockComagentCommon\\audiodg.exe\"" C:\blockComagentCommon\bridgehypercom.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Users\\Default\\Links\\cmd.exe\"" C:\blockComagentCommon\bridgehypercom.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Program Files (x86)\\Windows Defender\\de-DE\\conhost.exe\"" C:\blockComagentCommon\bridgehypercom.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Users\\Public\\Videos\\Sample Videos\\sppsvc.exe\"" C:\blockComagentCommon\bridgehypercom.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Users\\Default\\cmd.exe\"" C:\blockComagentCommon\bridgehypercom.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files (x86)\\Internet Explorer\\it-IT\\services.exe\"" C:\blockComagentCommon\bridgehypercom.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Program Files\\Mozilla Firefox\\defaults\\pref\\Idle.exe\"" C:\blockComagentCommon\bridgehypercom.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\PCHEALTH\\ERRORREP\\QSIGNOFF\\winlogon.exe\"" C:\blockComagentCommon\bridgehypercom.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Program Files\\Google\\Chrome\\Application\\SetupMetrics\\sppsvc.exe\"" C:\blockComagentCommon\bridgehypercom.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Program Files (x86)\\Windows Defender\\de-DE\\conhost.exe\"" C:\blockComagentCommon\bridgehypercom.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\blockComagentCommon\\dwm.exe\"" C:\blockComagentCommon\bridgehypercom.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files (x86)\\Internet Explorer\\it-IT\\services.exe\"" C:\blockComagentCommon\bridgehypercom.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Recovery\\50341a82-0d88-11ef-8a7e-5aba25856535\\explorer.exe\"" C:\blockComagentCommon\bridgehypercom.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Program Files\\Google\\Chrome\\Application\\SetupMetrics\\sppsvc.exe\"" C:\blockComagentCommon\bridgehypercom.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Program Files\\Windows Mail\\fr-FR\\System.exe\"" C:\blockComagentCommon\bridgehypercom.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Program Files\\Mozilla Firefox\\defaults\\pref\\Idle.exe\"" C:\blockComagentCommon\bridgehypercom.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\blockComagentCommon\\audiodg.exe\"" C:\blockComagentCommon\bridgehypercom.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Users\\Default\\Links\\cmd.exe\"" C:\blockComagentCommon\bridgehypercom.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Users\\Public\\Videos\\Sample Videos\\sppsvc.exe\"" C:\blockComagentCommon\bridgehypercom.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Windows\\Panther\\UnattendGC\\taskhost.exe\"" C:\blockComagentCommon\bridgehypercom.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\DCRatBuild_protected.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Windows Mail\fr-FR\System.exe C:\blockComagentCommon\bridgehypercom.exe N/A
File created C:\Program Files\Windows Mail\fr-FR\27d1bcfc3c54e0 C:\blockComagentCommon\bridgehypercom.exe N/A
File created C:\Program Files\Mozilla Firefox\defaults\pref\6ccacd8608530f C:\blockComagentCommon\bridgehypercom.exe N/A
File created C:\Program Files (x86)\Windows Defender\de-DE\088424020bedd6 C:\blockComagentCommon\bridgehypercom.exe N/A
File created C:\Program Files (x86)\Microsoft.NET\RedistList\101b941d020240 C:\blockComagentCommon\bridgehypercom.exe N/A
File created C:\Program Files (x86)\Internet Explorer\it-IT\services.exe C:\blockComagentCommon\bridgehypercom.exe N/A
File created C:\Program Files\Mozilla Firefox\defaults\pref\Idle.exe C:\blockComagentCommon\bridgehypercom.exe N/A
File created C:\Program Files (x86)\Windows Defender\de-DE\conhost.exe C:\blockComagentCommon\bridgehypercom.exe N/A
File created C:\Program Files (x86)\Microsoft.NET\RedistList\lsm.exe C:\blockComagentCommon\bridgehypercom.exe N/A
File created C:\Program Files (x86)\Internet Explorer\it-IT\c5b4cb5e9653cc C:\blockComagentCommon\bridgehypercom.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\winlogon.exe C:\blockComagentCommon\bridgehypercom.exe N/A
File created C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\cc11b995f2a76d C:\blockComagentCommon\bridgehypercom.exe N/A
File created C:\Windows\Panther\UnattendGC\taskhost.exe C:\blockComagentCommon\bridgehypercom.exe N/A
File created C:\Windows\Panther\UnattendGC\b75386f1303e64 C:\blockComagentCommon\bridgehypercom.exe N/A
File created C:\Windows\SoftwareDistribution\ScanFile\sppsvc.exe C:\blockComagentCommon\bridgehypercom.exe N/A
File created C:\Windows\SoftwareDistribution\ScanFile\0a1fd5f707cd16 C:\blockComagentCommon\bridgehypercom.exe N/A

