dcrat | 2ccade19af05451b16b8d78777c2c6a778c8327009c0e4c9117224275a0758f6

Analysis

max time kernel
148s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
29-07-2024 02:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

34be0ed06faf7cf7e8af122810e391dc4c09958bba1303a226103218b1c79710.exe
Size

3.9MB
MD5

3fc02228a6229bc91c086bc24899361b
SHA1

3d33e93f771a1c77f2f01c2e15d52307f88d3bf0
SHA256

34be0ed06faf7cf7e8af122810e391dc4c09958bba1303a226103218b1c79710
SHA512

1dbaeaa5855fca79ddb44f0570e5e4282347919d1629d32a6df1f9bce0f198e38ebb461f68518754116a3fa650e6e4f9541ff09ca067b10218962c162fd7ef99
SSDEEP

98304:Vbbzx+3YGfZNMGFWmkukCbYvziRNPRmB58hSKHO:Vd+1RNXFWuksaf7

Score

10^/10

dcrat discovery evasion infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 57 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4332	4176	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1008	4176	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1220	4176	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2516	4176	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4568	4176	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	976	4176	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3888	4176	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	876	4176	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3808	4176	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1100	4176	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3184	4176	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	880	4176	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4560	4176	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	436	4176	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2088	4176	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1624	4176	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4536	4176	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3820	4176	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4692	4176	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3344	4176	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	556	4176	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3224	4176	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4384	4176	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1672	4176	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4440	4176	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4788	4176	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1836	4176	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2364	4176	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4120	4176	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3192	4176	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1184	4176	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1916	4176	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4948	4176	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4472	4176	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4548	4176	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2024	4176	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	628	4176	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1924	4176	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1692	4176	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3984	4176	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4688	4176	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2756	4176	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1820	4176	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2352	4176	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4572	4176	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1952	4176	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3380	4176	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2812	4176	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3812	4176	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4680	4176	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3564	4176	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4580	4176	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4672	4176	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3292	4176	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2660	4176	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	404	4176	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4568	4176	schtasks.exe

UAC bypass 3 TTPs 18 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

SearchApp.exeSearchApp.exeSearchApp.exeComref.exeSearchApp.exeSearchApp.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Comref.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Comref.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Comref.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\BlockPortWinDhcp\Comref.exe	dcrat
behavioral2/memory/2116-17-0x0000000000B90000-0x0000000000F3C000-memory.dmp	dcrat

Disables Task Manager via registry modification
evasion

Checks computer location settings 2 TTPs 8 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

SearchApp.exeSearchApp.exeSearchApp.exeSearchApp.exe34be0ed06faf7cf7e8af122810e391dc4c09958bba1303a226103218b1c79710.exeWScript.exeComref.exeSearchApp.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	34be0ed06faf7cf7e8af122810e391dc4c09958bba1303a226103218b1c79710.exe
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	Comref.exe
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	SearchApp.exe

Executes dropped EXE 6 IoCs

Processes:

Comref.exeSearchApp.exeSearchApp.exeSearchApp.exeSearchApp.exeSearchApp.exe

pid process

2116 Comref.exe
1844 SearchApp.exe
3380 SearchApp.exe
4308 SearchApp.exe
2484 SearchApp.exe
1028 SearchApp.exe

Checks whether UAC is enabled 1 TTPs 12 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

Comref.exeSearchApp.exeSearchApp.exeSearchApp.exeSearchApp.exeSearchApp.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Comref.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Comref.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SearchApp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe

Drops file in Program Files directory 16 IoCs

Processes:

Comref.exe

description	ioc	process
File created	C:\Program Files\Crashpad\attachments\c5b4cb5e9653cc	Comref.exe
File created	C:\Program Files\7-Zip\spoolsv.exe	Comref.exe
File created	C:\Program Files (x86)\Internet Explorer\de-DE\9e8d7a4ca61bd9	Comref.exe
File created	C:\Program Files\Microsoft Office\Office16\csrss.exe	Comref.exe
File created	C:\Program Files\Microsoft Office\Office16\886983d96e3d3e	Comref.exe
File created	C:\Program Files (x86)\Windows Portable Devices\ebf1f9fa8afd6d	Comref.exe
File created	C:\Program Files\Crashpad\attachments\services.exe	Comref.exe
File created	C:\Program Files (x86)\Internet Explorer\de-DE\RuntimeBroker.exe	Comref.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\csrss.exe	Comref.exe
File created	C:\Program Files\Windows Security\BrowserCore\en-US\088424020bedd6	Comref.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\886983d96e3d3e	Comref.exe
File created	C:\Program Files (x86)\Windows Portable Devices\cmd.exe	Comref.exe
File created	C:\Program Files (x86)\Common Files\ee2ad38f3d4382	Comref.exe
File created	C:\Program Files\7-Zip\f3b6ecef712a24	Comref.exe
File created	C:\Program Files (x86)\Common Files\Registry.exe	Comref.exe
File created	C:\Program Files\Windows Security\BrowserCore\en-US\conhost.exe	Comref.exe

Drops file in Windows directory 4 IoCs

Processes:

Comref.exe

description	ioc	process
File created	C:\Windows\apppatch\AppPatch64\unsecapp.exe	Comref.exe
File created	C:\Windows\apppatch\AppPatch64\29c1c3cc0f7685	Comref.exe
File created	C:\Windows\Setup\State\SearchApp.exe	Comref.exe
File created	C:\Windows\Setup\State\38384e6a620884	Comref.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cmd.exereg.exe34be0ed06faf7cf7e8af122810e391dc4c09958bba1303a226103218b1c79710.exeWScript.exeWScript.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	34be0ed06faf7cf7e8af122810e391dc4c09958bba1303a226103218b1c79710.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Modifies registry class 7 IoCs

Processes:

SearchApp.exe34be0ed06faf7cf7e8af122810e391dc4c09958bba1303a226103218b1c79710.exeComref.exeSearchApp.exeSearchApp.exeSearchApp.exeSearchApp.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000_Classes\Local Settings	34be0ed06faf7cf7e8af122810e391dc4c09958bba1303a226103218b1c79710.exe
Key created	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000_Classes\Local Settings	Comref.exe
Key created	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000_Classes\Local Settings	SearchApp.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

4544 reg.exe

pid	process
4544	reg.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 57 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	process
628	schtasks.exe
2812	schtasks.exe
2364	schtasks.exe
1184	schtasks.exe
2024	schtasks.exe
880	schtasks.exe
436	schtasks.exe
3184	schtasks.exe
4536	schtasks.exe
4120	schtasks.exe
3292	schtasks.exe
2660	schtasks.exe
404	schtasks.exe
1220	schtasks.exe
4568	schtasks.exe
3808	schtasks.exe
3820	schtasks.exe
1008	schtasks.exe
876	schtasks.exe
4472	schtasks.exe
3380	schtasks.exe
4680	schtasks.exe
2756	schtasks.exe
2352	schtasks.exe
1916	schtasks.exe
1692	schtasks.exe
3224	schtasks.exe
1836	schtasks.exe
3812	schtasks.exe
3888	schtasks.exe
1624	schtasks.exe
3192	schtasks.exe
4572	schtasks.exe
3564	schtasks.exe
976	schtasks.exe
1100	schtasks.exe
4688	schtasks.exe
4568	schtasks.exe
4384	schtasks.exe
1924	schtasks.exe
3344	schtasks.exe
4580	schtasks.exe
4440	schtasks.exe
4948	schtasks.exe
3984	schtasks.exe
4692	schtasks.exe
556	schtasks.exe
4560	schtasks.exe
2088	schtasks.exe
1672	schtasks.exe
4788	schtasks.exe
1952	schtasks.exe
4332	schtasks.exe
2516	schtasks.exe
4548	schtasks.exe
4672	schtasks.exe
1820	schtasks.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

Comref.exeSearchApp.exeSearchApp.exeSearchApp.exeSearchApp.exeSearchApp.exe

pid	process
2116	Comref.exe
2116	Comref.exe
2116	Comref.exe
2116	Comref.exe
2116	Comref.exe
2116	Comref.exe
1844	SearchApp.exe
3380	SearchApp.exe
4308	SearchApp.exe
2484	SearchApp.exe
1028	SearchApp.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

