Analysis
Max time kernel: 102s
Max time network: 128s
Platform: windows11-21h2_x64
Resource: win11-20240611-en
Resource tags: arch:x64, arch:x86, image:win11-20240611-en, locale:en-us, os:windows11-21h2-x64, system
Submitted: 20-06-2024 18:40
Behavioral task: behavioral1
Sample: DCRatBuild.exe
Resource: win11-20240611-en
General
Target: DCRatBuild.exe
Size: 1.2MB
MD5: 6dee040a3c47aa2adb89705eb28bd394
SHA1: 13c5a360b9e8e30258512a403c6f78faf075571d
SHA256: 3e1e599e07cd53bc658e035ebbb7a18948d43c246c6fdcbc72f834f57d94ab7e
SHA512: e22380cd2055f1baca4b021fde7f7ab5b85fb8544d0826ed7a93a0aa42cb8e01cc9d283a30747b005886f190f3065d699667bc81fd1a20269a536d26733909c9
SSDEEP: 24576:U2G/nvxW3Ww0tCtqhWfawiFH/AFoMbmMi5QeAOZLoiw9zMZGtXT:UbA30OqhWofYbPGbLrG5
Malware Config
Signatures
DcRat (16 IoCs)
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
Processes:
  pid   process
  2836  schtasks.exe
  1780  schtasks.exe
  3288  schtasks.exe
  4660  schtasks.exe
  3428  schtasks.exe
  2028  schtasks.exe
  4800  schtasks.exe
  3320  schtasks.exe
  2096  schtasks.exe
  4504  schtasks.exe
  2532  schtasks.exe
  2932  schtasks.exe
  4840  schtasks.exe
  3296  schtasks.exe
  3516  schtasks.exe
Registry:
  Key created  \REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\Local Settings  (DCRatBuild.exe)
Modifies WinLogon for persistence (2 TTPs, 5 IoCs)
Processes: agentrefNet.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell =
    "explorer.exe, \"C:/Users/Admin/AppData/Local/\\agentrefNet.exe\", \"C:/Users/Admin/AppData/Local/\\StartMenuExperienceHost.exe\", \"C:/Users/Admin/AppData/Local/\\SppExtComObj.exe\", \"C:/Users/Admin/AppData/Local/\\unsecapp.exe\", \"C:/Users/Admin/AppData/Local/\\OfficeClickToRun.exe\""  (agentrefNet.exe)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell =
    "explorer.exe, \"C:/Users/Admin/AppData/Local/\\agentrefNet.exe\""  (agentrefNet.exe)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell =
    "explorer.exe, \"C:/Users/Admin/AppData/Local/\\agentrefNet.exe\", \"C:/Users/Admin/AppData/Local/\\StartMenuExperienceHost.exe\""  (agentrefNet.exe)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell =
    "explorer.exe, \"C:/Users/Admin/AppData/Local/\\agentrefNet.exe\", \"C:/Users/Admin/AppData/Local/\\StartMenuExperienceHost.exe\", \"C:/Users/Admin/AppData/Local/\\SppExtComObj.exe\""  (agentrefNet.exe)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell =
    "explorer.exe, \"C:/Users/Admin/AppData/Local/\\agentrefNet.exe\", \"C:/Users/Admin/AppData/Local/\\StartMenuExperienceHost.exe\", \"C:/Users/Admin/AppData/Local/\\SppExtComObj.exe\", \"C:/Users/Admin/AppData/Local/\\unsecapp.exe\""  (agentrefNet.exe)
Process spawned unexpected child process (15 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
  Description for every row: Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
  pid   pid_target  process
  2028  5100        schtasks.exe
  2532  5100        schtasks.exe
  2836  5100        schtasks.exe
  4504  5100        schtasks.exe
  2932  5100        schtasks.exe
  3320  5100        schtasks.exe
  4840  5100        schtasks.exe
  3296  5100        schtasks.exe
  1780  5100        schtasks.exe
  2096  5100        schtasks.exe
  4800  5100        schtasks.exe
  3288  5100        schtasks.exe
  4660  5100        schtasks.exe
  3516  5100        schtasks.exe
  3428  5100        schtasks.exe
Processes:
  resource                                                                       yara_rule
  C:\Users\Admin\AppData\Roaming\BlockServerComponenthostdhcp\agentrefNet.exe    dcrat
  behavioral1/memory/4524-13-0x0000000000260000-0x0000000000356000-memory.dmp    dcrat
Command and Scripting Interpreter: PowerShell (1 TTPs, 10 IoCs)
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