Enumerates physical storage devices

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\blockComagentCommon\bridgehypercom.exe N/A
N/A N/A C:\Users\Default\cmd.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\blockComagentCommon\bridgehypercom.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default\cmd.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\DCRatBuild_protected.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 848 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\Desktop.exe C:\Users\Admin\AppData\Roaming\DCRatBuild_protected.exe
PID 848 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\Desktop.exe C:\Users\Admin\AppData\Roaming\DCRatBuild_protected.exe
PID 848 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\Desktop.exe C:\Users\Admin\AppData\Roaming\DCRatBuild_protected.exe
PID 848 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\Desktop.exe C:\Users\Admin\AppData\Roaming\DCRatBuild_protected.exe
PID 1724 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Roaming\DCRatBuild_protected.exe C:\Windows\SysWOW64\WScript.exe
PID 1724 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Roaming\DCRatBuild_protected.exe C:\Windows\SysWOW64\WScript.exe
PID 1724 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Roaming\DCRatBuild_protected.exe C:\Windows\SysWOW64\WScript.exe
PID 1724 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Roaming\DCRatBuild_protected.exe C:\Windows\SysWOW64\WScript.exe
PID 2928 wrote to memory of 804 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2928 wrote to memory of 804 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2928 wrote to memory of 804 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2928 wrote to memory of 804 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 804 wrote to memory of 2488 N/A C:\Windows\SysWOW64\cmd.exe C:\blockComagentCommon\bridgehypercom.exe
PID 804 wrote to memory of 2488 N/A C:\Windows\SysWOW64\cmd.exe C:\blockComagentCommon\bridgehypercom.exe
PID 804 wrote to memory of 2488 N/A C:\Windows\SysWOW64\cmd.exe C:\blockComagentCommon\bridgehypercom.exe
PID 804 wrote to memory of 2488 N/A C:\Windows\SysWOW64\cmd.exe C:\blockComagentCommon\bridgehypercom.exe
PID 2488 wrote to memory of 2564 N/A C:\blockComagentCommon\bridgehypercom.exe C:\Users\Default\cmd.exe
PID 2488 wrote to memory of 2564 N/A C:\blockComagentCommon\bridgehypercom.exe C:\Users\Default\cmd.exe
PID 2488 wrote to memory of 2564 N/A C:\blockComagentCommon\bridgehypercom.exe C:\Users\Default\cmd.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\Desktop.exe

"C:\Users\Admin\AppData\Local\Temp\Desktop.exe"

C:\Users\Admin\AppData\Roaming\DCRatBuild_protected.exe

"C:\Users\Admin\AppData\Roaming\DCRatBuild_protected.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\blockComagentCommon\XXy2W.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\blockComagentCommon\0xQrS65tkQIWur3PmtNOw.bat" "

C:\blockComagentCommon\bridgehypercom.exe

"C:\blockComagentCommon\bridgehypercom.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Mail\fr-FR\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\fr-FR\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Mail\fr-FR\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Program Files\Mozilla Firefox\defaults\pref\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\defaults\pref\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Program Files\Mozilla Firefox\defaults\pref\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\blockComagentCommon\audiodg.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\blockComagentCommon\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\blockComagentCommon\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Links\cmd.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\Default\Links\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Links\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Defender\de-DE\conhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\de-DE\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Defender\de-DE\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Videos\Sample Videos\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Public\Videos\Sample Videos\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Videos\Sample Videos\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\lsm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\blockComagentCommon\audiodg.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\blockComagentCommon\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\blockComagentCommon\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\blockComagentCommon\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\blockComagentCommon\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\blockComagentCommon\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Users\Default\cmd.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\Default\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\Users\Default\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Windows\Panther\UnattendGC\taskhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\Panther\UnattendGC\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Windows\Panther\UnattendGC\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Windows\SoftwareDistribution\ScanFile\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\SoftwareDistribution\ScanFile\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Windows\SoftwareDistribution\ScanFile\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\smss.exe'" /rl HIGHEST /f

C:\Users\Default\cmd.exe

"C:\Users\Default\cmd.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 a0997784.xsph.ru udp
US 8.8.8.8:53 a0997784.xsph.ru udp