Comref.exeSearchApp.exeSearchApp.exeSearchApp.exeSearchApp.exeSearchApp.exe

description	pid	process
Token: SeDebugPrivilege	2116	Comref.exe
Token: SeDebugPrivilege	1844	SearchApp.exe
Token: SeDebugPrivilege	3380	SearchApp.exe
Token: SeDebugPrivilege	4308	SearchApp.exe
Token: SeDebugPrivilege	2484	SearchApp.exe
Token: SeDebugPrivilege	1028	SearchApp.exe

Suspicious use of WriteProcessMemory 48 IoCs

Processes:

34be0ed06faf7cf7e8af122810e391dc4c09958bba1303a226103218b1c79710.exeWScript.execmd.exeComref.execmd.exeSearchApp.exeWScript.exeSearchApp.exeWScript.exeSearchApp.exeWScript.exeSearchApp.exeWScript.exeSearchApp.exe

description	pid	process	target process
PID 5028 wrote to memory of 1692	5028	34be0ed06faf7cf7e8af122810e391dc4c09958bba1303a226103218b1c79710.exe	WScript.exe
PID 5028 wrote to memory of 1692	5028	34be0ed06faf7cf7e8af122810e391dc4c09958bba1303a226103218b1c79710.exe	WScript.exe
PID 5028 wrote to memory of 1692	5028	34be0ed06faf7cf7e8af122810e391dc4c09958bba1303a226103218b1c79710.exe	WScript.exe
PID 5028 wrote to memory of 2140	5028	34be0ed06faf7cf7e8af122810e391dc4c09958bba1303a226103218b1c79710.exe	WScript.exe
PID 5028 wrote to memory of 2140	5028	34be0ed06faf7cf7e8af122810e391dc4c09958bba1303a226103218b1c79710.exe	WScript.exe
PID 5028 wrote to memory of 2140	5028	34be0ed06faf7cf7e8af122810e391dc4c09958bba1303a226103218b1c79710.exe	WScript.exe
PID 1692 wrote to memory of 1640	1692	WScript.exe	cmd.exe
PID 1692 wrote to memory of 1640	1692	WScript.exe	cmd.exe
PID 1692 wrote to memory of 1640	1692	WScript.exe	cmd.exe
PID 1640 wrote to memory of 2116	1640	cmd.exe	Comref.exe
PID 1640 wrote to memory of 2116	1640	cmd.exe	Comref.exe
PID 2116 wrote to memory of 1240	2116	Comref.exe	cmd.exe
PID 2116 wrote to memory of 1240	2116	Comref.exe	cmd.exe
PID 1640 wrote to memory of 4544	1640	cmd.exe	reg.exe
PID 1640 wrote to memory of 4544	1640	cmd.exe	reg.exe
PID 1640 wrote to memory of 4544	1640	cmd.exe	reg.exe
PID 1240 wrote to memory of 3304	1240	cmd.exe	w32tm.exe
PID 1240 wrote to memory of 3304	1240	cmd.exe	w32tm.exe
PID 1240 wrote to memory of 1844	1240	cmd.exe	SearchApp.exe
PID 1240 wrote to memory of 1844	1240	cmd.exe	SearchApp.exe
PID 1844 wrote to memory of 2124	1844	SearchApp.exe	WScript.exe
PID 1844 wrote to memory of 2124	1844	SearchApp.exe	WScript.exe
PID 1844 wrote to memory of 1916	1844	SearchApp.exe	WScript.exe
PID 1844 wrote to memory of 1916	1844	SearchApp.exe	WScript.exe
PID 2124 wrote to memory of 3380	2124	WScript.exe	SearchApp.exe
PID 2124 wrote to memory of 3380	2124	WScript.exe	SearchApp.exe
PID 3380 wrote to memory of 4480	3380	SearchApp.exe	WScript.exe
PID 3380 wrote to memory of 4480	3380	SearchApp.exe	WScript.exe
PID 3380 wrote to memory of 772	3380	SearchApp.exe	WScript.exe
PID 3380 wrote to memory of 772	3380	SearchApp.exe	WScript.exe
PID 4480 wrote to memory of 4308	4480	WScript.exe	SearchApp.exe
PID 4480 wrote to memory of 4308	4480	WScript.exe	SearchApp.exe
PID 4308 wrote to memory of 3224	4308	SearchApp.exe	WScript.exe
PID 4308 wrote to memory of 3224	4308	SearchApp.exe	WScript.exe
PID 4308 wrote to memory of 1172	4308	SearchApp.exe	WScript.exe
PID 4308 wrote to memory of 1172	4308	SearchApp.exe	WScript.exe
PID 3224 wrote to memory of 2484	3224	WScript.exe	SearchApp.exe
PID 3224 wrote to memory of 2484	3224	WScript.exe	SearchApp.exe
PID 2484 wrote to memory of 844	2484	SearchApp.exe	WScript.exe
PID 2484 wrote to memory of 844	2484	SearchApp.exe	WScript.exe
PID 2484 wrote to memory of 1444	2484	SearchApp.exe	WScript.exe
PID 2484 wrote to memory of 1444	2484	SearchApp.exe	WScript.exe
PID 844 wrote to memory of 1028	844	WScript.exe	SearchApp.exe
PID 844 wrote to memory of 1028	844	WScript.exe	SearchApp.exe
PID 1028 wrote to memory of 1440	1028	SearchApp.exe	WScript.exe
PID 1028 wrote to memory of 1440	1028	SearchApp.exe	WScript.exe
PID 1028 wrote to memory of 3544	1028	SearchApp.exe	WScript.exe
PID 1028 wrote to memory of 3544	1028	SearchApp.exe	WScript.exe

