dcrat | ddbfbdf18dedc2329792c6fe87a8ac12486b54356ac3557d85b6b8282f8b2ca2

General

Target

Roblox.exe
Size

1.1MB
MD5

c99de49cafe024cda7d3e0a38aff5c55
SHA1

9aabf85ffeb296e8837801b86bd0db5d7bc09584
SHA256

ddbfbdf18dedc2329792c6fe87a8ac12486b54356ac3557d85b6b8282f8b2ca2
SHA512

9f7297343de31d9a5361b4273f28065f2e72c39650e09fe98295655a9d1d18c5f99898e988ce3c96c463d3708398e226b400d0495592f43c0b4232eddb76d12c
SSDEEP

24576:U2G/nvxW3Ww0tnZoqM4yV6IcCnVjMAarg8bc6C:UbA30nZ9M4ecgxB

Score

10^/10

dcrat discovery infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 54 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1532	3504	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1340	3504	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1592	3504	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1920	3504	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1508	3504	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4348	3504	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1432	3504	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	384	3504	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1028	3504	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4312	3504	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1676	3504	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3232	3504	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2552	3504	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4556	3504	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1052	3504	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4160	3504	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2504	3504	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1280	3504	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1644	3504	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4824	3504	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4584	3504	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2056	3504	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2044	3504	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3624	3504	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2408	3504	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	644	3504	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4132	3504	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4476	3504	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4856	3504	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4764	3504	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5016	3504	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4092	3504	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	732	3504	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3268	3504	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4648	3504	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1868	3504	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5084	3504	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2564	3504	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4468	3504	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1440	3504	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4420	3504	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2616	3504	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2028	3504	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1356	3504	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4940	3504	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3408	3504	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2092	3504	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	368	3504	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1920	3504	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1528	3504	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	936	3504	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2508	3504	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3452	3504	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	384	3504	schtasks.exe

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\winhost\Bridgeserverreview.exe	dcrat
behavioral1/memory/2760-13-0x0000000000530000-0x0000000000606000-memory.dmp	dcrat

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Roblox.exeWScript.exeBridgeserverreview.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	Roblox.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	Bridgeserverreview.exe

Executes dropped EXE 2 IoCs

Processes:

Bridgeserverreview.execonhost.exe

pid process

2760 Bridgeserverreview.exe
1184 conhost.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

24 pastebin.com
23 pastebin.com

flow	ioc
24	pastebin.com
23	pastebin.com

Drops file in Program Files directory 16 IoCs

Processes:

Bridgeserverreview.exe

description	ioc	process
File created	C:\Program Files\Mozilla Firefox\defaults\pref\04c1e7795967e4	Bridgeserverreview.exe
File created	C:\Program Files (x86)\Windows Media Player\es-ES\System.exe	Bridgeserverreview.exe
File created	C:\Program Files\Windows Security\BrowserCore\en-US\eddb19405b7ce1	Bridgeserverreview.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\RuntimeBroker.exe	Bridgeserverreview.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\9e8d7a4ca61bd9	Bridgeserverreview.exe
File created	C:\Program Files (x86)\Windows Defender\ja-JP\conhost.exe	Bridgeserverreview.exe
File created	C:\Program Files (x86)\Windows Defender\ja-JP\088424020bedd6	Bridgeserverreview.exe
File created	C:\Program Files\Mozilla Firefox\defaults\pref\TrustedInstaller.exe	Bridgeserverreview.exe
File created	C:\Program Files\Windows Security\BrowserCore\en-US\backgroundTaskHost.exe	Bridgeserverreview.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SearchApp.exe	Bridgeserverreview.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\38384e6a620884	Bridgeserverreview.exe
File created	C:\Program Files (x86)\Common Files\Java\5b884080fd4f94	Bridgeserverreview.exe
File created	C:\Program Files (x86)\Windows Media Player\es-ES\27d1bcfc3c54e0	Bridgeserverreview.exe
File created	C:\Program Files (x86)\Common Files\Java\fontdrvhost.exe	Bridgeserverreview.exe
File created	C:\Program Files\Windows Defender\de-DE\backgroundTaskHost.exe	Bridgeserverreview.exe
File created	C:\Program Files\Windows Defender\de-DE\eddb19405b7ce1	Bridgeserverreview.exe

Drops file in Windows directory 2 IoCs

Processes:

Bridgeserverreview.exe

description	ioc	process
File created	C:\Windows\CSC\StartMenuExperienceHost.exe	Bridgeserverreview.exe
File created	C:\Windows\Speech\Common\es-ES\Bridgeserverreview.exe	Bridgeserverreview.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

WScript.execmd.exeRoblox.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Roblox.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Modifies registry class 3 IoCs

Processes:

Bridgeserverreview.exetaskmgr.exeRoblox.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	Bridgeserverreview.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	taskmgr.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	Roblox.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 54 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
1592	schtasks.exe
1432	schtasks.exe
384	schtasks.exe
2564	schtasks.exe
2028	schtasks.exe
1528	schtasks.exe
1532	schtasks.exe
1340	schtasks.exe
3408	schtasks.exe
4556	schtasks.exe
732	schtasks.exe
4764	schtasks.exe
4648	schtasks.exe
1356	schtasks.exe
2508	schtasks.exe
4160	schtasks.exe
1644	schtasks.exe
4940	schtasks.exe
1920	schtasks.exe
1052	schtasks.exe
2044	schtasks.exe
4132	schtasks.exe
1920	schtasks.exe
2552	schtasks.exe
936	schtasks.exe
4348	schtasks.exe
644	schtasks.exe
4476	schtasks.exe
4092	schtasks.exe
4468	schtasks.exe
2092	schtasks.exe
1028	schtasks.exe
3624	schtasks.exe
1868	schtasks.exe
3452	schtasks.exe
3232	schtasks.exe
4584	schtasks.exe
368	schtasks.exe
4312	schtasks.exe
2504	schtasks.exe
4420	schtasks.exe
384	schtasks.exe
3268	schtasks.exe
5084	schtasks.exe
4824	schtasks.exe
4856	schtasks.exe
1508	schtasks.exe
2408	schtasks.exe
5016	schtasks.exe
1440	schtasks.exe
1676	schtasks.exe
1280	schtasks.exe
2616	schtasks.exe
2056	schtasks.exe

Suspicious behavior: EnumeratesProcesses 59 IoCs

Processes:

Bridgeserverreview.exetaskmgr.execonhost.exe

pid	process
2760	Bridgeserverreview.exe
2760	Bridgeserverreview.exe
2760	Bridgeserverreview.exe
2760	Bridgeserverreview.exe
2760	Bridgeserverreview.exe
2760	Bridgeserverreview.exe
2760	Bridgeserverreview.exe
2760	Bridgeserverreview.exe
2760	Bridgeserverreview.exe
2760	Bridgeserverreview.exe
2760	Bridgeserverreview.exe
2760	Bridgeserverreview.exe
2760	Bridgeserverreview.exe
2760	Bridgeserverreview.exe
2760	Bridgeserverreview.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1184	conhost.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1184	conhost.exe
1184	conhost.exe
1184	conhost.exe
1184	conhost.exe
1184	conhost.exe
1184	conhost.exe
1184	conhost.exe
1184	conhost.exe
1184	conhost.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

taskmgr.exe

pid process

1600 taskmgr.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

Bridgeserverreview.exetaskmgr.execonhost.exe

description	pid	process
Token: SeDebugPrivilege	2760	Bridgeserverreview.exe
Token: SeDebugPrivilege	1600	taskmgr.exe
Token: SeSystemProfilePrivilege	1600	taskmgr.exe
Token: SeCreateGlobalPrivilege	1600	taskmgr.exe
Token: SeDebugPrivilege	1184	conhost.exe

Suspicious use of FindShellTrayWindow 36 IoCs

Processes:

taskmgr.exe

pid	process
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe

Suspicious use of SendNotifyMessage 35 IoCs

Processes:

taskmgr.exe

pid	process
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

Roblox.exeWScript.execmd.exeBridgeserverreview.execmd.exe

description	pid	process	target process
PID 452 wrote to memory of 4920	452	Roblox.exe	WScript.exe
PID 452 wrote to memory of 4920	452	Roblox.exe	WScript.exe
PID 452 wrote to memory of 4920	452	Roblox.exe	WScript.exe
PID 4920 wrote to memory of 4772	4920	WScript.exe	cmd.exe
PID 4920 wrote to memory of 4772	4920	WScript.exe	cmd.exe
PID 4920 wrote to memory of 4772	4920	WScript.exe	cmd.exe
PID 4772 wrote to memory of 2760	4772	cmd.exe	Bridgeserverreview.exe
PID 4772 wrote to memory of 2760	4772	cmd.exe	Bridgeserverreview.exe
PID 2760 wrote to memory of 1908	2760	Bridgeserverreview.exe	cmd.exe
PID 2760 wrote to memory of 1908	2760	Bridgeserverreview.exe	cmd.exe
PID 1908 wrote to memory of 2484	1908	cmd.exe	w32tm.exe
PID 1908 wrote to memory of 2484	1908	cmd.exe	w32tm.exe
PID 1908 wrote to memory of 1184	1908	cmd.exe	conhost.exe
PID 1908 wrote to memory of 1184	1908	cmd.exe	conhost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Roblox.exe
"C:\Users\Admin\AppData\Local\Temp\Roblox.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:452
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\winhost\pVpro8qXQlIQv8eFyZDzX7KdB4YV.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4920
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\winhost\SEvmHlUXIdQJ2qu1BTOOpiGOkun1.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4772
  - - C:\winhost\Bridgeserverreview.exe
      "C:\winhost\Bridgeserverreview.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2760
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hNyBNrrejb.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1908
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2484
      - C:\Program Files (x86)\Windows Defender\ja-JP\conhost.exe
        