Files

\Users\Admin\AppData\Roaming\DCRatBuild_protected.exe

MD5 64ed6494574d0ba822e98074dabda896
SHA1 6e845b1a861ca646e3313376bf87c429f84a991e
SHA256 18fdd096e9679a79cd0bd34094861950354f8e26d890458ecc944aab966c2473
SHA512 5f67126746c522e2d73dccf194aa04eb3a5a896a9e7ea69cfe263dc8eaf05c5685353b02c06b7609456bc81ce580b8eaa16b4393632f74fbe93b1afae66928b9

memory/848-8-0x0000000003CB0000-0x00000000040B2000-memory.dmp

memory/1724-16-0x0000000000A40000-0x0000000000E42000-memory.dmp

memory/1724-26-0x0000000000A40000-0x0000000000E42000-memory.dmp

C:\blockComagentCommon\XXy2W.vbe

MD5 ee52ea71feea8207e6afa75e86438d08
SHA1 8c833feedc8ac64a1424e663eb3dbb2013ba6142
SHA256 b482dc0529de14c5771702f8b4bdcc5a256c26611a84b569e4a997b466637b0d
SHA512 b09342f5caa69c1bf9481d9fc2284379626f6d2c3131d763d3a2198ccb0ddc5caf3a4f464a150cd9b0ebfc9b9c7aa1689af9000e14eaace36fe5247152ebc1c4

C:\blockComagentCommon\0xQrS65tkQIWur3PmtNOw.bat

MD5 ec36e67c09c4a57473bdb8237c55d18b
SHA1 03793c2750fca27259996873fb22c26ce8868cd1
SHA256 cc2d6e7836cc1772f50b3b10b0514139b5ecd5d3270607b60a1713b383f3c03f
SHA512 97bbdc60b22d2710a8b63108b544db7cb0c5da995334ad44ee347dbb84e0482e42ccee1d6881eec61cf6648e5c1e950450e828af85ffeed40b7778c26c1cf52c

\blockComagentCommon\bridgehypercom.exe

MD5 33776154d16b2ab16c0dc64063eecab0
SHA1 3a28e93ed82b8cc4081ec29abbb83fa35c25d9f4
SHA256 c093b10412252d75b8da533e378a0766d7e7db00db41d5c0f4794ed0ef95a863
SHA512 2c67ca3b79deb45ed0917390c2c226dc804ebd6548b2feff38457161312561cad8e7729796053269ce24d9f08ac25cfe6aaff82efd1c7e2766158eb732ec2869

memory/2488-33-0x00000000009E0000-0x0000000000B12000-memory.dmp

memory/2488-34-0x0000000000140000-0x000000000015C000-memory.dmp

memory/2488-35-0x0000000000160000-0x0000000000176000-memory.dmp

memory/2488-36-0x0000000000180000-0x000000000018C000-memory.dmp

memory/2564-77-0x0000000000810000-0x0000000000942000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-19 16:33

Reported

2024-06-19 16:38

Platform

win10v2004-20240611-en

Max time kernel

193s

Max time network

297s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Desktop.exe"