System policy modification 1 TTPs 18 IoCs

evasion

Modify Registry

T1112

Processes:

SearchApp.exeSearchApp.exeComref.exeSearchApp.exeSearchApp.exeSearchApp.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Comref.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Comref.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Comref.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\34be0ed06faf7cf7e8af122810e391dc4c09958bba1303a226103218b1c79710.exe
"C:\Users\Admin\AppData\Local\Temp\34be0ed06faf7cf7e8af122810e391dc4c09958bba1303a226103218b1c79710.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5028

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\BlockPortWinDhcp\pIqe6hsiC.vbe"
2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1692

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\BlockPortWinDhcp\RuejCowmnwM9YNHuglg.bat" "
3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1640

C:\BlockPortWinDhcp\Comref.exe
"C:\BlockPortWinDhcp\Comref.exe"
4⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2116

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aCA1cwmlfC.bat"
5⤵
- Suspicious use of WriteProcessMemory
PID:1240

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
6⤵
PID:3304

C:\Users\Public\AccountPictures\SearchApp.exe
"C:\Users\Public\AccountPictures\SearchApp.exe"
6⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1844

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4f6b762b-020d-45e3-bd6c-d4b1613375a0.vbs"
7⤵
- Suspicious use of WriteProcessMemory
PID:2124

C:\Users\Public\AccountPictures\SearchApp.exe
C:\Users\Public\AccountPictures\SearchApp.exe
8⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3380

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\189a9588-f1b5-4d45-bcd2-281f5b9c0c64.vbs"
9⤵
- Suspicious use of WriteProcessMemory
PID:4480

C:\Users\Public\AccountPictures\SearchApp.exe
C:\Users\Public\AccountPictures\SearchApp.exe
10⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4308

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\958d8094-4f28-43e2-9061-e7dca0785f64.vbs"
11⤵
- Suspicious use of WriteProcessMemory
PID:3224

C:\Users\Public\AccountPictures\SearchApp.exe
C:\Users\Public\AccountPictures\SearchApp.exe
12⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2484

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f193fb04-ac5d-4a1c-b547-c400d1c081a1.vbs"
13⤵
- Suspicious use of WriteProcessMemory
PID:844

C:\Users\Public\AccountPictures\SearchApp.exe
C:\Users\Public\AccountPictures\SearchApp.exe
14⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1028

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\57838f7f-231b-4668-996a-a6bf2c4ab781.vbs"
15⤵
PID:1440