Processes:
  pid   process
  2164  powershell.exe
  3312  powershell.exe
  2208  powershell.exe
  1232  powershell.exe
  896   powershell.exe
  4748  powershell.exe
  4464  powershell.exe
  1076  powershell.exe
  3288  powershell.exe
  2128  powershell.exe
Executes dropped EXE (16 IoCs)
Processes:
  pid   process
  4524  agentrefNet.exe
  760   agentrefNet.exe
  3052  agentrefNet.exe
  1748  agentrefNet.exe
  3268  agentrefNet.exe
  1552  OfficeClickToRun.exe
  2272  agentrefNet.exe
  4508  agentrefNet.exe
  1276  agentrefNet.exe
  4068  agentrefNet.exe
  1704  agentrefNet.exe
  2676  agentrefNet.exe
  3568  agentrefNet.exe
  3340  agentrefNet.exe
  2028  agentrefNet.exe
  1876  agentrefNet.exe
Adds Run key to start application (2 TTPs, 10 IoCs)
Processes: agentrefNet.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\agentrefNet = "\"C:/Users/Admin/AppData/Local/\\agentrefNet.exe\""  (agentrefNet.exe)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:/Users/Admin/AppData/Local/\\StartMenuExperienceHost.exe\""  (agentrefNet.exe)
  Set value (str) \REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000\Software\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:/Users/Admin/AppData/Local/\\unsecapp.exe\""  (agentrefNet.exe)
  Set value (str) \REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000\Software\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:/Users/Admin/AppData/Local/\\OfficeClickToRun.exe\""  (agentrefNet.exe)
  Set value (str) \REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000\Software\Microsoft\Windows\CurrentVersion\Run\agentrefNet = "\"C:/Users/Admin/AppData/Local/\\agentrefNet.exe\""  (agentrefNet.exe)
  Set value (str) \REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000\Software\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:/Users/Admin/AppData/Local/\\StartMenuExperienceHost.exe\""  (agentrefNet.exe)
  Set value (str) \REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000\Software\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:/Users/Admin/AppData/Local/\\SppExtComObj.exe\""  (agentrefNet.exe)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:/Users/Admin/AppData/Local/\\SppExtComObj.exe\""  (agentrefNet.exe)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:/Users/Admin/AppData/Local/\\unsecapp.exe\""  (agentrefNet.exe)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:/Users/Admin/AppData/Local/\\OfficeClickToRun.exe\""  (agentrefNet.exe)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes: msedge.exe
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                     (msedge.exe)
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  (msedge.exe)
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   (msedge.exe)
Modifies registry class (2 IoCs)
Processes: agentrefNet.exe, DCRatBuild.exe
  Key created  \REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\Local Settings  (agentrefNet.exe)
  Key created  \REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\Local Settings  (DCRatBuild.exe)
Scheduled Task/Job: Scheduled Task (1 TTPs, 15 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
  pid   process
  2836  schtasks.exe
  2932  schtasks.exe
  3296  schtasks.exe
  3428  schtasks.exe
  2028  schtasks.exe
  2532  schtasks.exe
  3320  schtasks.exe
  3516  schtasks.exe
  2096  schtasks.exe
  3288  schtasks.exe
  4660  schtasks.exe
  4504  schtasks.exe
  4840  schtasks.exe
  1780  schtasks.exe
  4800  schtasks.exe
Suspicious behavior: EnumeratesProcesses (52 IoCs)
Processes (in report order; consecutive identical rows collapsed with a count):
  pid   process
  4524  agentrefNet.exe
  4748  powershell.exe
  896   powershell.exe
  4748  powershell.exe
  896   powershell.exe
  2176  msedge.exe            (x2)
