dcrat | dfe9f39426e9f5c49dfd52ec6dcf91a679af24d2e5a6119a139b9bdf1525655d

Resubmissions

23-01-2025 15:47

250123-s8nvfavjhw 10

23-01-2025 15:44

250123-s6ya4awkgr 10

23-01-2025 15:43

250123-s6b3vswkfl 10

Analysis

max time kernel
430s
max time network
431s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
23-01-2025 15:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

taskhostw.exe
Size

1.2MB
MD5

ac904ffc13b5f221270f475065687b59
SHA1

ed6b4383582eae7b72064a10e33cebc6fd3690e5
SHA256

963a316c03e4f88df946a43d537f6ed2d2001eaafcde40bdb52cd15104112606
SHA512

9626483209d8546c835c94cfffd89e1cf6ae813730d04dfdb9b4b4019e12ee0c9166fa76fb47426251f6e669d6c63037718ffb8c8366766cadca1a9f78c91559
SSDEEP

12288:URZ+IoG/n9IQxW3OBseUUT+tcYbqTHSOOJVu1SNEC8m+P1BAyrQ/ta3iruJtDwbD:u2G/nvxW3WieC2nOJVrj8m+aSDwbA9Nq

Score

10^/10

dcrat credential_access defense_evasion discovery infostealer persistence rat spyware stealer trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe"	wininit.exe

Process spawned unexpected child process 31 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2396	2948	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2356	2948	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1624	2948	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3012	2948	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4516	2948	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5732	2948	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4296	2948	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3908	2948	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4704	2948	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1156	2948	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4160	2948	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1220	2948	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4564	2948	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4740	2948	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4528	2948	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3792	2948	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1924	2948	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1256	2948	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1500	2948	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5832	2948	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1248	2948	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4748	2948	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	124	2948	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5204	2948	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2432	2948	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1652	2948	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1640	2948	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	716	5256	schtasks.exe	113
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3188	5256	schtasks.exe	113
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3416	5256	schtasks.exe	113
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5072	5256	schtasks.exe	113

UAC bypass 3 TTPs 6 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ComfontHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ComfontHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ComfontHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral3/files/0x001a00000002ab8a-16.dat	dcrat
behavioral3/memory/1528-18-0x0000000000CC0000-0x0000000000DAC000-memory.dmp	dcrat

Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004

Deletes itself 1 IoCs

pid	Process
4144	wininit.exe

Executes dropped EXE 2 IoCs

pid	Process
1528	ComfontHost.exe
4144	wininit.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Checks whether UAC is enabled 1 TTPs 4 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ComfontHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ComfontHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-s..i-accessibilityuser_31bf3856ad364e35_10.0.22000.348_none_5e9c11248df37d0b\f\Desktop.ini	wininit.exe
File opened for modification	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-s..opini-accessibility_31bf3856ad364e35_10.0.22000.348_none_d5c2f424027f1f86\f\Desktop.ini	wininit.exe