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f2da0456-de31-4092-bc85-e699a5d0b156.vbs"
15⤵
PID:3544

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4dfecf91-bce6-42ea-b83d-2b5f94b04a32.vbs"
13⤵
PID:1444

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ec42886d-4d42-4b46-80d0-5b638c03a1d5.vbs"
11⤵
PID:1172

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\35d77886-3a8a-476d-bb63-9eab5b99833c.vbs"
9⤵
PID:772

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\828cd335-444a-40aa-a1a0-0927903a1d1a.vbs"
7⤵
PID:1916

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
4⤵
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:4544

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\BlockPortWinDhcp\file.vbs"
2⤵
- System Location Discovery: System Language Discovery
PID:2140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\PrintHood\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Users\Admin\PrintHood\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\PrintHood\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Internet Explorer\de-DE\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\de-DE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Internet Explorer\de-DE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Microsoft Office\Office16\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office16\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Office\Office16\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\BlockPortWinDhcp\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\BlockPortWinDhcp\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\BlockPortWinDhcp\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Portable Devices\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Portable Devices\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Users\Default User\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Common Files\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Common Files\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 12 /tr "'C:\Users\Public\AccountPictures\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Users\Public\AccountPictures\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 9 /tr "'C:\Users\Public\AccountPictures\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 6 /tr "'C:\Windows\apppatch\AppPatch64\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Windows\apppatch\AppPatch64\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 8 /tr "'C:\Windows\apppatch\AppPatch64\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Program Files\Crashpad\attachments\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Crashpad\attachments\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Program Files\Crashpad\attachments\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 14 /tr "'C:\Windows\Setup\State\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Windows\Setup\State\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 7 /tr "'C:\Windows\Setup\State\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\BlockPortWinDhcp\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\BlockPortWinDhcp\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\BlockPortWinDhcp\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Program Files\7-Zip\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\7-Zip\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Program Files\7-Zip\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\BlockPortWinDhcp\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\BlockPortWinDhcp\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\BlockPortWinDhcp\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\All Users\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4568

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\BlockPortWinDhcp\Comref.exe
Filesize
3.6MB

MD5
020fcee4acad7e7412ad0f27501ae749

SHA1
4282618cca56b75eb3921653c5daa2137eaa5ffa

SHA256
40ddad4ca2337022808328174ced0149caa955dcdf7a3b9eaf062818ffa43669

SHA512
e6c6749f7b8a67a5acc4910ccb59931582cb929392f7647f51d7d133cec3980375edc7d56be4d5cbac0f1d0ab1e46204b46b7349980aedaeb5a680a745fd7f9f

Download Submit
C:\BlockPortWinDhcp\RuejCowmnwM9YNHuglg.bat
Filesize
144B

MD5
ce3dd3c96548149537e6d3a679917a26

SHA1
0faba6346d98fe426902f01be3337bdb700bb4fa

SHA256
3d7dfa7a908d3eef1344c70e6ea39e14dba844fcc727fc6b2d4f07f488303c7c

SHA512
7326f45903c3eca92bc3de0ee50f13042f3f6cc6494da0273ba65a53308ba63b7607ac7f6b27dba20e649717781fc90254173ffd837fd7d98f21aa211f3af23d

Download Submit
C:\BlockPortWinDhcp\file.vbs
Filesize
34B

MD5
677cc4360477c72cb0ce00406a949c61

SHA1
b679e8c3427f6c5fc47c8ac46cd0e56c9424de05

SHA256
f1cccb5ae4aa51d293bd3c7d2a1a04cb7847d22c5db8e05ac64e9a6d7455aa0b

SHA512
7cfe2cc92f9e659f0a15a295624d611b3363bd01eb5bcf9bc7681ea9b70b0564d192d570d294657c8dc2c93497fa3b4526c975a9bf35d69617c31d9936573c6a

