dcrat | 34be0ed06faf7cf7e8af122810e391dc4c09958bba1303a226103218b1c79710

Analysis

max time kernel
147s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
27-07-2024 19:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AimWare.exe
Size

3.9MB
MD5

3fc02228a6229bc91c086bc24899361b
SHA1

3d33e93f771a1c77f2f01c2e15d52307f88d3bf0
SHA256

34be0ed06faf7cf7e8af122810e391dc4c09958bba1303a226103218b1c79710
SHA512

1dbaeaa5855fca79ddb44f0570e5e4282347919d1629d32a6df1f9bce0f198e38ebb461f68518754116a3fa650e6e4f9541ff09ca067b10218962c162fd7ef99
SSDEEP

98304:Vbbzx+3YGfZNMGFWmkukCbYvziRNPRmB58hSKHO:Vd+1RNXFWuksaf7

Score

10^/10

dcrat discovery evasion infostealer rat trojan

Malware Config

Signatures

DcRat 64 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeComref.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeAimWare.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
4436	schtasks.exe
2700	schtasks.exe
4856	schtasks.exe
4972	schtasks.exe
3636	schtasks.exe
216	schtasks.exe
1092	schtasks.exe
2524	schtasks.exe
3684	schtasks.exe
4372	schtasks.exe
844	schtasks.exe
1532	schtasks.exe
4692	schtasks.exe
2036	schtasks.exe
1576	schtasks.exe
4752	schtasks.exe
4796	schtasks.exe
4920	schtasks.exe
File created	C:\Windows\Panther\actionqueue\ebf1f9fa8afd6d	Comref.exe
3672	schtasks.exe
3256	schtasks.exe
4280	schtasks.exe
1392	schtasks.exe
4028	schtasks.exe
5040	schtasks.exe
4740	schtasks.exe
936	schtasks.exe
380	schtasks.exe
5024	schtasks.exe
1956	schtasks.exe
4728	schtasks.exe
File created	C:\Windows\en-US\eddb19405b7ce1	Comref.exe
216	schtasks.exe
2036	schtasks.exe
1392	schtasks.exe
4248	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AimWare.exe
4268	schtasks.exe
4980	schtasks.exe
3268	schtasks.exe
1252	schtasks.exe
5068	schtasks.exe
2376	schtasks.exe
4184	schtasks.exe
1764	schtasks.exe
1120	schtasks.exe
4440	schtasks.exe
3916	schtasks.exe
4268	schtasks.exe
2900	schtasks.exe
4288	schtasks.exe
436	schtasks.exe
620	schtasks.exe
1588	schtasks.exe
4276	schtasks.exe
3176	schtasks.exe
2488	schtasks.exe
2148	schtasks.exe
File created	C:\Windows\Setup\State\7a0fd90576e088	Comref.exe
3448	schtasks.exe
3328	schtasks.exe
4460	schtasks.exe
2012	schtasks.exe
4184	schtasks.exe

Process spawned unexpected child process 64 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1092	2772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2392	2772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3328	2772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	844	2772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1452	2772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1592	2772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5024	2772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5040	2772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3528	2772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4740	2772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2376	2772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3672	2772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4248	2772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	936	2772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1040	2772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1576	2772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1532	2772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2524	2772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3684	2772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4184	2772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3448	2772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2900	2772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3268	2772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2700	2772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4436	2772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2488	2772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3232	2772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2052	2772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3044	2772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4012	2772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	436	2772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5068	2772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1960	2772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4028	2772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4372	2772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4288	2772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2036	2772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1816	2772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2132	2772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1392	2772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4268	2772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1764	2772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4536	2772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4244	2772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4460	2772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	216	2772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4752	2772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4920	2772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	380	2772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2012	2772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3256	2772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2524	2772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4856	2772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4972	2772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4184	2772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	948	2772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4780	2772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1252	2772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2596	2772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1120	2772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4692	2772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2052	2772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4440	2772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	436	2772	schtasks.exe