Drops autorun.inf file 1 TTPs 1 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	C:\Windows\BitLockerDiscoveryVolumeContents\autorun.inf	wininit.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_2.2106.2807.0_x64__8wekyb3d8bbwe\resources.pri	wininit.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.6.10571.0_x64__8wekyb3d8bbwe\Images\StoreLogo.scale-400_contrast-white.png	wininit.exe
File opened for modification	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib-commonjs\components\DocumentCard\DocumentCardActions.types.js	wininit.exe
File opened for modification	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\theme\node_modules\@uifabric\merge-styles\lib\IRawStyle.js	wininit.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\de-DE\PhotoViewer.dll.mui	wininit.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.2104.12721.0_x64__8wekyb3d8bbwe\Images\NoConnection.scale-200.png	wininit.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_21.21030.25003.0_x64__8wekyb3d8bbwe\Assets\PhotosLogoExtensions.targetsize-24.png	wininit.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\OutOfOffice.scale-150.png	wininit.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_1.0.22.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsLargeTile.scale-200_contrast-black.png	wininit.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.50.24002.0_x64__8wekyb3d8bbwe\Assets\GameBarNotificationLogo.png	wininit.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.21012.10511.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-36_contrast-white.png	wininit.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\UIAutomationTypes.dll	wininit.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\UIAutomationClientsideProviders.resources.dll	wininit.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\AboutAdsGenericBackgroundImage.jpg	wininit.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\System.Data.Entity.Resources.dll	wininit.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_11.2104.2.0_x64__8wekyb3d8bbwe\Assets\SnipSketchAppList.targetsize-96_altform-lightunplated.png	wininit.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.32731.0_x64__8wekyb3d8bbwe\AppxMetadata\CodeIntegrity.cat	wininit.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\AboutAdsCoreBackgroundImage.jpg	wininit.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsNotepad_10.2102.13.0_x64__8wekyb3d8bbwe\Assets\contrast-black\NotepadAppList.targetsize-24.png	wininit.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.21012.10511.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\iheart-radio.scale-100_contrast-white.png	wininit.exe
File opened for modification	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\theme\node_modules\@uifabric\merge-styles\lib-amd\extractStyleParts.js	wininit.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.2008.32311.0_x64__8wekyb3d8bbwe\Assets\contrast-black\GetHelpAppList.targetsize-80_altform-lightunplated_contrast-black.png	wininit.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_12104.1001.1.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\StoreLargeTile.scale-200.png	wininit.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.6.10571.0_x64__8wekyb3d8bbwe\Images\LargeTile.scale-150.png	wininit.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_1.0.22.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsMedTile.scale-200_contrast-black.png	wininit.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Core.dll	wininit.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsNotepad_10.2102.13.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-white\NotepadMedTile.scale-125.png	wininit.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_10.2.41172.0_x64__8wekyb3d8bbwe\Assets\TipsAppList.targetsize-64_altform-unplated_contrast-black.png	wininit.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_4.0.2.0_x64__8wekyb3d8bbwe\Assets\Icons\StickyNotesSplashScreen.scale-200_contrast-black.png	wininit.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Paint_10.2104.17.0_x64__8wekyb3d8bbwe\Assets\contrast-white\PaintAppList.targetsize-80_altform-unplated.png	wininit.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.2012.21.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\CalculatorLargeTile.scale-125_contrast-black.png	wininit.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Generic-Dark.scale-250.png	wininit.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_12104.1001.1.0_x64__8wekyb3d8bbwe\Assets\AppTiles\StoreAppList.targetsize-30_altform-unplated.png	wininit.exe
File opened for modification	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib\MarqueeSelection.js	wininit.exe
File opened for modification	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib-amd\SplitButton.js	wininit.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.2104.12721.0_x64__8wekyb3d8bbwe\Images\FileSway32x32.png	wininit.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_4.0.2.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\Icons\StickyNotesBadgeLogo.scale-125_contrast-black.png	wininit.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.PowerAutomateDesktop_1.0.65.0_x64__8wekyb3d8bbwe\fi-FI\PAD.Console.Host.resources.dll	wininit.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.21012.10511.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-30_altform-lightunplated.png	wininit.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.21012.10511.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-64_altform-unplated.png	wininit.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\ado\msado15.dll	wininit.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\de-DE\wmplayer.exe.mui	wininit.exe
