dcrat | fad45be55844aba24256cc8d0bb7a944a6d3156311bb024849921ae1d27372af

Analysis

max time kernel
95s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23-01-2025 10:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

pisonegro.exe
Size

1.2MB
MD5

520e47b311f00975c4d3e7efb4233525
SHA1

5ddcdb8b9beb7bfcf4d53e2ecbd9f9637b23ec3a
SHA256

fad45be55844aba24256cc8d0bb7a944a6d3156311bb024849921ae1d27372af
SHA512

ac5795fdc0f2b60a7a3b4fbea18814b700061a0fcf148c73b67ba9477be502203862ab62f1f15bfdf622810d230355814a0414ca16befc3bfaf2cc8fca72968a
SSDEEP

24576:u2G/nvxW3WieCf/sKqceu7PcOa03engQw8mnM0g5FHt:ubA3jf/4ctastg5FN

Score

10^/10

dcrat discovery infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 57 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3312	4488	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1724	4488	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1044	4488	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2460	4488	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4404	4488	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4244	4488	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3804	4488	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2188	4488	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2084	4488	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3384	4488	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2288	4488	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2676	4488	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1040	4488	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	560	4488	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4872	4488	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1028	4488	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3760	4488	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4944	4488	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4876	4488	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4676	4488	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3928	4488	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1544	4488	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4812	4488	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4544	4488	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4464	4488	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4436	4488	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3712	4488	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3348	4488	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2976	4488	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	464	4488	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3412	4488	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3424	4488	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1460	4488	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4036	4488	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1604	4488	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1904	4488	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2736	4488	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4268	4488	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1340	4488	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5116	4488	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2580	4488	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2908	4488	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1912	4488	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2716	4488	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1976	4488	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5068	4488	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	552	4488	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2200	4488	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1512	4488	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4304	4488	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3100	4488	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2672	4488	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4108	4488	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2456	4488	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1180	4488	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1764	4488	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	376	4488	schtasks.exe	92

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0007000000023ca1-15.dat	dcrat
behavioral1/memory/212-17-0x0000000000810000-0x00000000008F8000-memory.dmp	dcrat

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	pisonegro.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	intohost.exe

Executes dropped EXE 2 IoCs

pid	Process
212	intohost.exe
1352	WaaSMedicAgent.exe

Drops file in Program Files directory 22 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\System\ado\en-US\eddb19405b7ce1	intohost.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\fr\088424020bedd6	intohost.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\0a1fd5f707cd16	intohost.exe
File created	C:\Program Files\Microsoft Office\886983d96e3d3e	intohost.exe
File created	C:\Program Files\ModifiableWindowsApps\services.exe	intohost.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\WmiPrvSE.exe	intohost.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\24dbde2999530e	intohost.exe
File created	C:\Program Files (x86)\Adobe\7a0fd90576e088	intohost.exe
File created	C:\Program Files\7-Zip\121e5b5079f7c0	intohost.exe
File opened for modification	C:\Program Files\7-Zip\sysmon.exe	intohost.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\upfc.exe	intohost.exe
File created	C:\Program Files\Microsoft Office\csrss.exe	intohost.exe
File created	C:\Program Files\Windows NT\Accessories\es-ES\backgroundTaskHost.exe	intohost.exe
File created	C:\Program Files\Windows NT\Accessories\es-ES\eddb19405b7ce1	intohost.exe
File created	C:\Program Files (x86)\Common Files\System\ado\en-US\backgroundTaskHost.exe	intohost.exe
File created	C:\Program Files (x86)\Adobe\explorer.exe	intohost.exe
File created	C:\Program Files\7-Zip\sysmon.exe	intohost.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\upfc.exe	intohost.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\sppsvc.exe	intohost.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\fr\conhost.exe	intohost.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\ea1d8f6d871115	intohost.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\ea1d8f6d871115	intohost.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Logs\MoSetup\eddb19405b7ce1	intohost.exe
File created	C:\Windows\Logs\MoSetup\backgroundTaskHost.exe	intohost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pisonegro.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	pisonegro.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	intohost.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 57 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1764	schtasks.exe
4876	schtasks.exe
1340	schtasks.exe
5116	schtasks.exe
2908	schtasks.exe
4944	schtasks.exe
1976	schtasks.exe
4404	schtasks.exe
4464	schtasks.exe
4436	schtasks.exe
464	schtasks.exe
2736	schtasks.exe
1180	schtasks.exe
1044	schtasks.exe
3760	schtasks.exe
3348	schtasks.exe
2672	schtasks.exe
376	schtasks.exe
2976	schtasks.exe
3412	schtasks.exe
2200	schtasks.exe
2188	schtasks.exe
2676	schtasks.exe
1460	schtasks.exe
3312	schtasks.exe
3804	schtasks.exe
2288	schtasks.exe
4268	schtasks.exe
552	schtasks.exe
3100	schtasks.exe
2456	schtasks.exe
2460	schtasks.exe
4244	schtasks.exe
3928	schtasks.exe
3712	schtasks.exe
1512	schtasks.exe
1724	schtasks.exe
4036	schtasks.exe
2580	schtasks.exe
1912	schtasks.exe
1040	schtasks.exe
1544	schtasks.exe
5068	schtasks.exe
4108	schtasks.exe
2084	schtasks.exe
3384	schtasks.exe
2716	schtasks.exe
1028	schtasks.exe
4812	schtasks.exe
1604	schtasks.exe
4676	schtasks.exe
1904	schtasks.exe
560	schtasks.exe
4872	schtasks.exe
4544	schtasks.exe
3424	schtasks.exe
4304	schtasks.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
212	intohost.exe
212	intohost.exe
212	intohost.exe
212	intohost.exe
212	intohost.exe
212	intohost.exe
212	intohost.exe
1352	WaaSMedicAgent.exe
3424	taskmgr.exe
3424	taskmgr.exe
3424	taskmgr.exe
3424	taskmgr.exe
3424	taskmgr.exe
3424	taskmgr.exe
3424	taskmgr.exe
3424	taskmgr.exe
3424	taskmgr.exe
3424	taskmgr.exe
3424	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	212	intohost.exe
Token: SeDebugPrivilege	1352	WaaSMedicAgent.exe
Token: SeDebugPrivilege	3424	taskmgr.exe
Token: SeSystemProfilePrivilege	3424	taskmgr.exe
Token: SeCreateGlobalPrivilege	3424	taskmgr.exe
Token: 33	3424	taskmgr.exe
Token: SeIncBasePriorityPrivilege	3424	taskmgr.exe

Suspicious use of FindShellTrayWindow 37 IoCs

pid	Process
3424	taskmgr.exe
3424	taskmgr.exe
3424	taskmgr.exe
3424	taskmgr.exe
3424	taskmgr.exe
3424	taskmgr.exe
3424	taskmgr.exe
3424	taskmgr.exe
3424	taskmgr.exe
3424	taskmgr.exe
3424	taskmgr.exe
3424	taskmgr.exe
3424	taskmgr.exe
3424	taskmgr.exe
3424	taskmgr.exe
3424	taskmgr.exe
3424	taskmgr.exe
3424	taskmgr.exe
3424	taskmgr.exe
3424	taskmgr.exe
3424	taskmgr.exe
3424	taskmgr.exe
3424	taskmgr.exe
3424	taskmgr.exe
3424	taskmgr.exe
3424	taskmgr.exe
3424	taskmgr.exe
3424	taskmgr.exe
3424	taskmgr.exe
3424	taskmgr.exe
3424	taskmgr.exe
3424	taskmgr.exe
3424	taskmgr.exe
3424	taskmgr.exe
3424	taskmgr.exe
3424	taskmgr.exe
3424	taskmgr.exe

Suspicious use of SendNotifyMessage 37 IoCs

pid	Process
3424	taskmgr.exe
3424	taskmgr.exe
3424	taskmgr.exe
3424	taskmgr.exe
3424	taskmgr.exe
3424	taskmgr.exe
3424	taskmgr.exe
3424	taskmgr.exe
3424	taskmgr.exe
3424	taskmgr.exe
3424	taskmgr.exe
3424	taskmgr.exe
3424	taskmgr.exe
3424	taskmgr.exe
3424	taskmgr.exe
3424	taskmgr.exe
3424	taskmgr.exe
3424	taskmgr.exe
3424	taskmgr.exe
3424	taskmgr.exe
3424	taskmgr.exe
3424	taskmgr.exe
3424	taskmgr.exe
3424	taskmgr.exe
3424	taskmgr.exe
3424	taskmgr.exe
3424	taskmgr.exe
3424	taskmgr.exe
3424	taskmgr.exe
3424	taskmgr.exe
3424	taskmgr.exe
3424	taskmgr.exe
3424	taskmgr.exe
3424	taskmgr.exe
3424	taskmgr.exe
3424	taskmgr.exe
3424	taskmgr.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 1176 wrote to memory of 4432	1176	pisonegro.exe	84
PID 1176 wrote to memory of 4432	1176	pisonegro.exe	84
PID 1176 wrote to memory of 4432	1176	pisonegro.exe	84
PID 1176 wrote to memory of 372	1176	pisonegro.exe	85
PID 1176 wrote to memory of 372	1176	pisonegro.exe	85
PID 1176 wrote to memory of 372	1176	pisonegro.exe	85
PID 4432 wrote to memory of 1816	4432	WScript.exe	93
PID 4432 wrote to memory of 1816	4432	WScript.exe	93
PID 4432 wrote to memory of 1816	4432	WScript.exe	93
PID 1816 wrote to memory of 212	1816	cmd.exe	95
PID 1816 wrote to memory of 212	1816	cmd.exe	95
PID 212 wrote to memory of 2528	212	intohost.exe	153
PID 212 wrote to memory of 2528	212	intohost.exe	153
PID 2528 wrote to memory of 4504	2528	cmd.exe	155
PID 2528 wrote to memory of 4504	2528	cmd.exe	155
PID 2528 wrote to memory of 1352	2528	cmd.exe	163
PID 2528 wrote to memory of 1352	2528	cmd.exe	163

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\pisonegro.exe
"C:\Users\Admin\AppData\Local\Temp\pisonegro.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1176
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\BlockHost\MPMCX7GGGQWRWzNwG1.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4432
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\BlockHost\vfd2oiu72zA72rwy7zm5gOTNZUOOE.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1816
  - - C:\BlockHost\intohost.exe
      "C:\BlockHost\intohost.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:212
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kCnZCNu98y.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2528
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:4504
      - C:\Recovery\WindowsRE\WaaSMedicAgent.exe
        
        "C:\Recovery\WindowsRE\WaaSMedicAgent.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1352
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\BlockHost\file.vbs"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 10 /tr "'C:\Program Files\7-Zip\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files\7-Zip\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 14 /tr "'C:\Program Files\7-Zip\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Users\Default User\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Office\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Office\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows NT\Accessories\es-ES\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\es-ES\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows NT\Accessories\es-ES\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 6 /tr "'C:\Windows\Logs\MoSetup\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Windows\Logs\MoSetup\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 12 /tr "'C:\Windows\Logs\MoSetup\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\ssh\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Users\All Users\ssh\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\ssh\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Common Files\System\ado\en-US\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\System\ado\en-US\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Common Files\System\ado\en-US\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Adobe\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Adobe\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\USOShared\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\All Users\USOShared\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\USOShared\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\fr\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\fr\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\fr\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\WaaSMedicAgent.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WaaSMedicAgent" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\WaaSMedicAgent.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\WaaSMedicAgent.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Admin\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\BlockHost\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\BlockHost\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\BlockHost\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:376

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\BlockHost\MPMCX7GGGQWRWzNwG1.vbe

Filesize
215B

MD5
c771a57f9482017ab7f185f77da18fad

SHA1
7167f950f87d5fc4853ae5e8cab9d0bc2bf0fd6d

SHA256
87305002282db2dea62a9f3857bed6b2fe7dab43db6bb9d8a1c8aba3997034ab

SHA512
6b81583e6769a7bb1a557a42c71994924fa2b0eee164003b2d0e64d791a725ef8216c153e4f2d698bb74e389daf4e5aadba5b15029528a572defc30188eaeb7f

Download Submit
C:\BlockHost\file.vbs

Filesize
34B

MD5
677cc4360477c72cb0ce00406a949c61

SHA1
b679e8c3427f6c5fc47c8ac46cd0e56c9424de05

SHA256
f1cccb5ae4aa51d293bd3c7d2a1a04cb7847d22c5db8e05ac64e9a6d7455aa0b

SHA512
7cfe2cc92f9e659f0a15a295624d611b3363bd01eb5bcf9bc7681ea9b70b0564d192d570d294657c8dc2c93497fa3b4526c975a9bf35d69617c31d9936573c6a

Download Submit
C:\BlockHost\intohost.exe

Filesize
898KB

MD5
a8728c1aab06ea9b9a1b99b90184a409

SHA1
74cb9ed38bc0d3842b4b669c04736fcdd3b81477

SHA256
f7cb372c6a56a0a669f48dd3a7c6ac6f39fffcc1a9ce98d739fe329509bbebdb

SHA512
4d6fcfb15918bcb64761464964d5712f1f6a9b512af5ea78746ff72e58f9c1d684ea1d7e826499292682d273a587ece7847e3134ff356c43406d73e019ffd551

Download Submit
C:\BlockHost\vfd2oiu72zA72rwy7zm5gOTNZUOOE.bat

Filesize
27B

MD5
8addf805f5e3bae7984bc04eb7721486

SHA1
09e7ed6a948c17197fa0425dbdc431a902eeab97

SHA256
be47d772ecc9a0bb882bfc1586436aa6aec5642f77ab83013dc180608d4d9ca4

SHA512
7ba099628ebcee9b110af3ff6c30e5901f5e410c5f464cc0cb26c69bcb836bc89a74411f73cdc1444a473157349284946442541450ec902de60c7577b919045e

Download Submit
C:\Users\Admin\AppData\Local\Temp\kCnZCNu98y.bat

Filesize
205B

MD5
c9e73f4110bc87d14e813c35921363c1

SHA1
7a181fbd81ec1e5605ebc3eb23c436c29bd8c24d

SHA256
e87e09d3e8b9abaa30ea370e34b4a07c11f6d68873d7efdb055572c2d2d8763a

SHA512
305b6f57506f703278d235b7a5ff20ee57d2c06083563d4aff7e11a6796f37cf556cbb32df0313d402b6b2be3af672d46649031aeb048b339d4e416f5e7b8c6d

Download Submit
memory/212-17-0x0000000000810000-0x00000000008F8000-memory.dmp

Filesize
928KB

Download
memory/212-18-0x00000000010E0000-0x00000000010EE000-memory.dmp

Filesize
56KB

Download
memory/3424-68-0x000001CDC4B40000-0x000001CDC4B41000-memory.dmp

Filesize
4KB

Download
memory/3424-67-0x000001CDC4B40000-0x000001CDC4B41000-memory.dmp

Filesize
4KB

Download
memory/3424-69-0x000001CDC4B40000-0x000001CDC4B41000-memory.dmp

Filesize
4KB

Download
memory/3424-73-0x000001CDC4B40000-0x000001CDC4B41000-memory.dmp

Filesize
4KB

Download
memory/3424-75-0x000001CDC4B40000-0x000001CDC4B41000-memory.dmp

Filesize
4KB

Download
memory/3424-79-0x000001CDC4B40000-0x000001CDC4B41000-memory.dmp

Filesize
4KB

Download
memory/3424-78-0x000001CDC4B40000-0x000001CDC4B41000-memory.dmp

Filesize
4KB

Download
memory/3424-77-0x000001CDC4B40000-0x000001CDC4B41000-memory.dmp

Filesize
4KB

Download
memory/3424-76-0x000001CDC4B40000-0x000001CDC4B41000-memory.dmp

Filesize
4KB

Download
memory/3424-74-0x000001CDC4B40000-0x000001CDC4B41000-memory.dmp

Filesize
4KB

Download