UAC bypass 3 TTPs 21 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

Comref.exeComref.exedwm.exedwm.exedwm.exedwm.exedwm.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Comref.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Comref.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Comref.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Comref.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Comref.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Comref.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\BlockPortWinDhcp\Comref.exe	dcrat
behavioral2/memory/1860-17-0x0000000000250000-0x00000000005FC000-memory.dmp	dcrat

Disables Task Manager via registry modification
evasion

Checks computer location settings 2 TTPs 9 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WScript.exedwm.exeAimWare.exeComref.exeComref.exedwm.exedwm.exedwm.exedwm.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	AimWare.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	Comref.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	Comref.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	dwm.exe

Executes dropped EXE 7 IoCs

Processes:

Comref.exeComref.exedwm.exedwm.exedwm.exedwm.exedwm.exe

pid process

1860 Comref.exe
2536 Comref.exe
1536 dwm.exe
4484 dwm.exe
1360 dwm.exe
4984 dwm.exe
2536 dwm.exe

Checks whether UAC is enabled 1 TTPs 14 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

dwm.exeComref.exedwm.exedwm.exedwm.exeComref.exedwm.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Comref.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Comref.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Comref.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Comref.exe

Drops file in Program Files directory 13 IoCs

Processes:

Comref.exeComref.exe

description	ioc	process
File created	C:\Program Files\Windows Photo Viewer\fr-FR\upfc.exe	Comref.exe
File created	C:\Program Files (x86)\Adobe\Registry.exe	Comref.exe
File opened for modification	C:\Program Files (x86)\Adobe\Registry.exe	Comref.exe
File created	C:\Program Files\Java\jdk-1.8\include\win32\spoolsv.exe	Comref.exe
File created	C:\Program Files\Windows Multimedia Platform\fontdrvhost.exe	Comref.exe
File created	C:\Program Files (x86)\Adobe\ee2ad38f3d4382	Comref.exe
File created	C:\Program Files\Windows Multimedia Platform\5b884080fd4f94	Comref.exe
File created	C:\Program Files\Windows Photo Viewer\fr-FR\ea1d8f6d871115	Comref.exe
File created	C:\Program Files\Java\jdk-1.8\include\win32\f3b6ecef712a24	Comref.exe
File created	C:\Program Files\7-Zip\Lang\sppsvc.exe	Comref.exe
File created	C:\Program Files\7-Zip\Lang\0a1fd5f707cd16	Comref.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\SearchApp.exe	Comref.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\38384e6a620884	Comref.exe

Drops file in Windows directory 13 IoCs

Processes:

Comref.exeComref.exe

description	ioc	process
File created	C:\Windows\Panther\actionqueue\cmd.exe	Comref.exe
File created	C:\Windows\Setup\State\7a0fd90576e088	Comref.exe
File created	C:\Windows\en-US\backgroundTaskHost.exe	Comref.exe
File created	C:\Windows\en-US\eddb19405b7ce1	Comref.exe
File created	C:\Windows\SchCache\dwm.exe	Comref.exe
File created	C:\Windows\SchCache\6cb0b6c459d5d3	Comref.exe
File created	C:\Windows\de-DE\dwm.exe	Comref.exe
File created	C:\Windows\Panther\actionqueue\ebf1f9fa8afd6d	Comref.exe
File created	C:\Windows\IdentityCRL\INT\dllhost.exe	Comref.exe
File created	C:\Windows\de-DE\6cb0b6c459d5d3	Comref.exe
File created	C:\Windows\IdentityCRL\INT\5940a34987c991	Comref.exe
File created	C:\Windows\Setup\State\explorer.exe	Comref.exe
File created	C:\Windows\Speech\Engines\SR\en-US\RuntimeBroker.exe	Comref.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

WScript.execmd.exereg.exeAimWare.exeWScript.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AimWare.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Modifies registry class 7 IoCs

Processes:

dwm.exedwm.exedwm.exedwm.exeAimWare.exeComref.exedwm.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\Local Settings	AimWare.exe
Key created	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\Local Settings	Comref.exe
Key created	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\Local Settings	dwm.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