  5084  msedge.exe            (x2)
  760   agentrefNet.exe
  2164  powershell.exe        (x2)
  4464  powershell.exe        (x2)
  2164  powershell.exe
  4464  powershell.exe
  3052  agentrefNet.exe       (x2)
  2208  powershell.exe
  3312  powershell.exe
  2208  powershell.exe
  3312  powershell.exe
  2208  powershell.exe
  3312  powershell.exe
  1748  agentrefNet.exe       (x2)
  1232  powershell.exe        (x2)
  1076  powershell.exe        (x2)
  1232  powershell.exe
  1824  msedge.exe            (x2)
  3268  agentrefNet.exe       (x2)
  1076  powershell.exe
  2128  powershell.exe        (x2)
  3288  powershell.exe        (x2)
  2128  powershell.exe
  3288  powershell.exe
  1552  OfficeClickToRun.exe  (x10)
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (4 IoCs)
Processes:
  pid   process
  2176  msedge.exe  (4 identical entries)
Suspicious use of AdjustPrivilegeToken (26 IoCs)
Processes:
  description               pid   process
  Token: SeDebugPrivilege   4524  agentrefNet.exe
  Token: SeDebugPrivilege   4748  powershell.exe
  Token: SeDebugPrivilege   896   powershell.exe
  Token: SeDebugPrivilege   760   agentrefNet.exe
  Token: SeDebugPrivilege   2164  powershell.exe
  Token: SeDebugPrivilege   4464  powershell.exe
  Token: SeDebugPrivilege   3052  agentrefNet.exe
  Token: SeDebugPrivilege   2208  powershell.exe
  Token: SeDebugPrivilege   3312  powershell.exe
  Token: SeDebugPrivilege   1748  agentrefNet.exe
  Token: SeDebugPrivilege   1232  powershell.exe
  Token: SeDebugPrivilege   1076  powershell.exe
  Token: SeDebugPrivilege   3268  agentrefNet.exe
  Token: SeDebugPrivilege   2128  powershell.exe
  Token: SeDebugPrivilege   3288  powershell.exe
  Token: SeDebugPrivilege   1552  OfficeClickToRun.exe
  Token: SeDebugPrivilege   2272  agentrefNet.exe
  Token: SeDebugPrivilege   4508  agentrefNet.exe
  Token: SeDebugPrivilege   1276  agentrefNet.exe
  Token: SeDebugPrivilege   4068  agentrefNet.exe
  Token: SeDebugPrivilege   1704  agentrefNet.exe
  Token: SeDebugPrivilege   2676  agentrefNet.exe
  Token: SeDebugPrivilege   3568  agentrefNet.exe
  Token: SeDebugPrivilege   3340  agentrefNet.exe
  Token: SeDebugPrivilege   2028  agentrefNet.exe
  Token: SeDebugPrivilege   1876  agentrefNet.exe
Suspicious use of FindShellTrayWindow (26 IoCs)
Processes:
  pid   process
  2176  msedge.exe  (26 identical entries)
Suspicious use of SendNotifyMessage (12 IoCs)
Processes:
  pid   process
  2176  msedge.exe  (12 identical entries)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes (in report order; identical consecutive rows collapsed with a count):
  description                         pid   process          target process
  PID 4568 wrote to memory of 2364    4568  DCRatBuild.exe   WScript.exe      (x3)
  PID 2364 wrote to memory of 2272    2364  WScript.exe      cmd.exe          (x3)
  PID 2272 wrote to memory of 4524    2272  cmd.exe          agentrefNet.exe  (x2)
  PID 4524 wrote to memory of 896     4524  agentrefNet.exe  powershell.exe   (x2)
  PID 4524 wrote to memory of 4748    4524  agentrefNet.exe  powershell.exe   (x2)
  PID 4524 wrote to memory of 2752    4524  agentrefNet.exe  cmd.exe          (x2)
  PID 2752 wrote to memory of 4784    2752  cmd.exe          w32tm.exe        (x2)
  PID 2176 wrote to memory of 544     2176  msedge.exe       msedge.exe       (x2)
  PID 2176 wrote to memory of 3840    2176  msedge.exe       msedge.exe       (x40)
  PID 2176 wrote to memory of 5084    2176  msedge.exe       msedge.exe       (x2)
  PID 2176 wrote to memory of 1324    2176  msedge.exe       msedge.exe       (x4)
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
(Each entry gives the tree depth, the image path, the command line, the PID and the signatures that matched the process.)

