Malware Analysis Report

2024-11-13 13:46

Sample ID 240720-wabc8svbpd
Target f4211bfb02fddddf810c3cc71b249020N.exe
SHA256 877d472af519397f8e8be5dcf8c756aed03e5ce022e6eba821f107336154ef81
Tags
rat dcrat evasion infostealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

877d472af519397f8e8be5dcf8c756aed03e5ce022e6eba821f107336154ef81

Threat Level: Known bad

The file f4211bfb02fddddf810c3cc71b249020N.exe was found to be: Known bad.

Malicious Activity Summary

rat dcrat evasion infostealer trojan

DcRat

Process spawned unexpected child process

Dcrat family

DCRat payload

UAC bypass

DCRat payload

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

Checks whether UAC is enabled

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Uses Task Scheduler COM API

Modifies registry class

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

System policy modification

Scheduled Task/Job: Scheduled Task

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-20 17:42

Signatures

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Dcrat family

dcrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-20 17:42

Reported

2024-07-20 17:44

Platform

win7-20240705-en

Max time kernel

90s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f4211bfb02fddddf810c3cc71b249020N.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
(57 identical entries, one per schtasks.exe invocation listed under Processes)

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Chainserverhostnetcommon\sessionbrokerHost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Chainserverhostnetcommon\sessionbrokerHost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Chainserverhostnetcommon\sessionbrokerHost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\audiodg.exe N/A

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Chainserverhostnetcommon\sessionbrokerHost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Chainserverhostnetcommon\sessionbrokerHost.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\audiodg.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\56085415360792 C:\Chainserverhostnetcommon\sessionbrokerHost.exe N/A
File created C:\Program Files\7-Zip\Lang\dllhost.exe C:\Chainserverhostnetcommon\sessionbrokerHost.exe N/A
File created C:\Program Files\7-Zip\Lang\5940a34987c991 C:\Chainserverhostnetcommon\sessionbrokerHost.exe N/A
File created C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\winlogon.exe C:\Chainserverhostnetcommon\sessionbrokerHost.exe N/A
File created C:\Program Files (x86)\Common Files\Adobe\conhost.exe C:\Chainserverhostnetcommon\sessionbrokerHost.exe N/A
File created C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\wininit.exe C:\Chainserverhostnetcommon\sessionbrokerHost.exe N/A
File created C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\WmiPrvSE.exe C:\Chainserverhostnetcommon\sessionbrokerHost.exe N/A
File created C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\24dbde2999530e C:\Chainserverhostnetcommon\sessionbrokerHost.exe N/A
File created C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\cc11b995f2a76d C:\Chainserverhostnetcommon\sessionbrokerHost.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe\conhost.exe C:\Chainserverhostnetcommon\sessionbrokerHost.exe N/A
File created C:\Program Files (x86)\Common Files\Adobe\088424020bedd6 C:\Chainserverhostnetcommon\sessionbrokerHost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Fonts\System.exe C:\Chainserverhostnetcommon\sessionbrokerHost.exe N/A
File created C:\Windows\Fonts\27d1bcfc3c54e0 C:\Chainserverhostnetcommon\sessionbrokerHost.exe N/A
File created C:\Windows\de-DE\services.exe C:\Chainserverhostnetcommon\sessionbrokerHost.exe N/A
File created C:\Windows\de-DE\c5b4cb5e9653cc C:\Chainserverhostnetcommon\sessionbrokerHost.exe N/A

Enumerates physical storage devices

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
(57 identical entries, one per schtasks.exe invocation listed under Processes)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Chainserverhostnetcommon\sessionbrokerHost.exe N/A
Token: SeDebugPrivilege N/A C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\audiodg.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2392 wrote to memory of 2112 N/A C:\Users\Admin\AppData\Local\Temp\f4211bfb02fddddf810c3cc71b249020N.exe C:\Windows\SysWOW64\WScript.exe
(4 identical entries)
PID 2112 wrote to memory of 2712 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
(4 identical entries)
PID 2712 wrote to memory of 2728 N/A C:\Windows\SysWOW64\cmd.exe C:\Chainserverhostnetcommon\sessionbrokerHost.exe
(4 identical entries)
PID 2728 wrote to memory of 2624 N/A C:\Chainserverhostnetcommon\sessionbrokerHost.exe C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\audiodg.exe
(3 identical entries)

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Chainserverhostnetcommon\sessionbrokerHost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Chainserverhostnetcommon\sessionbrokerHost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Chainserverhostnetcommon\sessionbrokerHost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\audiodg.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\f4211bfb02fddddf810c3cc71b249020N.exe

"C:\Users\Admin\AppData\Local\Temp\f4211bfb02fddddf810c3cc71b249020N.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Chainserverhostnetcommon\YJTOmpNsmC9R7eL.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Chainserverhostnetcommon\xvJlHi5CymWgg0Dp0wux5lJOn26p.bat" "

C:\Chainserverhostnetcommon\sessionbrokerHost.exe

"C:\Chainserverhostnetcommon\sessionbrokerHost.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Common Files\Adobe\conhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Adobe\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Common Files\Adobe\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Windows\Fonts\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\Fonts\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Windows\Fonts\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Chainserverhostnetcommon\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Chainserverhostnetcommon\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Chainserverhostnetcommon\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Recovery\b2a802a2-3b12-11ef-8991-d2f1755c8afd\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\b2a802a2-3b12-11ef-8991-d2f1755c8afd\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Recovery\b2a802a2-3b12-11ef-8991-d2f1755c8afd\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Admin\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\OSPPSVC.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\NetHood\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Admin\NetHood\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\NetHood\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Desktop\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\All Users\Desktop\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Desktop\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Chainserverhostnetcommon\WmiPrvSE.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Chainserverhostnetcommon\WmiPrvSE.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Chainserverhostnetcommon\WmiPrvSE.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\audiodg.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\conhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files\7-Zip\Lang\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files\7-Zip\Lang\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\WmiPrvSE.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\WmiPrvSE.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\WmiPrvSE.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Recovery\b2a802a2-3b12-11ef-8991-d2f1755c8afd\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\b2a802a2-3b12-11ef-8991-d2f1755c8afd\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Recovery\b2a802a2-3b12-11ef-8991-d2f1755c8afd\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Windows\de-DE\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\de-DE\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Windows\de-DE\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\winlogon.exe'" /rl HIGHEST /f

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\audiodg.exe

"C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\audiodg.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 cp57330.tw1.ru udp
RU 185.114.247.170:80 cp57330.tw1.ru tcp
RU 185.114.247.170:80 cp57330.tw1.ru tcp
RU 185.114.247.170:80 cp57330.tw1.ru tcp

Files

C:\Chainserverhostnetcommon\YJTOmpNsmC9R7eL.vbe

MD5 d47f398bcb4d7af45368ac7e2b7956e4
SHA1 8acbdd4ae19bcad76b7ed2dfd94fa102df2914a6
SHA256 97dba9f4d3e8ba6fa8f6f4534f4ed92bb85849d2da045abc84ef54d8777208db
SHA512 e63133d63e32081267d71220d54f3277559cf0f74883c6dd34bac8c73a41ef905ff4d66f2d9961af37cf07384f2f383e005d8b1bda8740807f1c295a581f5ee0

C:\Chainserverhostnetcommon\xvJlHi5CymWgg0Dp0wux5lJOn26p.bat

MD5 e9cd2d5648ebb737cc9be7dbdf969056
SHA1 3e34a5cd97ed60e282301025ddca974614d74c5a
SHA256 a154e1f761b72ef3fa982881229ac2ee7d9d358285ee241c911fde570f376bbe
SHA512 e61b01bc01ffea738d9e4c7afd400fe815c46ee16223fdb9971b843d55e509b6529cbc0f0d36906b3d12ffc8124ad940499ab318573309bb624544e7bd17ad17

C:\Chainserverhostnetcommon\sessionbrokerHost.exe

MD5 f889fcff1de0857b351474a2e794b7ca
SHA1 c5c9be94d9bf74a382d01374a869b2c34f7179ac
SHA256 48b84c11bf2ccfe73802565024f5abc589b9bef4c0aece8439baee4f260112e0
SHA512 1d2bad15de6c57f699a81a13288be968bc0638b7629d741b795b07f608a0d8928d92da5f76d121ea0ed95fbc13c5ece7403fe8accb1aa870acda6414e7b6a561

memory/2728-13-0x0000000001290000-0x000000000137E000-memory.dmp

memory/2728-14-0x0000000000150000-0x0000000000158000-memory.dmp

memory/2728-15-0x0000000000160000-0x000000000016A000-memory.dmp

memory/2728-16-0x0000000000170000-0x000000000017C000-memory.dmp

memory/2624-61-0x0000000000090000-0x000000000017E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-20 17:42

Reported

2024-07-20 17:44

Platform

win10v2004-20240709-en

Max time kernel

101s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f4211bfb02fddddf810c3cc71b249020N.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
(this row is repeated 42 times in the sandbox output, once for each of the 42 schtasks.exe /create invocations listed under Processes)

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Chainserverhostnetcommon\sessionbrokerHost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Chainserverhostnetcommon\sessionbrokerHost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Chainserverhostnetcommon\sessionbrokerHost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\dwm.exe N/A

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\f4211bfb02fddddf810c3cc71b249020N.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation C:\Chainserverhostnetcommon\sessionbrokerHost.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Chainserverhostnetcommon\sessionbrokerHost.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\dwm.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Chainserverhostnetcommon\sessionbrokerHost.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Common Files\DESIGNER\taskhostw.exe C:\Chainserverhostnetcommon\sessionbrokerHost.exe N/A
File created C:\Program Files (x86)\Windows Portable Devices\121e5b5079f7c0 C:\Chainserverhostnetcommon\sessionbrokerHost.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\f3b6ecef712a24 C:\Chainserverhostnetcommon\sessionbrokerHost.exe N/A
File opened for modification C:\Program Files\Common Files\DESIGNER\taskhostw.exe C:\Chainserverhostnetcommon\sessionbrokerHost.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\dwm.exe C:\Chainserverhostnetcommon\sessionbrokerHost.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\6cb0b6c459d5d3 C:\Chainserverhostnetcommon\sessionbrokerHost.exe N/A
File created C:\Program Files\Common Files\DESIGNER\ea9f0e6c9e2dcd C:\Chainserverhostnetcommon\sessionbrokerHost.exe N/A
File created C:\Program Files\Windows Portable Devices\56085415360792 C:\Chainserverhostnetcommon\sessionbrokerHost.exe N/A
File created C:\Program Files (x86)\Google\Temp\SppExtComObj.exe C:\Chainserverhostnetcommon\sessionbrokerHost.exe N/A
File created C:\Program Files (x86)\Google\Temp\e1ef82546f0b02 C:\Chainserverhostnetcommon\sessionbrokerHost.exe N/A
File created C:\Program Files\Windows Portable Devices\wininit.exe C:\Chainserverhostnetcommon\sessionbrokerHost.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\TrustedInstaller.exe C:\Chainserverhostnetcommon\sessionbrokerHost.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\04c1e7795967e4 C:\Chainserverhostnetcommon\sessionbrokerHost.exe N/A
File created C:\Program Files (x86)\Windows Portable Devices\sysmon.exe C:\Chainserverhostnetcommon\sessionbrokerHost.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\spoolsv.exe C:\Chainserverhostnetcommon\sessionbrokerHost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\RemotePackages\conhost.exe C:\Chainserverhostnetcommon\sessionbrokerHost.exe N/A
File created C:\Windows\RemotePackages\088424020bedd6 C:\Chainserverhostnetcommon\sessionbrokerHost.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\f4211bfb02fddddf810c3cc71b249020N.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings C:\Chainserverhostnetcommon\sessionbrokerHost.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
(42 identical rows in the sandbox output, one per schtasks.exe /create invocation listed under Processes)

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Chainserverhostnetcommon\sessionbrokerHost.exe N/A
(25 identical rows in the sandbox output)
N/A N/A C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\dwm.exe N/A
(9 identical rows in the sandbox output)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Chainserverhostnetcommon\sessionbrokerHost.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\dwm.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4028 wrote to memory of 4860 N/A C:\Users\Admin\AppData\Local\Temp\f4211bfb02fddddf810c3cc71b249020N.exe C:\Windows\SysWOW64\WScript.exe
PID 4028 wrote to memory of 4860 N/A C:\Users\Admin\AppData\Local\Temp\f4211bfb02fddddf810c3cc71b249020N.exe C:\Windows\SysWOW64\WScript.exe
PID 4028 wrote to memory of 4860 N/A C:\Users\Admin\AppData\Local\Temp\f4211bfb02fddddf810c3cc71b249020N.exe C:\Windows\SysWOW64\WScript.exe
PID 4860 wrote to memory of 1296 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 4860 wrote to memory of 1296 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 4860 wrote to memory of 1296 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 1296 wrote to memory of 2448 N/A C:\Windows\SysWOW64\cmd.exe C:\Chainserverhostnetcommon\sessionbrokerHost.exe
PID 1296 wrote to memory of 2448 N/A C:\Windows\SysWOW64\cmd.exe C:\Chainserverhostnetcommon\sessionbrokerHost.exe
PID 2448 wrote to memory of 3516 N/A C:\Chainserverhostnetcommon\sessionbrokerHost.exe C:\Windows\System32\cmd.exe
PID 2448 wrote to memory of 3516 N/A C:\Chainserverhostnetcommon\sessionbrokerHost.exe C:\Windows\System32\cmd.exe
PID 3516 wrote to memory of 1220 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 3516 wrote to memory of 1220 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 3516 wrote to memory of 4336 N/A C:\Windows\System32\cmd.exe C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\dwm.exe
PID 3516 wrote to memory of 4336 N/A C:\Windows\System32\cmd.exe C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\dwm.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Chainserverhostnetcommon\sessionbrokerHost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Chainserverhostnetcommon\sessionbrokerHost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Chainserverhostnetcommon\sessionbrokerHost.exe N/A
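The UAC bypass, Checks whether UAC is enabled and System policy modification tables all describe the same three writes under Policies\System by two of the dropped binaries: EnableLUA, ConsentPromptBehaviorAdmin and PromptOnSecureDesktop set to 0, which together make elevation silent and keep it off the secure desktop. As an added example, not part of the report, here is the check an analyst would run over registry-set telemetry to pick those writes out and to separate a partial change from the full silent-elevation set. The input lines are in this report's own row format: six are copied from the UAC bypass table, two are the "Key value queried" rows, and the last two are constructed (a Geo\Nation lookup and an EnableLUA=1 write by regedit) so the filter has something to ignore. The default values quoted in the comments are Windows defaults; the regex is written for this report's layout.

```python
"""Flag registry writes that silence UAC, as recorded in the tables above.

Added example, not part of the sandbox report. Event lines follow the report's
own 'Set value (int) <key> = "<v>" <process> N/A' form; the last two in
SAMPLE_EVENTS are constructed so that benign activity is exercised too.
"""
import re
from dataclasses import dataclass

POLICY_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"

# 0 is the weak setting for all three. Windows defaults: EnableLUA=1,
# ConsentPromptBehaviorAdmin=5 (prompt for consent for non-Windows binaries),
# PromptOnSecureDesktop=1.
WEAK_WHEN_ZERO = {"EnableLUA", "ConsentPromptBehaviorAdmin", "PromptOnSecureDesktop"}

ROW = re.compile(
    r'^(?P<op>Set value \(int\)|Key value queried) '
    r'(?P<path>\\REGISTRY\\.+?)'
    r'(?: = "(?P<val>[^"]*)")? '
    r'(?P<proc>[A-Za-z]:\\.+?)(?: N/A)?$'
)

SAMPLE_EVENTS = [
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Chainserverhostnetcommon\sessionbrokerHost.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Chainserverhostnetcommon\sessionbrokerHost.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Chainserverhostnetcommon\sessionbrokerHost.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\dwm.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\dwm.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\dwm.exe N/A',
    r'Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\dwm.exe N/A',
    r'Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Chainserverhostnetcommon\sessionbrokerHost.exe N/A',
    # constructed: a locale lookup and an administrator restoring the default
    r'Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" C:\Windows\regedit.exe N/A',
]


@dataclass(frozen=True)
class Tamper:
    value_name: str
    value: int
    process: str


def uac_tampering(event_lines):
    """Writes of 0 to any of the three UAC policy values, with the writing process."""
    hits = []
    for line in event_lines:
        m = ROW.match(line)
        if not m or m["op"] != "Set value (int)":
            continue  # reads are reconnaissance, not tampering
        key, _, name = m["path"].rpartition("\\")
        if key.lower() != POLICY_KEY.lower() or name not in WEAK_WHEN_ZERO:
            continue
        try:
            value = int(m["val"])
        except (TypeError, ValueError):
            continue
        if value == 0:
            hits.append(Tamper(name, value, m["proc"]))
    return hits


def fully_silenced(hits):
    """Processes that zeroed all three values: elevation now happens with no prompt at all."""
    per_process = {}
    for h in hits:
        per_process.setdefault(h.process, set()).add(h.value_name)
    return {proc for proc, names in per_process.items() if names == WEAK_WHEN_ZERO}


if __name__ == "__main__":
    found = uac_tampering(SAMPLE_EVENTS)
    for h in found:
        print(f"{h.process} set {h.value_name}={h.value}")
    print("fully silenced by:", sorted(fully_silenced(found)))
```

On a live host the same three values can be read with "reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"; any of them at 0 on a machine that is not deliberately configured that way by policy should be treated as tampering. Keep in mind that a change to EnableLUA only takes effect after a reboot, so on the detonation host it is the other two values that matter for the scheduled tasks created with /rl HIGHEST.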

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\f4211bfb02fddddf810c3cc71b249020N.exe

"C:\Users\Admin\AppData\Local\Temp\f4211bfb02fddddf810c3cc71b249020N.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Chainserverhostnetcommon\YJTOmpNsmC9R7eL.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Chainserverhostnetcommon\xvJlHi5CymWgg0Dp0wux5lJOn26p.bat" "

C:\Chainserverhostnetcommon\sessionbrokerHost.exe

"C:\Chainserverhostnetcommon\sessionbrokerHost.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 7 /tr "'C:\Program Files\Common Files\DESIGNER\taskhostw.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files\Common Files\DESIGNER\taskhostw.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 5 /tr "'C:\Program Files\Common Files\DESIGNER\taskhostw.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Portable Devices\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Portable Devices\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Package Cache\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\All Users\Package Cache\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Package Cache\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\TrustedInstaller.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TrustedInstaller" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\TrustedInstaller.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\TrustedInstaller.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Google\Temp\SppExtComObj.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Temp\SppExtComObj.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Google\Temp\SppExtComObj.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Windows\RemotePackages\conhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\RemotePackages\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Windows\RemotePackages\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Portable Devices\sysmon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\sysmon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Portable Devices\sysmon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Chainserverhostnetcommon\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Chainserverhostnetcommon\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Chainserverhostnetcommon\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 12 /tr "'C:\Chainserverhostnetcommon\sihost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Chainserverhostnetcommon\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\Chainserverhostnetcommon\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VI0zTzLboc.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\dwm.exe

"C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\dwm.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 cp57330.tw1.ru udp
RU 185.114.247.170:80 cp57330.tw1.ru tcp
RU 185.114.247.170:80 cp57330.tw1.ru tcp
US 8.8.8.8:53 170.247.114.185.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
RU 185.114.247.170:80 cp57330.tw1.ru tcp
US 8.8.8.8:53 18.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp

Files

C:\Chainserverhostnetcommon\YJTOmpNsmC9R7eL.vbe

MD5 d47f398bcb4d7af45368ac7e2b7956e4
SHA1 8acbdd4ae19bcad76b7ed2dfd94fa102df2914a6
SHA256 97dba9f4d3e8ba6fa8f6f4534f4ed92bb85849d2da045abc84ef54d8777208db
SHA512 e63133d63e32081267d71220d54f3277559cf0f74883c6dd34bac8c73a41ef905ff4d66f2d9961af37cf07384f2f383e005d8b1bda8740807f1c295a581f5ee0

C:\Chainserverhostnetcommon\xvJlHi5CymWgg0Dp0wux5lJOn26p.bat

MD5 e9cd2d5648ebb737cc9be7dbdf969056
SHA1 3e34a5cd97ed60e282301025ddca974614d74c5a
SHA256 a154e1f761b72ef3fa982881229ac2ee7d9d358285ee241c911fde570f376bbe
SHA512 e61b01bc01ffea738d9e4c7afd400fe815c46ee16223fdb9971b843d55e509b6529cbc0f0d36906b3d12ffc8124ad940499ab318573309bb624544e7bd17ad17

C:\Chainserverhostnetcommon\sessionbrokerHost.exe

MD5 f889fcff1de0857b351474a2e794b7ca
SHA1 c5c9be94d9bf74a382d01374a869b2c34f7179ac
SHA256 48b84c11bf2ccfe73802565024f5abc589b9bef4c0aece8439baee4f260112e0
SHA512 1d2bad15de6c57f699a81a13288be968bc0638b7629d741b795b07f608a0d8928d92da5f76d121ea0ed95fbc13c5ece7403fe8accb1aa870acda6414e7b6a561

memory/2448-12-0x00007FF90DA23000-0x00007FF90DA25000-memory.dmp

memory/2448-13-0x00000000007F0000-0x00000000008DE000-memory.dmp

memory/2448-14-0x00000000010A0000-0x00000000010A8000-memory.dmp

memory/2448-15-0x0000000002AB0000-0x0000000002ABA000-memory.dmp

memory/2448-16-0x0000000002B10000-0x0000000002B1C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\VI0zTzLboc.bat

MD5 938578a8973f8bdee79eee6be7561d4b
SHA1 9ff2e9392ded332565383450e2804075bf3dd708
SHA256 2822d6a4208cd45f7b6d7f1a6b6f5161a63762631060a8c29deaecd56075aeef
SHA512 391d043b1be59c4ae4be4d9ea760673970d69833ca0783b98dff6b6729d0c6bc8491b3089a96575224a61da974d883ff3d01ad92ebaabb2546e7fde01fbd539d