4756 reg.exe

pid	process
4756	reg.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
844	schtasks.exe
4372	schtasks.exe
4752	schtasks.exe
436	schtasks.exe
3916	schtasks.exe
4752	schtasks.exe
1092	schtasks.exe
3684	schtasks.exe
4184	schtasks.exe
4248	schtasks.exe
2524	schtasks.exe
436	schtasks.exe
1960	schtasks.exe
216	schtasks.exe
1956	schtasks.exe
4980	schtasks.exe
5040	schtasks.exe
4740	schtasks.exe
1576	schtasks.exe
4184	schtasks.exe
1252	schtasks.exe
4276	schtasks.exe
2036	schtasks.exe
4460	schtasks.exe
4972	schtasks.exe
216	schtasks.exe
4796	schtasks.exe
3268	schtasks.exe
3232	schtasks.exe
4536	schtasks.exe
4244	schtasks.exe
2052	schtasks.exe
2036	schtasks.exe
1392	schtasks.exe
1452	schtasks.exe
2052	schtasks.exe
4288	schtasks.exe
3696	schtasks.exe
620	schtasks.exe
5064	schtasks.exe
2376	schtasks.exe
2900	schtasks.exe
1816	schtasks.exe
4268	schtasks.exe
2524	schtasks.exe
948	schtasks.exe
2596	schtasks.exe
4692	schtasks.exe
2392	schtasks.exe
5024	schtasks.exe
4012	schtasks.exe
5068	schtasks.exe
2132	schtasks.exe
3256	schtasks.exe
1120	schtasks.exe
3176	schtasks.exe
1592	schtasks.exe
2012	schtasks.exe
4780	schtasks.exe
4280	schtasks.exe
4268	schtasks.exe
952	schtasks.exe
1532	schtasks.exe
1764	schtasks.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

Processes:

Comref.exeComref.exedwm.exedwm.exedwm.exedwm.exedwm.exe

pid	process
1860	Comref.exe
1860	Comref.exe
1860	Comref.exe
1860	Comref.exe
1860	Comref.exe
1860	Comref.exe
1860	Comref.exe
1860	Comref.exe
1860	Comref.exe
1860	Comref.exe
1860	Comref.exe
1860	Comref.exe
2536	Comref.exe
2536	Comref.exe
2536	Comref.exe
2536	Comref.exe
2536	Comref.exe
1536	dwm.exe
4484	dwm.exe
1360	dwm.exe
4984	dwm.exe
2536	dwm.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

Comref.exeComref.exedwm.exedwm.exedwm.exedwm.exedwm.exe

description	pid	process
Token: SeDebugPrivilege	1860	Comref.exe
Token: SeDebugPrivilege	2536	Comref.exe
Token: SeDebugPrivilege	1536	dwm.exe
Token: SeDebugPrivilege	4484	dwm.exe
Token: SeDebugPrivilege	1360	dwm.exe
Token: SeDebugPrivilege	4984	dwm.exe
Token: SeDebugPrivilege	2536	dwm.exe

Suspicious use of WriteProcessMemory 50 IoCs

Processes:

AimWare.exeWScript.execmd.exeComref.execmd.exeComref.exedwm.exeWScript.exedwm.exeWScript.exedwm.exeWScript.exedwm.exeWScript.exedwm.exe