Download Submit
C:\BlockPortWinDhcp\pIqe6hsiC.vbe
Filesize
209B

MD5
fe9707d9d0f3a70f1672c83f8ab78cab

SHA1
4d25ca2d7b215e7757eec53b2c55060756cf3fc0

SHA256
e50eaf2ab143000660efab3e91bef57d2407c372820d022a10dac8c06e0c8e99

SHA512
fab4bbb58aa50e636fb553fc9d01fa69ad63fbdf7e7d677ed8b7b29838ed9525489d871af2e7c3b5b7e6afb34f79fb2ad7ef0897f4b8ad52d887c4ab096a84e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\SearchApp.exe.log
Filesize
1KB

MD5
49b64127208271d8f797256057d0b006

SHA1
b99bd7e2b4e9ed24de47fb3341ea67660b84cca1

SHA256
2a5d403a2e649d8eceef8f785eeb0f6d33888ec6bbf251b3c347e34cb32b1e77

SHA512
f7c728923c893dc9bc88ad2159e0abcda41e1b40ff7e7756e6252d135ed238a2248a2662b3392449836dd1b0b580f0c866cc33e409527484fe4602e3d3f10e3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\189a9588-f1b5-4d45-bcd2-281f5b9c0c64.vbs
Filesize
721B

MD5
136d98ab6a02b2a9fe66cb776935b04f

SHA1
914b68245b6b367514bd854bb890a635fbb1aca7

SHA256
154cbe597d09c0caafda8790604f54fed7db4755b6459a2644e9e0a620774aa4

SHA512
6a7b728d1958882c08480f6ea473decca4cf948df4cad24771e7a113dfaf4a527e207b6da2dad00d463bffa60383d0e13dede3e4211992048ddd755d6b2b4b22

Download Submit
C:\Users\Admin\AppData\Local\Temp\4f6b762b-020d-45e3-bd6c-d4b1613375a0.vbs
Filesize
721B

MD5
5d5932c051ea926e921320af7ac2ee45

SHA1
e290beff42352253f4a3eb70103a6d8dd697d86c

SHA256
4289b8d2cb81c75378ce49a353ec8019b8cdaddf3bf2fb09a828c0121f024a9d

SHA512
7b7f15054b2c80d8740125a947210cd169c945bd4867caf3fe18bb156f40c250f8525d1b043959ba92769770902054601fada677cdf0fcbb9f9685773a58b5a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\57838f7f-231b-4668-996a-a6bf2c4ab781.vbs
Filesize
721B

MD5
5758ac1bf0d8fb9db9a64293f5ed3236

SHA1
264b530db8cc494120771dc962603bd597d335b0

SHA256
d785c4f2d8c68e7ac167552f9363a9efa867af25a6a4b9d2c2637f649e2e41c8

SHA512
4a1cfe730ae604f5b1fd676ab0b41c9eba477f37efab58c7ba85448a205527274b89d47aa47a94f5484ad9e0d5de0715a17417b62e2f345ea1ae86219bb7a619

Download Submit
C:\Users\Admin\AppData\Local\Temp\828cd335-444a-40aa-a1a0-0927903a1d1a.vbs
Filesize
497B

MD5
fb713688090de728a1a65f795ef74735

SHA1
33e9b312c79b84450c1d5f0823494cba410dd707

SHA256
5ccb325ada26fba2109e08bdc63f7cb137c54a070dde5d7b9fd2612cce0c69d7

SHA512
4a8149f7731afc4efba906cd24e990eb62d971eb7ebcdef65dc9acf44e37782309d76dd3e5df5fadd213c1e39c66e3ec1f79e36cb5857c2cad471aaf9b70507c

Download Submit
C:\Users\Admin\AppData\Local\Temp\958d8094-4f28-43e2-9061-e7dca0785f64.vbs
Filesize
721B

MD5
b42519cff9c25ac6dc6ab1efeccb7cf3

SHA1
f6bef52ce8ee5b77b5ef218a98bbf24a171c1bf9

SHA256
bc253180085ac271e0029932fd68777bfa163f96457725970943245e20a629bf

SHA512
eb31f3dc1156e8832a12d35805ac17177dd565e23380a28abafd4e51e2b4b6389592e096e5cbcf70740dfa42d8b8e151634d78f7a8aad92c2a6bfa3133c03be1