Level 1: C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"
  PID: 4568
  - DcRat
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  Level 2: C:\Windows\SysWOW64\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\BlockServerComponenthostdhcp\Lp39mz9Ejhm.vbe"
    PID: 2364
    - Suspicious use of WriteProcessMemory
    Level 3: C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\BlockServerComponenthostdhcp\EI35eA743vE.bat" "
      PID: 2272
      - Suspicious use of WriteProcessMemory
      Level 4: C:\Users\Admin\AppData\Roaming\BlockServerComponenthostdhcp\agentrefNet.exe
        Command line: "C:\Users\Admin\AppData\Roaming\BlockServerComponenthostdhcp\agentrefNet.exe"
        PID: 4524
        - Modifies WinLogon for persistence
        - Executes dropped EXE
        - Adds Run key to start application
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\BlockServerComponenthostdhcp\agentrefNet.exe'
          PID: 896
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
        Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/Admin/AppData/Local/\agentrefNet.exe'
          PID: 4748
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
        Level 5: C:\Windows\System32\cmd.exe
          Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NkfdZ2sUBf.bat"
          PID: 2752
          - Suspicious use of WriteProcessMemory
          Level 6: C:\Windows\system32\w32tm.exe
            Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
            PID: 4784
          Level 6: C:\Users\Admin\AppData\Roaming\BlockServerComponenthostdhcp\agentrefNet.exe
            Command line: "C:\Users\Admin\AppData\Roaming\BlockServerComponenthostdhcp\agentrefNet.exe"
            PID: 760
            - Modifies WinLogon for persistence
            - Executes dropped EXE
            - Adds Run key to start application
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            Level 7: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\BlockServerComponenthostdhcp\agentrefNet.exe'
              PID: 2164
              - Command and Scripting Interpreter: PowerShell
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
            Level 7: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/Admin/AppData/Local/\StartMenuExperienceHost.exe'
              PID: 4464
              - Command and Scripting Interpreter: PowerShell
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
            Level 7: C:\Users\Admin\AppData\Roaming\BlockServerComponenthostdhcp\agentrefNet.exe
              Command line: "C:\Users\Admin\AppData\Roaming\BlockServerComponenthostdhcp\agentrefNet.exe"
              PID: 3052
              - Modifies WinLogon for persistence
              - Executes dropped EXE
              - Adds Run key to start application
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
              Level 8: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\BlockServerComponenthostdhcp\agentrefNet.exe'
                PID: 2208
                - Command and Scripting Interpreter: PowerShell
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
              Level 8: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/Admin/AppData/Local/\SppExtComObj.exe'
                PID: 3312
                - Command and Scripting Interpreter: PowerShell
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
              Level 8: C:\Users\Admin\AppData\Roaming\BlockServerComponenthostdhcp\agentrefNet.exe
                Command line: "C:\Users\Admin\AppData\Roaming\BlockServerComponenthostdhcp\agentrefNet.exe"
                PID: 1748
                - Modifies WinLogon for persistence
                - Executes dropped EXE
                - Adds Run key to start application
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
                Level 9: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\BlockServerComponenthostdhcp\agentrefNet.exe'
                  PID: 1076
                  - Command and Scripting Interpreter: PowerShell
                  - Suspicious behavior: EnumeratesProcesses
                  - Suspicious use of AdjustPrivilegeToken
                Level 9: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/Admin/AppData/Local/\unsecapp.exe'
                  PID: 1232