description	pid	process	target process
PID 2460 wrote to memory of 3512	2460	AimWare.exe	WScript.exe
PID 2460 wrote to memory of 3512	2460	AimWare.exe	WScript.exe
PID 2460 wrote to memory of 3512	2460	AimWare.exe	WScript.exe
PID 2460 wrote to memory of 652	2460	AimWare.exe	WScript.exe
PID 2460 wrote to memory of 652	2460	AimWare.exe	WScript.exe
PID 2460 wrote to memory of 652	2460	AimWare.exe	WScript.exe
PID 3512 wrote to memory of 4772	3512	WScript.exe	cmd.exe
PID 3512 wrote to memory of 4772	3512	WScript.exe	cmd.exe
PID 3512 wrote to memory of 4772	3512	WScript.exe	cmd.exe
PID 4772 wrote to memory of 1860	4772	cmd.exe	Comref.exe
PID 4772 wrote to memory of 1860	4772	cmd.exe	Comref.exe
PID 1860 wrote to memory of 4676	1860	Comref.exe	cmd.exe
PID 1860 wrote to memory of 4676	1860	Comref.exe	cmd.exe
PID 4772 wrote to memory of 4756	4772	cmd.exe	reg.exe
PID 4772 wrote to memory of 4756	4772	cmd.exe	reg.exe
PID 4772 wrote to memory of 4756	4772	cmd.exe	reg.exe
PID 4676 wrote to memory of 4716	4676	cmd.exe	w32tm.exe
PID 4676 wrote to memory of 4716	4676	cmd.exe	w32tm.exe
PID 4676 wrote to memory of 2536	4676	cmd.exe	Comref.exe
PID 4676 wrote to memory of 2536	4676	cmd.exe	Comref.exe
PID 2536 wrote to memory of 1536	2536	Comref.exe	dwm.exe
PID 2536 wrote to memory of 1536	2536	Comref.exe	dwm.exe
PID 1536 wrote to memory of 4304	1536	dwm.exe	WScript.exe
PID 1536 wrote to memory of 4304	1536	dwm.exe	WScript.exe
PID 1536 wrote to memory of 3940	1536	dwm.exe	WScript.exe
PID 1536 wrote to memory of 3940	1536	dwm.exe	WScript.exe
PID 4304 wrote to memory of 4484	4304	WScript.exe	dwm.exe
PID 4304 wrote to memory of 4484	4304	WScript.exe	dwm.exe
PID 4484 wrote to memory of 1916	4484	dwm.exe	WScript.exe
PID 4484 wrote to memory of 1916	4484	dwm.exe	WScript.exe
PID 4484 wrote to memory of 1420	4484	dwm.exe	WScript.exe
PID 4484 wrote to memory of 1420	4484	dwm.exe	WScript.exe
PID 1916 wrote to memory of 1360	1916	WScript.exe	dwm.exe
PID 1916 wrote to memory of 1360	1916	WScript.exe	dwm.exe
PID 1360 wrote to memory of 1884	1360	dwm.exe	WScript.exe
PID 1360 wrote to memory of 1884	1360	dwm.exe	WScript.exe
PID 1360 wrote to memory of 2056	1360	dwm.exe	WScript.exe
PID 1360 wrote to memory of 2056	1360	dwm.exe	WScript.exe
PID 1884 wrote to memory of 4984	1884	WScript.exe	dwm.exe
PID 1884 wrote to memory of 4984	1884	WScript.exe	dwm.exe
PID 4984 wrote to memory of 4004	4984	dwm.exe	WScript.exe
PID 4984 wrote to memory of 4004	4984	dwm.exe	WScript.exe
PID 4984 wrote to memory of 3476	4984	dwm.exe	WScript.exe
PID 4984 wrote to memory of 3476	4984	dwm.exe	WScript.exe
PID 4004 wrote to memory of 2536	4004	WScript.exe	dwm.exe
PID 4004 wrote to memory of 2536	4004	WScript.exe	dwm.exe
PID 2536 wrote to memory of 4076	2536	dwm.exe	WScript.exe
PID 2536 wrote to memory of 4076	2536	dwm.exe	WScript.exe
PID 2536 wrote to memory of 4428	2536	dwm.exe	WScript.exe
PID 2536 wrote to memory of 4428	2536	dwm.exe	WScript.exe

System policy modification 1 TTPs 21 IoCs

evasion

Modify Registry

T1112

Processes:

Comref.exedwm.exedwm.exedwm.exedwm.exedwm.exeComref.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Comref.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Comref.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Comref.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Comref.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Comref.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Comref.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\AimWare.exe
"C:\Users\Admin\AppData\Local\Temp\AimWare.exe"
1⤵
- DcRat
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2460

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\BlockPortWinDhcp\pIqe6hsiC.vbe"
2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3512

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\BlockPortWinDhcp\RuejCowmnwM9YNHuglg.bat" "
3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4772

C:\BlockPortWinDhcp\Comref.exe
"C:\BlockPortWinDhcp\Comref.exe"
4⤵
- DcRat
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1860