Download Submit
C:\Users\Admin\AppData\Local\Temp\aCA1cwmlfC.bat
Filesize
210B

MD5
cf5ca8ca8311889b5a90899f2d6864f8

SHA1
73efae346da4c80a2eb1daeb26fbb28220a86620

SHA256
76bfac55bfd6f460e3f3a9d5a8266b7601180dfa03a0cde5c565cbe4ad0688e7

SHA512
8d0021926a491c34c7c25e22f9f5f748532392c0ab092798243e954249bc5ec158823c28bd20483b049daed42b830cd5e990f1bd48d867e35af53d287899ad40

Download Submit
C:\Users\Admin\AppData\Local\Temp\f193fb04-ac5d-4a1c-b547-c400d1c081a1.vbs
Filesize
721B

MD5
c30b64aad6b25b459bf570a90536758b

SHA1
d2eca722975c79bb8fee6abe15101208c85e09c1

SHA256
153e1702bb0475ead1677347ddf9a6447dcc1754015b25d84aeb7271716dfe42

SHA512
02cabfbe2d53ea934617778c4a0a4a754d88fe27badd47147fc385374d99fd5b5bba697da393bacbc1d475cb154095bed1a3d1cde95b3786a13fa18131c0f89f

Download Submit
memory/1844-86-0x000000001BF90000-0x000000001BFA2000-memory.dmp

Filesize
72KB

Download
memory/2116-23-0x0000000003160000-0x000000000316A000-memory.dmp

Filesize
40KB

Download
memory/2116-30-0x000000001BBF0000-0x000000001BC46000-memory.dmp

Filesize
344KB

Download
memory/2116-29-0x000000001BBE0000-0x000000001BBE8000-memory.dmp

Filesize
32KB

Download
memory/2116-31-0x000000001BC40000-0x000000001BC48000-memory.dmp

Filesize
32KB

Download
memory/2116-35-0x000000001C4D0000-0x000000001C4DE000-memory.dmp

Filesize
56KB

Download
memory/2116-34-0x000000001C4C0000-0x000000001C4C8000-memory.dmp

Filesize
32KB

Download
memory/2116-33-0x000000001C4B0000-0x000000001C4BE000-memory.dmp

Filesize
56KB

Download
memory/2116-32-0x000000001C4A0000-0x000000001C4AA000-memory.dmp

Filesize
40KB

Download
memory/2116-37-0x000000001C500000-0x000000001C50A000-memory.dmp

Filesize
40KB

Download
memory/2116-36-0x000000001C4E0000-0x000000001C4E8000-memory.dmp

Filesize
32KB

Download
memory/2116-38-0x000000001C510000-0x000000001C51C000-memory.dmp

Filesize
48KB

Download
memory/2116-27-0x000000001C9D0000-0x000000001CEF8000-memory.dmp

Filesize
5.2MB

Download
memory/2116-28-0x0000000003390000-0x0000000003398000-memory.dmp

Filesize
32KB

Download
memory/2116-26-0x0000000003190000-0x00000000031A2000-memory.dmp

Filesize
72KB

Download
memory/2116-25-0x0000000003170000-0x000000000317C000-memory.dmp

Filesize
48KB

Download
memory/2116-24-0x00000000032D0000-0x0000000003326000-memory.dmp

Filesize
344KB

Download
memory/2116-22-0x0000000003140000-0x0000000003156000-memory.dmp

Filesize
88KB

Download
memory/2116-21-0x0000000001820000-0x0000000001828000-memory.dmp

Filesize
32KB

Download
memory/2116-17-0x0000000000B90000-0x0000000000F3C000-memory.dmp

Filesize
3.7MB

Download
memory/2116-20-0x0000000003320000-0x0000000003370000-memory.dmp

Filesize
320KB

Download
memory/2116-19-0x0000000001800000-0x000000000181C000-memory.dmp

Filesize
112KB

Download
memory/2116-18-0x00000000017F0000-0x00000000017FE000-memory.dmp

Filesize
56KB

Download
memory/2484-122-0x000000001B530000-0x000000001B586000-memory.dmp

Filesize
344KB

Download
memory/3380-99-0x000000001B450000-0x000000001B462000-memory.dmp

Filesize
72KB

Download