                  - Command and Scripting Interpreter: PowerShell
                  - Suspicious behavior: EnumeratesProcesses
                  - Suspicious use of AdjustPrivilegeToken
                Level 9: C:\Users\Admin\AppData\Roaming\BlockServerComponenthostdhcp\agentrefNet.exe
                  Command line: "C:\Users\Admin\AppData\Roaming\BlockServerComponenthostdhcp\agentrefNet.exe"
                  PID: 3268
                  - Modifies WinLogon for persistence
                  - Executes dropped EXE
                  - Adds Run key to start application
                  - Suspicious behavior: EnumeratesProcesses
                  - Suspicious use of AdjustPrivilegeToken
                  Level 10: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\BlockServerComponenthostdhcp\agentrefNet.exe'
                    PID: 2128
                    - Command and Scripting Interpreter: PowerShell
                    - Suspicious behavior: EnumeratesProcesses
                    - Suspicious use of AdjustPrivilegeToken
                  Level 10: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/Admin/AppData/Local/\OfficeClickToRun.exe'
                    PID: 3288
                    - Command and Scripting Interpreter: PowerShell
                    - Suspicious behavior: EnumeratesProcesses
                    - Suspicious use of AdjustPrivilegeToken
                  Level 10: C:\Users\Admin\AppData\Local\OfficeClickToRun.exe
                    Command line: "C:\Users\Admin\AppData\Local\OfficeClickToRun.exe"
                    PID: 1552
                    - Executes dropped EXE
                    - Suspicious behavior: EnumeratesProcesses
                    - Suspicious use of AdjustPrivilegeToken

Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "agentrefNeta" /sc MINUTE /mo 13 /tr "'C:/Users/Admin/AppData/Local/\agentrefNet.exe'" /f
  PID: 2028
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "agentrefNet" /sc ONLOGON /tr "'C:/Users/Admin/AppData/Local/\agentrefNet.exe'" /rl HIGHEST /f
  PID: 2532
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "agentrefNeta" /sc MINUTE /mo 5 /tr "'C:/Users/Admin/AppData/Local/\agentrefNet.exe'" /rl HIGHEST /f
  PID: 2836
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

Level 1: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
  PID: 2176
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  Level 2: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff71ce3cb8,0x7fff71ce3cc8,0x7fff71ce3cd8
    PID: 544
  Level 2: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1908,6167650874041531722,6520823635656398096,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1924 /prefetch:2
    PID: 3840
  Level 2: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1908,6167650874041531722,6520823635656398096,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 /prefetch:3
    PID: 5084
    - Suspicious behavior: EnumeratesProcesses
  Level 2: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1908,6167650874041531722,6520823635656398096,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2512 /prefetch:8
    PID: 1324
  Level 2: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,6167650874041531722,6520823635656398096,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
    PID: 1872
  Level 2: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,6167650874041531722,6520823635656398096,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
    PID: 3380
  Level 2: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,6167650874041531722,6520823635656398096,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4856 /prefetch:1
    PID: 2956
  Level 2: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,6167650874041531722,6520823635656398096,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4080 /prefetch:1
    PID: 1264
  Level 2: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1908,6167650874041531722,6520823635656398096,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3416 /prefetch:8
    PID: 1824
    - Suspicious behavior: EnumeratesProcesses

Level 1: C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 3716

Level 1: C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 2212

Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 11 /tr "'C:/Users/Admin/AppData/Local/\StartMenuExperienceHost.exe'" /f
  PID: 2932
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:/Users/Admin/AppData/Local/\StartMenuExperienceHost.exe'" /rl HIGHEST /f
  PID: 4504
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 8 /tr "'C:/Users/Admin/AppData/Local/\StartMenuExperienceHost.exe'" /rl HIGHEST /f
  PID: 3320
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 10 /tr "'C:/Users/Admin/AppData/Local/\SppExtComObj.exe'" /f
  PID: 4840
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:/Users/Admin/AppData/Local/\SppExtComObj.exe'" /rl HIGHEST /f
  PID: 3296
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 13 /tr "'C:/Users/Admin/AppData/Local/\SppExtComObj.exe'" /rl HIGHEST /f
  PID: 1780
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 12 /tr "'C:/Users/Admin/AppData/Local/\unsecapp.exe'" /f
  PID: 2096
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:/Users/Admin/AppData/Local/\unsecapp.exe'" /rl HIGHEST /f
  PID: 4800
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 12 /tr "'C:/Users/Admin/AppData/Local/\unsecapp.exe'" /rl HIGHEST /f
  PID: 3288
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 6 /tr "'C:/Users/Admin/AppData/Local/\OfficeClickToRun.exe'" /f
  PID: 4660
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:/Users/Admin/AppData/Local/\OfficeClickToRun.exe'" /rl HIGHEST /f
  PID: 3516
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 6 /tr "'C:/Users/Admin/AppData/Local/\OfficeClickToRun.exe'" /rl HIGHEST /f
  PID: 3428
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\System32\rundll32.exe (tree depth 1)
Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
PID:1496
-
C:\Windows\System32\WScript.exe (tree depth 1)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\BlockServerComponenthostdhcp\Lp39mz9Ejhm.vbe"
PID:4616
-
C:\Windows\system32\cmd.exe (tree depth 2)
Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\BlockServerComponenthostdhcp\EI35eA743vE.bat" "
PID:5068
-
C:\Users\Admin\AppData\Roaming\BlockServerComponenthostdhcp\agentrefNet.exe (tree depth 3)
Command line: "C:\Users\Admin\AppData\Roaming\BlockServerComponenthostdhcp\agentrefNet.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1276
-
C:\Windows\system32\cmd.exe (tree depth 1)
Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\BlockServerComponenthostdhcp\EI35eA743vE.bat" "
PID:4408
-
C:\Users\Admin\AppData\Roaming\BlockServerComponenthostdhcp\agentrefNet.exe (tree depth 2)
Command line: "C:\Users\Admin\AppData\Roaming\BlockServerComponenthostdhcp\agentrefNet.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2272
-
C:\Windows\System32\WScript.exe (tree depth 1)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\BlockServerComponenthostdhcp\Lp39mz9Ejhm.vbe"
PID:4780
-
C:\Windows\system32\cmd.exe (tree depth 2)
Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\BlockServerComponenthostdhcp\EI35eA743vE.bat" "
PID:540
-
C:\Users\Admin\AppData\Roaming\BlockServerComponenthostdhcp\agentrefNet.exe (tree depth 3)
Command line: "C:\Users\Admin\AppData\Roaming\BlockServerComponenthostdhcp\agentrefNet.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2676
-
C:\Users\Admin\AppData\Roaming\BlockServerComponenthostdhcp\agentrefNet.exe (tree depth 1)
Command line: "C:\Users\Admin\AppData\Roaming\BlockServerComponenthostdhcp\agentrefNet.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4508
-
C:\Users\Admin\AppData\Roaming\BlockServerComponenthostdhcp\agentrefNet.exe (tree depth 1)
Command line: "C:\Users\Admin\AppData\Roaming\BlockServerComponenthostdhcp\agentrefNet.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4068
-
C:\Windows\system32\cmd.exe (tree depth 1)
Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\BlockServerComponenthostdhcp\EI35eA743vE.bat" C:\Users\Admin\AppData\Roaming\BlockServerComponenthostdhcp\agentrefNet.exe"
PID:1132
-
C:\Users\Admin\AppData\Roaming\BlockServerComponenthostdhcp\agentrefNet.exe (tree depth 2)
Command line: "C:\Users\Admin\AppData\Roaming\BlockServerComponenthostdhcp\agentrefNet.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1704
-