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mLMQ0SJNHD.bat"
5⤵
- Suspicious use of WriteProcessMemory
PID:4676

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
6⤵
PID:4716

C:\BlockPortWinDhcp\Comref.exe
"C:\BlockPortWinDhcp\Comref.exe"
6⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2536

C:\BlockPortWinDhcp\dwm.exe
"C:\BlockPortWinDhcp\dwm.exe"
7⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1536

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b5633e4d-6332-47f7-8b34-3f25386c91a0.vbs"
8⤵
- Suspicious use of WriteProcessMemory
PID:4304

C:\BlockPortWinDhcp\dwm.exe
C:\BlockPortWinDhcp\dwm.exe
9⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4484

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\44c1429e-292b-4ec9-a6a4-0c73c4e5b5ec.vbs"
10⤵
- Suspicious use of WriteProcessMemory
PID:1916

C:\BlockPortWinDhcp\dwm.exe
C:\BlockPortWinDhcp\dwm.exe
11⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1360

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7f2a9ad2-4514-45be-a4ce-2435e5f2dac8.vbs"
12⤵
- Suspicious use of WriteProcessMemory
PID:1884

C:\BlockPortWinDhcp\dwm.exe
C:\BlockPortWinDhcp\dwm.exe
13⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4984

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\de5a952d-0abb-40f3-8aee-3a038ce84799.vbs"
14⤵
- Suspicious use of WriteProcessMemory
PID:4004

C:\BlockPortWinDhcp\dwm.exe
C:\BlockPortWinDhcp\dwm.exe
15⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2536

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aa4e1113-4626-43b3-b219-ea300dd9d314.vbs"
16⤵
PID:4076

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0c9b1ec0-fcf6-4eb1-9502-9a094b5f75cb.vbs"
16⤵
PID:4428

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\483c74b7-7212-4701-9df7-be3c10e5acf9.vbs"
14⤵
PID:3476

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\12156b34-f530-4734-bdfb-a154b19d1b1d.vbs"
12⤵
PID:2056

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9822b231-b961-469c-9b9e-e7c720bf008d.vbs"
10⤵
PID:1420

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15297baa-e983-48ba-99fa-c2ae8ace975f.vbs"
8⤵
PID:3940

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
4⤵
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:4756

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\BlockPortWinDhcp\file.vbs"
2⤵
- System Location Discovery: System Language Discovery
PID:652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Adobe\Registry.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Adobe\Registry.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:3328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 9 /tr "'C:\Windows\en-US\backgroundTaskHost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Windows\en-US\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 7 /tr "'C:\Windows\en-US\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Windows\SchCache\dwm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\SchCache\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Windows\SchCache\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:3528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\SendTo\dllhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Admin\SendTo\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\SendTo\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:3672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\Windows\Panther\actionqueue\cmd.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\Panther\actionqueue\cmd.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\Windows\Panther\actionqueue\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Libraries\lsass.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Public\Libraries\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Libraries\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Windows\IdentityCRL\INT\dllhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\IdentityCRL\INT\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Windows\IdentityCRL\INT\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:3448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:2700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Program Files\Java\jdk-1.8\include\win32\spoolsv.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:4436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Java\jdk-1.8\include\win32\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:2488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Program Files\Java\jdk-1.8\include\win32\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:3044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Multimedia Platform\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Multimedia Platform\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Windows\Setup\State\explorer.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:4028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\Setup\State\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Windows\Setup\State\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\BlockPortWinDhcp\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\BlockPortWinDhcp\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:1392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\BlockPortWinDhcp\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Users\Admin\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\taskhostw.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:4920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Music\RuntimeBroker.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Admin\Music\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Music\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\BlockPortWinDhcp\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\BlockPortWinDhcp\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:4856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\BlockPortWinDhcp\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Program Files\7-Zip\Lang\sppsvc.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Program Files\7-Zip\Lang\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Windows\de-DE\dwm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\de-DE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Windows\de-DE\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:4440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Templates\spoolsv.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\All Users\Templates\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Templates\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\BlockPortWinDhcp\dllhost.exe'" /f
1⤵
- DcRat
PID:1588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\BlockPortWinDhcp\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:4280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\BlockPortWinDhcp\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:4276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\BlockPortWinDhcp\sppsvc.exe'" /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:2036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\BlockPortWinDhcp\sppsvc.exe'" /rl HIGHEST /f
1⤵
PID:3732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\BlockPortWinDhcp\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
PID:3636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\System.exe'" /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:4268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:1392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:4796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Photo Viewer\fr-FR\upfc.exe'" /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:3176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\fr-FR\upfc.exe'" /rl HIGHEST /f
1⤵
PID:4976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Photo Viewer\fr-FR\upfc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:3916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /f
1⤵
PID:3112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:4752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\BlockPortWinDhcp\dwm.exe'" /f
1⤵
- DcRat
PID:2148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\BlockPortWinDhcp\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:1956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\BlockPortWinDhcp\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
PID:4728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\SearchApp.exe'" /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:4980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:5064