Signatures

DcRat

rat infostealer dcrat
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Desktop.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
File created C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\5940a34987c991 C:\blockComagentCommon\bridgehypercom.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\dllhost.exe\", \"C:\\Windows\\DiagTrack\\Settings\\MoUsoCoreWorker.exe\", \"C:\\Windows\\tracing\\RuntimeBroker.exe\", \"C:\\Windows\\Provisioning\\Autopilot\\sihost.exe\", \"C:\\Users\\Admin\\AppData\\LocalLow\\Adobe\\AcroCef\\dllhost.exe\"" C:\blockComagentCommon\bridgehypercom.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\dllhost.exe\", \"C:\\Windows\\DiagTrack\\Settings\\MoUsoCoreWorker.exe\", \"C:\\Windows\\tracing\\RuntimeBroker.exe\", \"C:\\Windows\\Provisioning\\Autopilot\\sihost.exe\", \"C:\\Users\\Admin\\AppData\\LocalLow\\Adobe\\AcroCef\\dllhost.exe\", \"C:\\Windows\\Fonts\\dllhost.exe\"" C:\blockComagentCommon\bridgehypercom.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\dllhost.exe\", \"C:\\Windows\\DiagTrack\\Settings\\MoUsoCoreWorker.exe\", \"C:\\Windows\\tracing\\RuntimeBroker.exe\", \"C:\\Windows\\Provisioning\\Autopilot\\sihost.exe\", \"C:\\Users\\Admin\\AppData\\LocalLow\\Adobe\\AcroCef\\dllhost.exe\", \"C:\\Windows\\Fonts\\dllhost.exe\", \"C:\\Windows\\twain_32\\csrss.exe\"" C:\blockComagentCommon\bridgehypercom.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\dllhost.exe\", \"C:\\Windows\\DiagTrack\\Settings\\MoUsoCoreWorker.exe\", \"C:\\Windows\\tracing\\RuntimeBroker.exe\", \"C:\\Windows\\Provisioning\\Autopilot\\sihost.exe\", \"C:\\Users\\Admin\\AppData\\LocalLow\\Adobe\\AcroCef\\dllhost.exe\", \"C:\\Windows\\Fonts\\dllhost.exe\", \"C:\\Windows\\twain_32\\csrss.exe\", \"C:\\Program Files\\7-Zip\\Lang\\Idle.exe\"" C:\blockComagentCommon\bridgehypercom.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\dllhost.exe\", \"C:\\Windows\\DiagTrack\\Settings\\MoUsoCoreWorker.exe\", \"C:\\Windows\\tracing\\RuntimeBroker.exe\", \"C:\\Windows\\Provisioning\\Autopilot\\sihost.exe\", \"C:\\Users\\Admin\\AppData\\LocalLow\\Adobe\\AcroCef\\dllhost.exe\", \"C:\\Windows\\Fonts\\dllhost.exe\", \"C:\\Windows\\twain_32\\csrss.exe\", \"C:\\Program Files\\7-Zip\\Lang\\Idle.exe\", \"C:\\Users\\Public\\Videos\\winlogon.exe\", \"C:\\Program Files\\Microsoft Office\\RuntimeBroker.exe\", \"C:\\blockComagentCommon\\taskhostw.exe\"" C:\blockComagentCommon\bridgehypercom.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\dllhost.exe\", \"C:\\Windows\\DiagTrack\\Settings\\MoUsoCoreWorker.exe\", \"C:\\Windows\\tracing\\RuntimeBroker.exe\", \"C:\\Windows\\Provisioning\\Autopilot\\sihost.exe\", \"C:\\Users\\Admin\\AppData\\LocalLow\\Adobe\\AcroCef\\dllhost.exe\", \"C:\\Windows\\Fonts\\dllhost.exe\", \"C:\\Windows\\twain_32\\csrss.exe\", \"C:\\Program Files\\7-Zip\\Lang\\Idle.exe\", \"C:\\Users\\Public\\Videos\\winlogon.exe\", \"C:\\Program Files\\Microsoft Office\\RuntimeBroker.exe\"" C:\blockComagentCommon\bridgehypercom.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\dllhost.exe\"" C:\blockComagentCommon\bridgehypercom.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\dllhost.exe\", \"C:\\Windows\\DiagTrack\\Settings\\MoUsoCoreWorker.exe\"" C:\blockComagentCommon\bridgehypercom.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\dllhost.exe\", \"C:\\Windows\\DiagTrack\\Settings\\MoUsoCoreWorker.exe\", \"C:\\Windows\\tracing\\RuntimeBroker.exe\"" C:\blockComagentCommon\bridgehypercom.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\dllhost.exe\", \"C:\\Windows\\DiagTrack\\Settings\\MoUsoCoreWorker.exe\", \"C:\\Windows\\tracing\\RuntimeBroker.exe\", \"C:\\Windows\\Provisioning\\Autopilot\\sihost.exe\"" C:\blockComagentCommon\bridgehypercom.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\dllhost.exe\", \"C:\\Windows\\DiagTrack\\Settings\\MoUsoCoreWorker.exe\", \"C:\\Windows\\tracing\\RuntimeBroker.exe\", \"C:\\Windows\\Provisioning\\Autopilot\\sihost.exe\", \"C:\\Users\\Admin\\AppData\\LocalLow\\Adobe\\AcroCef\\dllhost.exe\", \"C:\\Windows\\Fonts\\dllhost.exe\", \"C:\\Windows\\twain_32\\csrss.exe\", \"C:\\Program Files\\7-Zip\\Lang\\Idle.exe\", \"C:\\Users\\Public\\Videos\\winlogon.exe\"" C:\blockComagentCommon\bridgehypercom.exe N/A