C:\Windows\System32\WScript.exe (tree depth 1)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\BlockServerComponenthostdhcp\Lp39mz9Ejhm.vbe" C:\Users\Admin\AppData\Roaming\BlockServerComponenthostdhcp\agentrefNet.exe
PID:4756
-
C:\Windows\system32\cmd.exe (tree depth 2)
Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\BlockServerComponenthostdhcp\EI35eA743vE.bat" "
PID:3700
-
C:\Users\Admin\AppData\Roaming\BlockServerComponenthostdhcp\agentrefNet.exe (tree depth 3)
Command line: "C:\Users\Admin\AppData\Roaming\BlockServerComponenthostdhcp\agentrefNet.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3568
-
C:\Windows\System32\WScript.exe (tree depth 1)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\BlockServerComponenthostdhcp\Lp39mz9Ejhm.vbe"
PID:1884
-
C:\Windows\system32\cmd.exe (tree depth 2)
Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\BlockServerComponenthostdhcp\EI35eA743vE.bat" "
PID:3380
-
C:\Users\Admin\AppData\Roaming\BlockServerComponenthostdhcp\agentrefNet.exe (tree depth 3)
Command line: "C:\Users\Admin\AppData\Roaming\BlockServerComponenthostdhcp\agentrefNet.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3340
-
C:\Windows\System32\WScript.exe (tree depth 1)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\BlockServerComponenthostdhcp\Lp39mz9Ejhm.vbe"
PID:2468
-
C:\Windows\system32\cmd.exe (tree depth 2)
Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\BlockServerComponenthostdhcp\EI35eA743vE.bat" "
PID:4800
-
C:\Users\Admin\AppData\Roaming\BlockServerComponenthostdhcp\agentrefNet.exe (tree depth 3)
Command line: "C:\Users\Admin\AppData\Roaming\BlockServerComponenthostdhcp\agentrefNet.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2028
-
C:\Users\Admin\AppData\Roaming\BlockServerComponenthostdhcp\agentrefNet.exe (tree depth 1)
Command line: "C:\Users\Admin\AppData\Roaming\BlockServerComponenthostdhcp\agentrefNet.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1876
Network
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter (1)
  - PowerShell (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\agentrefNet.exe.log
Filesize: 1KB
MD5: 400b532c938aca538f01c5616cf318cd
SHA1: 598a59a9434e51a6416f91a4c83bd02505ecb846
SHA256: 28e57db6d7535775b5e65c90ab208c7fe392e373056db5d35e76854270ecd05d
SHA512: b15583323c457d389b873eb31b8e59fef450c0c0e684b0f797231e8d0abace9227b15d4e45b45f4c79ad044a28cc3d79f9f7c2a81bd38e43b0c09f07aaa95b73
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize: 2KB
MD5: 627073ee3ca9676911bee35548eff2b8
SHA1: 4c4b68c65e2cab9864b51167d710aa29ebdcff2e
SHA256: 85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c
SHA512: 3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize: 152B
MD5: a74887034b3a720c50e557d5b1c790bf
SHA1: fb245478258648a65aa189b967590eef6fb167be
SHA256: f25b27187fad2b82ac76fae98dfdddc1c04f4e8370d112d45c1dd17a8908c250
SHA512: 888c3fceb1a28a41c5449f5237ca27c7cbd057ce407f1542973478a31aa84ce9b77943130ca37551c31fa7cd737b9195b7374f886a969b39148a531530a91af3
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize: 152B
MD5: 64f055a833e60505264595e7edbf62f6
SHA1: dad32ce325006c1d094b7c07550aca28a8dac890
SHA256: 7172dc46924936b8dcee2d0c39535d098c2dbf510402c5bbb269399aed4d4c99
SHA512: 86644776207d0904bc3293b4fec2fa724b8b3c9c3086cd0ef2696027ab3d840a8049b6bde3464c209e57ffa83cbc3df6115500fbe36a9acb222830c1aac4dc7a
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize: 5KB
MD5: 95cb61d0d9dfc51efef505e228a90e09
SHA1: 6d72a0daf995b0828c04e425c4cd0aca1f98ee20
SHA256: bd29fea6831484c6d1f02b7c505b5664cbbea4123d7e648bdadb6e2db6e2f8c9
SHA512: 48e729cfcd8232ab2952f824887acd643f3b87a150973d6109bebc81d833d8c50997865a8a2c2e2ccef786ddd63d75a21050e2c13d200d185ef5d964cb463ff2
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize: 5KB
MD5: 9722286a8dfaab8ad9d004d4726802ba
SHA1: 50eb845681df413a613a39e536a1b1e1763c52cc
SHA256: f421d9c15e564799e655ba14f56a2993bfc08b36a1a76a3f26586b1a0f841974
SHA512: 183b088cabccf60cdc95df768724311d5987a7569c622036055e775fb4d8e05b1fa241bf7e5fae5f541eb74c948847b327525936e7b901ecd3fb6a150ff18328
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize: 11KB
MD5: 9d0810010298365a363449d20b60d776
SHA1: 6da75acccf66f2d154fbc99c1428e4e8b4133755
SHA256: 632e1c862997c0ab530441a83b76320120a58945d9a598f5be8c4296ae46c6aa