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\BlockPortWinDhcp\Comref.exe
Filesize
3.6MB

MD5
020fcee4acad7e7412ad0f27501ae749

SHA1
4282618cca56b75eb3921653c5daa2137eaa5ffa

SHA256
40ddad4ca2337022808328174ced0149caa955dcdf7a3b9eaf062818ffa43669

SHA512
e6c6749f7b8a67a5acc4910ccb59931582cb929392f7647f51d7d133cec3980375edc7d56be4d5cbac0f1d0ab1e46204b46b7349980aedaeb5a680a745fd7f9f

Download Submit
C:\BlockPortWinDhcp\RuejCowmnwM9YNHuglg.bat
Filesize
144B

MD5
ce3dd3c96548149537e6d3a679917a26

SHA1
0faba6346d98fe426902f01be3337bdb700bb4fa

SHA256
3d7dfa7a908d3eef1344c70e6ea39e14dba844fcc727fc6b2d4f07f488303c7c

SHA512
7326f45903c3eca92bc3de0ee50f13042f3f6cc6494da0273ba65a53308ba63b7607ac7f6b27dba20e649717781fc90254173ffd837fd7d98f21aa211f3af23d

Download Submit
C:\BlockPortWinDhcp\file.vbs
Filesize
34B

MD5
677cc4360477c72cb0ce00406a949c61

SHA1
b679e8c3427f6c5fc47c8ac46cd0e56c9424de05

SHA256
f1cccb5ae4aa51d293bd3c7d2a1a04cb7847d22c5db8e05ac64e9a6d7455aa0b

SHA512
7cfe2cc92f9e659f0a15a295624d611b3363bd01eb5bcf9bc7681ea9b70b0564d192d570d294657c8dc2c93497fa3b4526c975a9bf35d69617c31d9936573c6a

Download Submit
C:\BlockPortWinDhcp\pIqe6hsiC.vbe
Filesize
209B

MD5
fe9707d9d0f3a70f1672c83f8ab78cab

SHA1
4d25ca2d7b215e7757eec53b2c55060756cf3fc0

SHA256
e50eaf2ab143000660efab3e91bef57d2407c372820d022a10dac8c06e0c8e99

SHA512
fab4bbb58aa50e636fb553fc9d01fa69ad63fbdf7e7d677ed8b7b29838ed9525489d871af2e7c3b5b7e6afb34f79fb2ad7ef0897f4b8ad52d887c4ab096a84e0

Download Submit
C:\Recovery\WindowsRE\7a0fd90576e088
Filesize
641B

MD5
66ad88311901cbe39ee520db1b11d22e

SHA1
39936b79d8ed6dbd4d1a0b8d4add068ffbac55e8

SHA256
89bb7d885e752c15cf78459dabaf3065f191cbb0b753f2abba1c0353c157d166

SHA512
c66b3478edd5926897595c77322b45437991c15612c286eb90ad1df6201d14e8e2c89c38924666d04e47f75216b6dac94e68cc3328eabb7ee1cdc5d35ad8adf9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Comref.exe.log
Filesize
1KB

MD5
655010c15ea0ca05a6e5ddcd84986b98

SHA1
120bf7e516aeed462c07625fbfcdab5124ad05d3

SHA256
2b1ffeab025cc7c61c50e3e2e4c9253046d9174cf00181a8c1de733a4c0daa14

SHA512
e52c26718d7d1e979837b5ac626dde26920fe7413b8aa7be6f1be566a1b0f035582f4d313400e3ad6b92552abb1dfaf186b60b875fb955a2a94fd839fe841437

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\dwm.exe.log
Filesize
1KB

MD5
49b64127208271d8f797256057d0b006

SHA1
b99bd7e2b4e9ed24de47fb3341ea67660b84cca1

SHA256
2a5d403a2e649d8eceef8f785eeb0f6d33888ec6bbf251b3c347e34cb32b1e77

SHA512
f7c728923c893dc9bc88ad2159e0abcda41e1b40ff7e7756e6252d135ed238a2248a2662b3392449836dd1b0b580f0c866cc33e409527484fe4602e3d3f10e3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\15297baa-e983-48ba-99fa-c2ae8ace975f.vbs
Filesize
479B

MD5
40330867b9c8c268cb2c7afc635d1a2c

SHA1
2fe99215d5bf4c2d27c37a429503805d467a8d14

SHA256
03d5eca96760445e1840abe538e4e2623d41378c57210e21b161fb2ed0b64574

SHA512
6fb5833552d93fc8b5ed40325760ef805f09ebdd6acc7e9ebe8430c1cbc1d6a30989d89ca22be1f300276a9b98975fefe253c25958ac88604b46436b2c54bf9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\44c1429e-292b-4ec9-a6a4-0c73c4e5b5ec.vbs
Filesize
703B

MD5
ebfff92de872bf659e9c0a16cf41c751

SHA1
c1a643e1ed2aa25d50cbb8cd3de296a97bd2054b

SHA256
b4253a298153905cd9ef40893b081ba541a670a3e991a50967f2fe095827d89b

SHA512
9cff126823a162fa78a311a14e1091c9db5928edbc3aacf97b0aa4da57e6cb56790422f032e6807c7d4f1fa2423fa6a84bfe281c00aa4477b3ae18f2201c4acb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7f2a9ad2-4514-45be-a4ce-2435e5f2dac8.vbs
Filesize
703B

MD5
84cac2a3651cccff837334efd0263449

SHA1
7ea6961bc81bdc4d3e6158cb463c3cbff791b708

SHA256
ac385dd886710bd8422b9d60e82ccee3e6e547f56e918663201cfd4b106f64df

SHA512
67b7f854fcb18869dc6eaaff69880c443c0492bdbcf47863907817231737ebb5f293a203c182a4436763cb68297f454abf6925d19154e00dc937a9c8c74d2a00

Download Submit
C:\Users\Admin\AppData\Local\Temp\81340e86b1b84f0e04a3ba143cd0ff4c5f94b42f.exe
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\aa4e1113-4626-43b3-b219-ea300dd9d314.vbs
Filesize
703B

MD5
44538f85ef7b319d371a9a8e0ded9126

SHA1
91e755a3aba20f4c94194b175675a229b8647d18

SHA256
1339137ba976a67c103bf3c048d9e18776d5a4267935fb47c049a117550d4f15

SHA512
0d27a2ad12d59c6774e272a9ff06b86136b5298ff054fb373b3e79f46d142cfc22c198ea5e1fa3b097cb5f558c51f3e903edb8d64c8a5ecbcc69a61b7958d21c

Download Submit
C:\Users\Admin\AppData\Local\Temp\b5633e4d-6332-47f7-8b34-3f25386c91a0.vbs
Filesize
703B

MD5
e2221cce61901bfe8f70d859933d1334

SHA1
1e0ebf5db5031059afcda61a8f01f771e6b7c0c6

SHA256
4a15e451462f1e7caa065a63962d3ffd229d0b35e6c71cc77cbea4850fba90fc

SHA512
f7e5001e6729388b9fb9512c03c3975d7b9090b2b20088fa9cbc5f7e99b38fd90b0394d7d62e60b5155b98b927b8935f7bcd5d38401fb2f311c3782c30682ad6