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\DCRatBuild_protected.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation C:\blockComagentCommon\bridgehypercom.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Desktop.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\dllhost.exe\"" C:\blockComagentCommon\bridgehypercom.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MoUsoCoreWorker = "\"C:\\Windows\\DiagTrack\\Settings\\MoUsoCoreWorker.exe\"" C:\blockComagentCommon\bridgehypercom.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:\\Windows\\Provisioning\\Autopilot\\sihost.exe\"" C:\blockComagentCommon\bridgehypercom.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\Fonts\\dllhost.exe\"" C:\blockComagentCommon\bridgehypercom.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files\\Microsoft Office\\RuntimeBroker.exe\"" C:\blockComagentCommon\bridgehypercom.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:\\Windows\\Provisioning\\Autopilot\\sihost.exe\"" C:\blockComagentCommon\bridgehypercom.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Users\\Admin\\AppData\\LocalLow\\Adobe\\AcroCef\\dllhost.exe\"" C:\blockComagentCommon\bridgehypercom.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Users\\Public\\Videos\\winlogon.exe\"" C:\blockComagentCommon\bridgehypercom.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\blockComagentCommon\\taskhostw.exe\"" C:\blockComagentCommon\bridgehypercom.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\dllhost.exe\"" C:\blockComagentCommon\bridgehypercom.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MoUsoCoreWorker = "\"C:\\Windows\\DiagTrack\\Settings\\MoUsoCoreWorker.exe\"" C:\blockComagentCommon\bridgehypercom.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Users\\Admin\\AppData\\LocalLow\\Adobe\\AcroCef\\dllhost.exe\"" C:\blockComagentCommon\bridgehypercom.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\Fonts\\dllhost.exe\"" C:\blockComagentCommon\bridgehypercom.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\twain_32\\csrss.exe\"" C:\blockComagentCommon\bridgehypercom.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Program Files\\7-Zip\\Lang\\Idle.exe\"" C:\blockComagentCommon\bridgehypercom.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files\\Microsoft Office\\RuntimeBroker.exe\"" C:\blockComagentCommon\bridgehypercom.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\tracing\\RuntimeBroker.exe\"" C:\blockComagentCommon\bridgehypercom.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\tracing\\RuntimeBroker.exe\"" C:\blockComagentCommon\bridgehypercom.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\twain_32\\csrss.exe\"" C:\blockComagentCommon\bridgehypercom.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Program Files\\7-Zip\\Lang\\Idle.exe\"" C:\blockComagentCommon\bridgehypercom.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Users\\Public\\Videos\\winlogon.exe\"" C:\blockComagentCommon\bridgehypercom.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\blockComagentCommon\\taskhostw.exe\"" C:\blockComagentCommon\bridgehypercom.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\DCRatBuild_protected.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Microsoft Office\9e8d7a4ca61bd9 C:\blockComagentCommon\bridgehypercom.exe N/A
File created C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\dllhost.exe C:\blockComagentCommon\bridgehypercom.exe N/A
File opened for modification C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\dllhost.exe C:\blockComagentCommon\bridgehypercom.exe N/A
File created C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\5940a34987c991 C:\blockComagentCommon\bridgehypercom.exe N/A
File created C:\Program Files\7-Zip\Lang\Idle.exe C:\blockComagentCommon\bridgehypercom.exe N/A
File created C:\Program Files\7-Zip\Lang\6ccacd8608530f C:\blockComagentCommon\bridgehypercom.exe N/A
File created C:\Program Files\Microsoft Office\RuntimeBroker.exe C:\blockComagentCommon\bridgehypercom.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\DiagTrack\Settings\1f93f77a7f4778 C:\blockComagentCommon\bridgehypercom.exe N/A
File created C:\Windows\tracing\9e8d7a4ca61bd9 C:\blockComagentCommon\bridgehypercom.exe N/A
File created C:\Windows\Provisioning\Autopilot\sihost.exe C:\blockComagentCommon\bridgehypercom.exe N/A
File created C:\Windows\Provisioning\Autopilot\66fc9ff0ee96c2 C:\blockComagentCommon\bridgehypercom.exe N/A
File created C:\Windows\Fonts\dllhost.exe C:\blockComagentCommon\bridgehypercom.exe N/A
File created C:\Windows\twain_32\csrss.exe C:\blockComagentCommon\bridgehypercom.exe N/A
File created C:\Windows\DiagTrack\Settings\MoUsoCoreWorker.exe C:\blockComagentCommon\bridgehypercom.exe N/A
File created C:\Windows\servicing\Sessions\TiWorker.exe C:\blockComagentCommon\bridgehypercom.exe N/A
File created C:\Windows\tracing\RuntimeBroker.exe C:\blockComagentCommon\bridgehypercom.exe N/A
File created C:\Windows\Fonts\5940a34987c991 C:\blockComagentCommon\bridgehypercom.exe N/A
File created C:\Windows\twain_32\886983d96e3d3e C:\blockComagentCommon\bridgehypercom.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings C:\Users\Admin\AppData\Roaming\DCRatBuild_protected.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\blockComagentCommon\bridgehypercom.exe N/A
N/A N/A C:\Users\Admin\AppData\LocalLow\Adobe\AcroCef\dllhost.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\LocalLow\Adobe\AcroCef\dllhost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\blockComagentCommon\bridgehypercom.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\LocalLow\Adobe\AcroCef\dllhost.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\DCRatBuild_protected.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2964 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\Desktop.exe C:\Users\Admin\AppData\Roaming\DCRatBuild_protected.exe
PID 2176 wrote to memory of 1108 N/A C:\Users\Admin\AppData\Roaming\DCRatBuild_protected.exe C:\Windows\SysWOW64\WScript.exe
PID 1108 wrote to memory of 1212 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 1212 wrote to memory of 2204 N/A C:\Windows\SysWOW64\cmd.exe C:\blockComagentCommon\bridgehypercom.exe
PID 2204 wrote to memory of 756 N/A C:\blockComagentCommon\bridgehypercom.exe C:\Users\Admin\AppData\LocalLow\Adobe\AcroCef\dllhost.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\Desktop.exe