SHA512: 010ed4fc685814bcf46757aad7e860758c6fe8c41f8532693d4b85ff803a9ece98267584a1a4ee9cee976216554f972fd390c24e246909b61e17726cceb06bb0
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1
Filesize: 264KB
MD5: f50f89a0a91564d0b8a211f8921aa7de
SHA1: 112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256: b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512: bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 944B
MD5: 6f0e62045515b66d0a0105abc22dbf19
SHA1: 894d685122f3f3c9a3457df2f0b12b0e851b394c
SHA256: 529811e4d3496c559f3bd92cd877b93b719c3ac4834202aa76ab9e16e25f9319
SHA512: f78426df6032ee77f8c463446ab1c6bb4669ef7a2463dead831ec4ff83a07d7dc702d79372d8bcaf4594bf0fb6e11e9f027f3e0325de9b19be5f51b7b80ed54a
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 944B
MD5: cef328ddb1ee8916e7a658919323edd8
SHA1: a676234d426917535e174f85eabe4ef8b88256a5
SHA256: a1b5b7ada8ebc910f20f91ada3991d3321104e9da598c958b1edac9f9aca0e90
SHA512: 747400c20ca5b5fd1b54bc24e75e6a78f15af61df263be932d2ee7b2f34731c2de8ce03b2706954fb098c1ac36f0b761cf37e418738fa91f2a8ea78572f545cb
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 944B
MD5: e2a31e1252ec9fb5e5070e76e8382730
SHA1: 29d9f01cd687fc8f80ff5126cddd7cf5a8d288e4
SHA256: 49b6791b42702b8590eb28190ad1bc5c74c1c106bf17a1807276f09912d43b2b
SHA512: 098c9d26d3745ac9b34099c47a7189adcdb01777196244dd5bf35ebb67e33cc31cc2357089f50c6fec512eddaa55bfda2cb4b30f4a5d0ed44df2933a0fbbf1c7
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 944B
MD5: 051a74485331f9d9f5014e58ec71566c
SHA1: 4ed0256a84f2e95609a0b4d5c249bca624db8fe4
SHA256: 3f67e4ba795fd89d33e9a1fe7547e297a82ae50b8f25eedc2b33a27866b28888
SHA512: 1f15fd8ca727b198495ef826002c1cbcc63e98eecb2e92abff48354ae668e6c3aaf9bd3005664967ae75637bacee7e730ce36142483d08ae6a068d9ae3e0e17d
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 944B
MD5: 2e8eb51096d6f6781456fef7df731d97
SHA1: ec2aaf851a618fb43c3d040a13a71997c25bda43
SHA256: 96bfd9dd5883329927fe8c08b8956355a1a6ceb30ceeb5d4252b346df32bc864
SHA512: 0a73dc9a49f92d9dd556c2ca2e36761890b3538f355ee1f013e7cf648d8c4d065f28046cd4a167db3dea304d1fbcbcea68d11ce6e12a3f20f8b6c018a60422d2
-
C:\Users\Admin\AppData\Local\Temp\NkfdZ2sUBf.bat
Filesize: 240B
MD5: 40a3ffae092138ca6e9e3774cd3f7034
SHA1: 2ce950a91eab477a604411b3414d8b0bd3fcf16d
SHA256: 994e933d75a5ffb6ed0a4f55491d6d75b65e447b228a1db35f6a46a86fc61608
SHA512: cb360c62a3eb6c48407e3676e9c757a6f865fb627fa90c9c810ec5b39ba26115f2311c3330536d21e763c8313bfa3f21b07b7880e99f94a7d68efd0f958516d1
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ssu2x5r0.5rm.ps1
Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Roaming\BlockServerComponenthostdhcp\EI35eA743vE.bat
Filesize: 56B
MD5: a0c7b9d5468ff24c5ea978a787696f1b
SHA1: b73256c51fa5fc886f28b6f1193c6fe543d0d176
SHA256: 7309215c384623f6224c82c86e2138e05f68853db94d0051ad8f2981a37ef7ac
SHA512: 2e8c66c2774c6c0672c29ebc994f5d948592930efb779d3a278a4ca7480ffed45b459540f606e00bf697a5d800eb9daff545d522bca0c606e0fe4831e864c374
-
C:\Users\Admin\AppData\Roaming\BlockServerComponenthostdhcp\Lp39mz9Ejhm.vbe
Filesize: 223B
MD5: 075e93b781fb11ad83e20a08f3bf47d5
SHA1: 6cfa7422a59ee90266d454e8f31814ed7c2c50e4
SHA256: 39e13b9cae5ee397eadd2c65f7f587da89f7f2c3e113a914ffc08d6463d8afd0
SHA512: 1876cb1d7ca0b25f0e4b3f664d83c19635fc16d99a21408e85a7f22791483850a94c721beb11e7fb32ef1fe048169548ac3ef7e8eb04256683b34b0687ba5a38
-
C:\Users\Admin\AppData\Roaming\BlockServerComponenthostdhcp\agentrefNet.exe
Filesize: 955KB
MD5: db30e8a595616d8f8bd597700cdfdf7b
SHA1: 8a80a3e7744d57dff703f2ea5dc809725cf72f3e
SHA256: edaf46b5f4a8014a979f695fb6282131a5c31a5976827a263ea89b2bab44374c
SHA512: a51ff764fa4dbc347f379247896440e4eb1e2601386fa44a1a197ab620584d5baa02ad020298be5c79c0a4b530828b3e41d174b9518aa28ddd065857c6450f94
-
\??\pipe\LOCAL\crashpad_2176_HTYZHXSOQQXCGZUH
MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/4524-15-0x0000000002700000-0x000000000270E000-memory.dmp
Filesize: 56KB
-
memory/4524-14-0x00000000026F0000-0x00000000026F8000-memory.dmp
Filesize: 32KB
-
memory/4524-13-0x0000000000260000-0x0000000000356000-memory.dmp
Filesize: 984KB
-
memory/4524-12-0x00007FFF5FEF3000-0x00007FFF5FEF5000-memory.dmp
Filesize: 8KB
-
memory/4524-16-0x0000000002710000-0x000000000271C000-memory.dmp
Filesize: 48KB
-
memory/4748-28-0x00000213F8670000-0x00000213F8692000-memory.dmp
Filesize: 136KB