Download Submit
C:\Users\Admin\AppData\Local\Temp\de5a952d-0abb-40f3-8aee-3a038ce84799.vbs
Filesize
703B

MD5
94e3869ef27131f1e9ada1f3bdb48fe8

SHA1
382cd411a2cd226b9fc8bbdad9c01468afe3fcd3

SHA256
0306445eae843e7fe267f3e0ad2fd83b0a4c20d519c580370c59a4c9499e05b6

SHA512
0e119c7a99ef715d84cf3ff37e3e13887df052fcca5f003666e9d99b37a34df16c7f87cf8dddb64f01041fbf20ba45f46becb42ad493f2ab4a89b100c95a18be

Download Submit
C:\Users\Admin\AppData\Local\Temp\mLMQ0SJNHD.bat
Filesize
195B

MD5
2ce9ec8e92bfa4f89a0d478d7cf28269

SHA1
cf0fe76d7ef08b77168483bc639c36b36640a520

SHA256
2f04d397b82a7ca50126b1e7e9981bb3e911ae1101ee32c062ea48d7dcb1b1c4

SHA512
94181f7425b0f0d47931e6dc2908c7ff55b85584c61171af3848061bb76365b0d87aeb0becd56b5ce84e331aacd896d9d941c222abdeb632c4550a3bb792a4e6

Download Submit
memory/1860-33-0x000000001B220000-0x000000001B228000-memory.dmp

Filesize
32KB

Download
memory/1860-26-0x000000001B190000-0x000000001B1A2000-memory.dmp

Filesize
72KB

Download
memory/1860-34-0x000000001BB90000-0x000000001BB9E000-memory.dmp

Filesize
56KB

Download
memory/1860-29-0x00000000026A0000-0x00000000026A8000-memory.dmp

Filesize
32KB

Download
memory/1860-31-0x00000000026C0000-0x00000000026CA000-memory.dmp

Filesize
40KB

Download
memory/1860-30-0x00000000026B0000-0x00000000026B8000-memory.dmp

Filesize
32KB

Download
memory/1860-28-0x0000000002690000-0x0000000002698000-memory.dmp

Filesize
32KB

Download
memory/1860-36-0x000000001BBC0000-0x000000001BBCA000-memory.dmp

Filesize
40KB

Download
memory/1860-37-0x000000001BBD0000-0x000000001BBDC000-memory.dmp

Filesize
48KB

Download
memory/1860-35-0x000000001BBA0000-0x000000001BBA8000-memory.dmp

Filesize
32KB

Download
memory/1860-27-0x000000001C070000-0x000000001C598000-memory.dmp

Filesize
5.2MB

Download
memory/1860-32-0x000000001B210000-0x000000001B21E000-memory.dmp

Filesize
56KB

Download
memory/1860-17-0x0000000000250000-0x00000000005FC000-memory.dmp

Filesize
3.7MB

Download
memory/1860-25-0x000000001B180000-0x000000001B18C000-memory.dmp

Filesize
48KB

Download
memory/1860-24-0x000000001BAF0000-0x000000001BB46000-memory.dmp

Filesize
344KB

Download
memory/1860-22-0x0000000002760000-0x0000000002776000-memory.dmp

Filesize
88KB

Download
memory/1860-23-0x000000001B170000-0x000000001B17A000-memory.dmp

Filesize
40KB

Download
memory/1860-20-0x000000001B1C0000-0x000000001B210000-memory.dmp

Filesize
320KB

Download
memory/1860-21-0x0000000002750000-0x0000000002758000-memory.dmp

Filesize
32KB

Download
memory/1860-19-0x0000000002730000-0x000000000274C000-memory.dmp

Filesize
112KB

Download
memory/1860-18-0x0000000002670000-0x000000000267E000-memory.dmp

Filesize
56KB

Download
memory/2536-162-0x0000000003320000-0x0000000003376000-memory.dmp

Filesize
344KB

Download
memory/2536-80-0x000000001BDB0000-0x000000001BE06000-memory.dmp

Filesize
344KB

Download