        "C:\Program Files (x86)\Windows Defender\ja-JP\conhost.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 13 /tr "'C:\winhost\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\winhost\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 6 /tr "'C:\winhost\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Defender\de-DE\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\de-DE\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Defender\de-DE\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Sidebar\Gadgets\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Gadgets\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Sidebar\Gadgets\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Common Files\Java\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Java\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Common Files\Java\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 12 /tr "'C:\Program Files\Mozilla Firefox\defaults\pref\TrustedInstaller.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TrustedInstaller" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\defaults\pref\TrustedInstaller.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 6 /tr "'C:\Program Files\Mozilla Firefox\defaults\pref\TrustedInstaller.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Media Player\es-ES\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\es-ES\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Media Player\es-ES\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:384

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1600

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

3

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hNyBNrrejb.bat

Filesize
222B

MD5
44e1571b91e78b29133247b90b236718

SHA1
4a9f6e4bc957f1f5a752a9f6613d4cb96d8afe64

SHA256
c300317c33e77cfd28228a778e85bcfe609c16f03302bc2362457907514fc580

SHA512
538400cf5fef784fbee9dc31fc6eda474f8a15d381ca786cd4200a1bef6272740141e06e9ed3383320333e38213f51aeacf75205d36072a925f9b88088716685

Download Submit
C:\winhost\Bridgeserverreview.exe

Filesize
828KB

MD5
7b590accd699930f5a908e4043b2d906

SHA1
fe443207c857eab9c1881504d153532b0babaf36

SHA256
8360ee35ab4671dc44c388b030a7f15d81a23bdd74fc568a3b8460f34b117f53

SHA512
a0ce3a20e30b5f2681968b9bea9a17d2fdf4f8ed9b1e2b8e646d5450c91f5f21b8938a8107e96aa0c50b11edbe73416e27d393dea3ad18799f5d569527773a98

Download Submit
C:\winhost\SEvmHlUXIdQJ2qu1BTOOpiGOkun1.bat

Filesize
35B

MD5
eb899353e5046734f99e445e218e06e2

SHA1
9703ceb6fca84aabee941c647d58d970b566860f

SHA256
526cfad862828369b2f3300db4ee8f06c6491f9f54194a4b8590b331357dc1e5

SHA512
b2c645cf63c0ec26f80e855c7a499607dd660e444ce82ef5c44e86c0f5d1764ead84bb5ef13842ebc73bdf1613ff172b67c1911fea96d86549f9549a68af711e

Download Submit
C:\winhost\pVpro8qXQlIQv8eFyZDzX7KdB4YV.vbe

Filesize
213B

MD5
a0a4cb9f8743b8080b15699aa14d5998

SHA1
2883bd6441eeb4e2377042c9a1ab78e722ded8ac

SHA256
9f7c08810b39d6ad6aa2a1fa6aabeaccd64e0be326de8974ddae43563e0a5eb7

SHA512
18b3fb6847e899e0fb688eeeb6867c85ce1bec43d86ebd541ab8ab5120fb3bae61f6699e9290ef400da97f353d5a4126d52b22edc406ab3c09363d677276b71a

Download Submit
memory/1600-65-0x000002A92DE00000-0x000002A92DE01000-memory.dmp

Filesize
4KB

Download
memory/1600-56-0x000002A92DE00000-0x000002A92DE01000-memory.dmp

Filesize
4KB

Download
memory/1600-57-0x000002A92DE00000-0x000002A92DE01000-memory.dmp

Filesize
4KB

Download
memory/1600-58-0x000002A92DE00000-0x000002A92DE01000-memory.dmp

Filesize
4KB

Download
memory/1600-68-0x000002A92DE00000-0x000002A92DE01000-memory.dmp

Filesize
4KB

Download
memory/1600-67-0x000002A92DE00000-0x000002A92DE01000-memory.dmp

Filesize
4KB

Download
memory/1600-66-0x000002A92DE00000-0x000002A92DE01000-memory.dmp

Filesize
4KB

Download
memory/1600-64-0x000002A92DE00000-0x000002A92DE01000-memory.dmp

Filesize
4KB

Download
memory/1600-63-0x000002A92DE00000-0x000002A92DE01000-memory.dmp

Filesize
4KB

Download
memory/1600-62-0x000002A92DE00000-0x000002A92DE01000-memory.dmp

Filesize
4KB

Download
memory/2760-13-0x0000000000530000-0x0000000000606000-memory.dmp

Filesize
856KB

Download
memory/2760-12-0x00007FFD8C663000-0x00007FFD8C665000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads