dcrat | e7706dd5f9b91a20bc5881f9efd75af166942828a426879343df9454f767ece9

Resubmissions

23/01/2025, 15:13

250123-sl31vatmct 10

23/01/2025, 15:12

250123-slbllavndp 7

Analysis

max time kernel
32s
max time network
54s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250113-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250113-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
23/01/2025, 15:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CrackNursultan (2).exe
Size

2.1MB
MD5

e9b8ce25037c26fe63171b24f06d04ec
SHA1

e33459bc02a1cd4824bb9f44c89b05dce7e20cec
SHA256

e7706dd5f9b91a20bc5881f9efd75af166942828a426879343df9454f767ece9
SHA512

ace3e8a023c6247b4e52cd09560c7c7f45af357dcaa14f26452741cddb2d09d94816b0e6bc79edefb03aa6e169385f0dfd039feba0e781a0e0884a3859100ef4
SSDEEP

24576:2TbBv5rUyXVs/ZFmQyOMPaRILC9j5oaKACNnAuuyGf2YnSeqjEwJdAXf0YaHssOq:IBJ8zAE9x5KNlueYSKdPNBp1rsvf

Score

10^/10

dcrat discovery infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\Desktop\\unsecapp.exe\""	bridgeblocksurrogateServer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\Desktop\\unsecapp.exe\", \"C:\\bridgeMsHyperServersaves\\upfc.exe\""	bridgeblocksurrogateServer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\Desktop\\unsecapp.exe\", \"C:\\bridgeMsHyperServersaves\\upfc.exe\", \"C:\\Recovery\\OEM\\SearchApp.exe\""	bridgeblocksurrogateServer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\Desktop\\unsecapp.exe\", \"C:\\bridgeMsHyperServersaves\\upfc.exe\", \"C:\\Recovery\\OEM\\SearchApp.exe\", \"C:\\Users\\Admin\\Start Menu\\fontdrvhost.exe\""	bridgeblocksurrogateServer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\Desktop\\unsecapp.exe\", \"C:\\bridgeMsHyperServersaves\\upfc.exe\", \"C:\\Recovery\\OEM\\SearchApp.exe\", \"C:\\Users\\Admin\\Start Menu\\fontdrvhost.exe\", \"C:\\Users\\Default\\Desktop\\dllhost.exe\""	bridgeblocksurrogateServer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\Desktop\\unsecapp.exe\", \"C:\\bridgeMsHyperServersaves\\upfc.exe\", \"C:\\Recovery\\OEM\\SearchApp.exe\", \"C:\\Users\\Admin\\Start Menu\\fontdrvhost.exe\", \"C:\\Users\\Default\\Desktop\\dllhost.exe\", \"C:\\bridgeMsHyperServersaves\\bridgeblocksurrogateServer.exe\""	bridgeblocksurrogateServer.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1500	2228	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3424	2228	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3180	2228	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3204	2228	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	716	2228	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	788	2228	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2996	2228	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3672	2228	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2636	2228	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2424	2228	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1744	2228	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4752	2228	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1944	2228	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3868	2228	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4600	2228	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	732	2228	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4920	2228	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3800	2228	schtasks.exe	86

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1576956541-1869783662-2981982442-1000\Control Panel\International\Geo\Nation	CrackNursultan (2).exe
Key value queried	\REGISTRY\USER\S-1-5-21-1576956541-1869783662-2981982442-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1576956541-1869783662-2981982442-1000\Control Panel\International\Geo\Nation	bridgeblocksurrogateServer.exe

Executes dropped EXE 2 IoCs

pid	Process
1812	bridgeblocksurrogateServer.exe
3684	bridgeblocksurrogateServer.exe

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bridgeblocksurrogateServer = "\"C:\\bridgeMsHyperServersaves\\bridgeblocksurrogateServer.exe\""	bridgeblocksurrogateServer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1576956541-1869783662-2981982442-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Users\\Default\\Desktop\\unsecapp.exe\""	bridgeblocksurrogateServer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Users\\Default\\Desktop\\unsecapp.exe\""	bridgeblocksurrogateServer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\bridgeMsHyperServersaves\\upfc.exe\""	bridgeblocksurrogateServer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1576956541-1869783662-2981982442-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Users\\Admin\\Start Menu\\fontdrvhost.exe\""	bridgeblocksurrogateServer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1576956541-1869783662-2981982442-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Users\\Default\\Desktop\\dllhost.exe\""	bridgeblocksurrogateServer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1576956541-1869783662-2981982442-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bridgeblocksurrogateServer = "\"C:\\bridgeMsHyperServersaves\\bridgeblocksurrogateServer.exe\""	bridgeblocksurrogateServer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1576956541-1869783662-2981982442-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\bridgeMsHyperServersaves\\upfc.exe\""	bridgeblocksurrogateServer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1576956541-1869783662-2981982442-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\Recovery\\OEM\\SearchApp.exe\""	bridgeblocksurrogateServer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\Recovery\\OEM\\SearchApp.exe\""	bridgeblocksurrogateServer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Users\\Admin\\Start Menu\\fontdrvhost.exe\""	bridgeblocksurrogateServer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Users\\Default\\Desktop\\dllhost.exe\""	bridgeblocksurrogateServer.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\hyotfa.exe	csc.exe
File created	\??\c:\Windows\System32\CSC115069E4A73E414AAB1828EE5A5C34AA.TMP	csc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CrackNursultan (2).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1576956541-1869783662-2981982442-1000_Classes\Local Settings	CrackNursultan (2).exe
Key created	\REGISTRY\USER\S-1-5-21-1576956541-1869783662-2981982442-1000_Classes\Local Settings	bridgeblocksurrogateServer.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1500	schtasks.exe
788	schtasks.exe
2636	schtasks.exe
4920	schtasks.exe
3424	schtasks.exe
2424	schtasks.exe
4752	schtasks.exe
1744	schtasks.exe
1944	schtasks.exe
3868	schtasks.exe
3180	schtasks.exe
716	schtasks.exe
2996	schtasks.exe
3672	schtasks.exe
3204	schtasks.exe
4600	schtasks.exe
732	schtasks.exe
3800	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1812	bridgeblocksurrogateServer.exe
1812	bridgeblocksurrogateServer.exe
1812	bridgeblocksurrogateServer.exe
1812	bridgeblocksurrogateServer.exe
1812	bridgeblocksurrogateServer.exe
1812	bridgeblocksurrogateServer.exe
1812	bridgeblocksurrogateServer.exe
1812	bridgeblocksurrogateServer.exe
1812	bridgeblocksurrogateServer.exe
1812	bridgeblocksurrogateServer.exe
1812	bridgeblocksurrogateServer.exe
1812	bridgeblocksurrogateServer.exe
1812	bridgeblocksurrogateServer.exe
1812	bridgeblocksurrogateServer.exe
1812	bridgeblocksurrogateServer.exe
1812	bridgeblocksurrogateServer.exe
1812	bridgeblocksurrogateServer.exe
1812	bridgeblocksurrogateServer.exe
1812	bridgeblocksurrogateServer.exe
1812	bridgeblocksurrogateServer.exe
1812	bridgeblocksurrogateServer.exe
1812	bridgeblocksurrogateServer.exe
1812	bridgeblocksurrogateServer.exe
1812	bridgeblocksurrogateServer.exe
1812	bridgeblocksurrogateServer.exe
1812	bridgeblocksurrogateServer.exe
1812	bridgeblocksurrogateServer.exe
1812	bridgeblocksurrogateServer.exe
1812	bridgeblocksurrogateServer.exe
1812	bridgeblocksurrogateServer.exe
1812	bridgeblocksurrogateServer.exe
1812	bridgeblocksurrogateServer.exe
1812	bridgeblocksurrogateServer.exe
1812	bridgeblocksurrogateServer.exe
1812	bridgeblocksurrogateServer.exe
1812	bridgeblocksurrogateServer.exe
1812	bridgeblocksurrogateServer.exe
1812	bridgeblocksurrogateServer.exe
1812	bridgeblocksurrogateServer.exe
1812	bridgeblocksurrogateServer.exe
1812	bridgeblocksurrogateServer.exe
1812	bridgeblocksurrogateServer.exe
1812	bridgeblocksurrogateServer.exe
1812	bridgeblocksurrogateServer.exe
1812	bridgeblocksurrogateServer.exe
1812	bridgeblocksurrogateServer.exe
1812	bridgeblocksurrogateServer.exe
1812	bridgeblocksurrogateServer.exe
1812	bridgeblocksurrogateServer.exe
1812	bridgeblocksurrogateServer.exe
1812	bridgeblocksurrogateServer.exe
1812	bridgeblocksurrogateServer.exe
1812	bridgeblocksurrogateServer.exe
1812	bridgeblocksurrogateServer.exe
1812	bridgeblocksurrogateServer.exe
1812	bridgeblocksurrogateServer.exe
1812	bridgeblocksurrogateServer.exe
1812	bridgeblocksurrogateServer.exe
1812	bridgeblocksurrogateServer.exe
1812	bridgeblocksurrogateServer.exe
1812	bridgeblocksurrogateServer.exe
1812	bridgeblocksurrogateServer.exe
1812	bridgeblocksurrogateServer.exe
1812	bridgeblocksurrogateServer.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1812	bridgeblocksurrogateServer.exe
Token: SeDebugPrivilege	3684	bridgeblocksurrogateServer.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1432 wrote to memory of 3708	1432	CrackNursultan (2).exe	81
PID 1432 wrote to memory of 3708	1432	CrackNursultan (2).exe	81
PID 1432 wrote to memory of 3708	1432	CrackNursultan (2).exe	81
PID 3708 wrote to memory of 1200	3708	WScript.exe	90
PID 3708 wrote to memory of 1200	3708	WScript.exe	90
PID 3708 wrote to memory of 1200	3708	WScript.exe	90
PID 1200 wrote to memory of 1812	1200	cmd.exe	92
PID 1200 wrote to memory of 1812	1200	cmd.exe	92
PID 1812 wrote to memory of 1328	1812	bridgeblocksurrogateServer.exe	96
PID 1812 wrote to memory of 1328	1812	bridgeblocksurrogateServer.exe	96
PID 1328 wrote to memory of 2504	1328	csc.exe	98
PID 1328 wrote to memory of 2504	1328	csc.exe	98
PID 1812 wrote to memory of 3292	1812	bridgeblocksurrogateServer.exe	114
PID 1812 wrote to memory of 3292	1812	bridgeblocksurrogateServer.exe	114
PID 3292 wrote to memory of 2924	3292	cmd.exe	116
PID 3292 wrote to memory of 2924	3292	cmd.exe	116
PID 3292 wrote to memory of 2676	3292	cmd.exe	117
PID 3292 wrote to memory of 2676	3292	cmd.exe	117
PID 3292 wrote to memory of 3684	3292	cmd.exe	118
PID 3292 wrote to memory of 3684	3292	cmd.exe	118

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\CrackNursultan (2).exe
"C:\Users\Admin\AppData\Local\Temp\CrackNursultan (2).exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1432
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\bridgeMsHyperServersaves\8aU1Ht2JGPOaPOAacGdrdRd2tVHIcbmBVM.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3708
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\bridgeMsHyperServersaves\dmYoBflZKuj0WytFkBvrEdy5GIZt.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1200
  - - C:\bridgeMsHyperServersaves\bridgeblocksurrogateServer.exe
      "C:\bridgeMsHyperServersaves/bridgeblocksurrogateServer.exe"
      4⤵
      Modifies WinLogon for persistence
      Checks computer location settings
      Executes dropped EXE
      Adds Run key to start application
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1812
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ctjihkrh\ctjihkrh.cmdline"
        5⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1328
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF136.tmp" "c:\Windows\System32\CSC115069E4A73E414AAB1828EE5A5C34AA.TMP"
        6⤵
        
        PID:2504
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nTZrWZMheg.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3292
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:2924
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2676
      - C:\bridgeMsHyperServersaves\bridgeblocksurrogateServer.exe
        
        "C:\bridgeMsHyperServersaves\bridgeblocksurrogateServer.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Desktop\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Users\Default\Desktop\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Desktop\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 8 /tr "'C:\bridgeMsHyperServersaves\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\bridgeMsHyperServersaves\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 13 /tr "'C:\bridgeMsHyperServersaves\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 5 /tr "'C:\Recovery\OEM\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Recovery\OEM\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 12 /tr "'C:\Recovery\OEM\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Start Menu\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Admin\Start Menu\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Start Menu\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Desktop\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default\Desktop\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Desktop\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "bridgeblocksurrogateServerb" /sc MINUTE /mo 13 /tr "'C:\bridgeMsHyperServersaves\bridgeblocksurrogateServer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "bridgeblocksurrogateServer" /sc ONLOGON /tr "'C:\bridgeMsHyperServersaves\bridgeblocksurrogateServer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "bridgeblocksurrogateServerb" /sc MINUTE /mo 6 /tr "'C:\bridgeMsHyperServersaves\bridgeblocksurrogateServer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\bridgeblocksurrogateServer.exe.log

Filesize
1KB

MD5
3472240ba9018b36cebbb3fa4d9ecde2

SHA1
fa7d94af70df8bd1719c25cc1485c093354e3cb6

SHA256
4ff5eaa183765d37205065b36b4212117fe7cc93216a5cdc88649d8943b4f449

SHA512
4ac5bedcf0e686dd86e82ca4dc02f6ec0b5a3a5dd06056856dee7ef230f3abbf37e8237a08f3d9d31e24bf9c8a21eca04a824846a2f5bd50d6defd470a53db3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESF136.tmp

Filesize
1KB

MD5
8c8386085480092250476d4b48a893b9

SHA1
c488328032ade7648ea2f787478ae6e301d9ba72

SHA256
2361b8b7231de42266fba1fdcd2b7d4ffa152232edb15067cbba2eaf8e65fb2d

SHA512
fd7f8b6e1a5f6a9ba1a55dee710d4a3c4fc566ef9190739b0571d56e1d7067571e05a2ad5b0a818a9507dadcf355051dc5a91d1feb444bd1c81dbb1d1ee1cc82

Download Submit
C:\Users\Admin\AppData\Local\Temp\nTZrWZMheg.bat

Filesize
234B

MD5
8f8ba20a0562829e3948435751916ace

SHA1
9e34e3ab1ee23ff59067d30e8295c82b9f8729bd

SHA256
6a7c823df0144ade7039e85650b0da54a2354efd8d764d4745af864961046edd

SHA512
9b4bd6c83092f00acd4a0dd53cbca8c686ccc66918394958ab254594abfcf002e40ba7938395e06b4177ef8a1b6010251daaafabad3729f50aee7fc446c71c89

Download Submit
C:\bridgeMsHyperServersaves\8aU1Ht2JGPOaPOAacGdrdRd2tVHIcbmBVM.vbe

Filesize
231B

MD5
ee9dbcbdf3bea0aa067657fc427f311d

SHA1
2fa9586b66a720bde1de53a8f3748f2b3488b7bc

SHA256
db75336fe141a767a78d6461ff1ad7b1366edc73c8c220d1aa9e1a5338d82793

SHA512
4db077f0bc0bdf24b32e4c1b2d43ce1f65666d68d4762090e54534b8b47ded35855d304599eaef35d44531604577d120a98859aa9759d68421350805dd0e1313

Download Submit
C:\bridgeMsHyperServersaves\bridgeblocksurrogateServer.exe

Filesize
1.8MB

MD5
9fff2599728f7a89e003899e01dc5f96

SHA1
d76587d6504cdaa13c5645602dc52dc4ea26f381

SHA256
29916607d62a33514dc43b137788d90f0db59bf2943f19fcee50867b8455ddbb

SHA512
8793bb247a0e888adcf0f534392c7e6c8549111ac5ebebf79ca4028b20b85d4583cb96ca9b444fa16625718caf4d929f35061791090384eb88444f1428989cf1

Download Submit
C:\bridgeMsHyperServersaves\dmYoBflZKuj0WytFkBvrEdy5GIZt.bat

Filesize
104B

MD5
dae798d37141fc446a8618bcda6c9e09

SHA1
bc4ded12200267bbb3e03e70d61e601ce9b43f4e

SHA256
207b1a4a610b6007bdd9f18b82fdc9d3dd2e15d9eac96984fd00a5188646b7e1

SHA512
8e9861790a1a0ddbb09df0b7646ae7cd5257f62cafb766c8d03d90e75401d93f445c667df47daacd048e9cd6e23d45ed5af60137403b3b49bde646e4f5cd30a0

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ctjihkrh\ctjihkrh.0.cs

Filesize
369B

MD5
9e846830a5e793cfbd198a45018cb7f2

SHA1
5f82036bf2cfbff74b1b8ef8e517c9dc018a51f3

SHA256
5365424fea85344b877f56aaed8988db558e643e18291ba2195718831a21a555

SHA512
94107231278f5c5036911e711a19c2d485247d29b27d4f15a3de0b8eec2904cf37a938df2f18ef2f328fe6967a38ae3ca91c1267efd7209b160db29b7e1e5f43

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ctjihkrh\ctjihkrh.cmdline

Filesize
235B

MD5
722c13dfc2f35cb9da8e9a503127c6b6

SHA1
569c2b7b4f421cea248e824241e1672a0f70c50d

SHA256
9c9da8a611b8c9770e7ca0e4d0d5fbb5ac2dbccf4ac34bcb167dada6602ea911

SHA512
b593bc71680b28597de9c9af09e42918195b2534780a4e776fe2619c80977717e5a0e6d78af2ac7b70b1f7d8e50c28796675d3ce97b7538f1364d188060b73af

Download Submit
\??\c:\Windows\System32\CSC115069E4A73E414AAB1828EE5A5C34AA.TMP

Filesize
1KB

MD5
2a16f9c51fd2d80a216b5684e263650f

SHA1
7aaa9f96182e91584c17e7ba9ebfe2b3cf9c1ecb

SHA256
d8f3f017a2f66e367cd6ffde3a56e0512b23007d109003b26d502f74749ea742

SHA512
a4fd5d7cb8f77ac95863b12407ed4433e8c62ceda705cbea37c559a0b2def6ed993b235129ab5531332651ac1810519be9880e3292d794f7fe6e21ea01f1e735

Download Submit
memory/1812-16-0x0000000000BF0000-0x0000000000DCA000-memory.dmp

Filesize
1.9MB

Download
memory/1812-25-0x0000000002F60000-0x0000000002F6C000-memory.dmp

Filesize
48KB

Download
memory/1812-23-0x000000001BA30000-0x000000001BA48000-memory.dmp

Filesize
96KB

Download
memory/1812-21-0x000000001BDC0000-0x000000001BE10000-memory.dmp

Filesize
320KB

Download
memory/1812-20-0x000000001BA10000-0x000000001BA2C000-memory.dmp

Filesize
112KB

Download
memory/1812-18-0x0000000002E40000-0x0000000002E4E000-memory.dmp

Filesize
56KB

Download
memory/1812-15-0x00007FFA197D3000-0x00007FFA197D5000-memory.dmp

Filesize
8KB

Download