"C:\Users\Admin\AppData\Local\Temp\Desktop.exe"

C:\Users\Admin\AppData\Roaming\DCRatBuild_protected.exe

"C:\Users\Admin\AppData\Roaming\DCRatBuild_protected.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\blockComagentCommon\XXy2W.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\blockComagentCommon\0xQrS65tkQIWur3PmtNOw.bat" "

C:\blockComagentCommon\bridgehypercom.exe

"C:\blockComagentCommon\bridgehypercom.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 12 /tr "'C:\Windows\DiagTrack\Settings\MoUsoCoreWorker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "MoUsoCoreWorker" /sc ONLOGON /tr "'C:\Windows\DiagTrack\Settings\MoUsoCoreWorker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 10 /tr "'C:\Windows\DiagTrack\Settings\MoUsoCoreWorker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Windows\tracing\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\tracing\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Windows\tracing\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 8 /tr "'C:\Windows\Provisioning\Autopilot\sihost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Windows\Provisioning\Autopilot\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\Windows\Provisioning\Autopilot\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\AppData\LocalLow\Adobe\AcroCef\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Admin\AppData\LocalLow\Adobe\AcroCef\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\AppData\LocalLow\Adobe\AcroCef\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Windows\Fonts\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Fonts\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Windows\Fonts\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Windows\twain_32\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\twain_32\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Windows\twain_32\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Program Files\7-Zip\Lang\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Program Files\7-Zip\Lang\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Videos\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Public\Videos\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Videos\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Office\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Program Files\Microsoft Office\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 7 /tr "'C:\blockComagentCommon\taskhostw.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\blockComagentCommon\taskhostw.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 12 /tr "'C:\blockComagentCommon\taskhostw.exe'" /rl HIGHEST /f

C:\Users\Admin\AppData\LocalLow\Adobe\AcroCef\dllhost.exe

"C:\Users\Admin\AppData\LocalLow\Adobe\AcroCef\dllhost.exe"

Network


Files

C:\Users\Admin\AppData\Roaming\DCRatBuild_protected.exe


memory/2176-11-0x0000000000630000-0x0000000000A32000-memory.dmp

memory/2176-19-0x0000000000630000-0x0000000000A32000-memory.dmp

C:\blockComagentCommon\XXy2W.vbe


C:\blockComagentCommon\0xQrS65tkQIWur3PmtNOw.bat


C:\blockComagentCommon\bridgehypercom.exe


memory/2204-25-0x0000000000D00000-0x0000000000E32000-memory.dmp

memory/2204-26-0x0000000003170000-0x000000000318C000-memory.dmp

memory/2204-27-0x000000001C130000-0x000000001C180000-memory.dmp

memory/2204-28-0x000000001BA60000-0x000000001BA76000-memory.dmp

memory/2204-29-0x000000001BA80000-0x000000001BA8C000-memory.dmp