File opened for modification	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib-commonjs\components\DetailsList\DetailsRow.types.js	wininit.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1909.12456.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\PeopleStoreLogo.scale-100.png	wininit.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_21.21030.25003.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-16_altform-lightunplated_contrast-white.png	wininit.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_1.0.36.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AlarmsAppList.scale-125.png	wininit.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\HxA-Outlook.scale-250.png	wininit.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_12104.1001.1.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\StoreAppList.targetsize-40_altform-unplated.png	wininit.exe
File opened for modification	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib-amd\SelectedItemsList.js	wininit.exe
File opened for modification	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib-commonjs\ResizeGroup.js	wininit.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingNews_1.0.6.0_x64__8wekyb3d8bbwe\Assets\AppTiles\NewsAppList.targetsize-32_altform-unplated.png	wininit.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.40978.0_x64__8wekyb3d8bbwe\Assets\MedTile.scale-150.png	wininit.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.2104.12721.0_x64__8wekyb3d8bbwe\System.Xml.XmlDocument.dll	wininit.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.21012.10511.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-96_altform-lightunplated_contrast-black.png	wininit.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingNews_1.0.6.0_x64__8wekyb3d8bbwe\Assets\AppTiles\NewsAppList.targetsize-80.png	wininit.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.42251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageAppList.targetsize-72_altform-unplated_contrast-white.png	wininit.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.2104.12721.0_x64__8wekyb3d8bbwe\System.Net.WebHeaderCollection.dll	wininit.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.6.3102.0_x64__8wekyb3d8bbwe\Microsoft.Advertising\bootstrap.html	wininit.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsNotepad_10.2102.13.0_x64__8wekyb3d8bbwe\Assets\contrast-white\NotepadAppList.scale-150.png	wininit.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.6.10571.0_x64__8wekyb3d8bbwe\Images\Square44x44Logo.targetsize-32_altform-unplated_contrast-white.png	wininit.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.46.11001.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\GamesXboxHubAppList.scale-100.png	wininit.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\System.IdentityModel.dll	wininit.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.32731.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-36.png	wininit.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarAppList.targetsize-72_altform-unplated.png	wininit.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsn.dll	wininit.exe
File opened for modification	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\Microsoft-Windows-Client-LanguagePack-Package-Wrapper~31bf3856ad364e35~amd64~bg-BG~10.0.22000.493.cat	wininit.exe
File opened for modification	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\Microsoft-Windows-ShellAPI-Package~31bf3856ad364e35~amd64~pl-PL~10.0.22000.469.cat	wininit.exe
File opened for modification	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\Microsoft-Windows-WinPE-AppxPackaging-Package~31bf3856ad364e35~amd64~sk-SK~10.0.22000.184.mum	wininit.exe
File opened for modification	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\wow64_microsoft-windows-mapi.resources_31bf3856ad364e35_10.0.22000.184_cs-cz_eca1d1a6bcf91ca5.manifest	wininit.exe
File opened for modification	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-m..oolsclient.appxmain_31bf3856ad364e35_10.0.22000.120_none_bb415867ae85d51c\f\i_resetSettings.png	wininit.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\1040\cscui.dll	wininit.exe
File opened for modification	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\Microsoft-Windows-Client-Features-Package0011~31bf3856ad364e35~amd64~el-GR~10.0.22000.282.cat	wininit.exe
File opened for modification	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\Microsoft-Windows-EditionSpecific-Professional-Package~31bf3856ad364e35~amd64~pt-BR~10.0.22000.348.mum	wininit.exe
File opened for modification	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-p..iagnostic.resources_31bf3856ad364e35_10.0.22000.120_th-th_b16776f8926eb568\f\DiagPackage.dll.mui	wininit.exe
File opened for modification	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\wow64_microsoft-windows-shell-setup_31bf3856ad364e35_10.0.22000.65_none_bec3c32039f2f769\f\shsetup.dll	wininit.exe
File opened for modification	C:\Windows\servicing\Packages\HyperV-Hypervisor-Package~31bf3856ad364e35~amd64~ja-JP~10.0.22000.1.mum	wininit.exe
File opened for modification	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-l..terprises.resources_31bf3856ad364e35_10.0.22000.493_sk-sk_ccb35fababccc3bf\f\license.rtf	wininit.exe
File opened for modification	C:\Windows\Fonts\cvgafix.fon	wininit.exe
File opened for modification	C:\Windows\ImmersiveControlPanel\images\logo.targetsize-36_contrast-white.png	wininit.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorie.dll	wininit.exe
File opened for modification	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-propsys.resources_31bf3856ad364e35_7.0.22000.184_zh-tw_56b6e257472ab015.manifest	wininit.exe
File opened for modification	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\Microsoft-WinPE-Multilingual-Package-windows~31bf3856ad364e35~amd64~ca-ES~10.0.22000.348.mum	wininit.exe
File opened for modification	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\wow64_microsoft-windows-o..euapcommonproxystub_31bf3856ad364e35_10.0.22000.469_none_98556a1539f050eb.manifest	wininit.exe
File opened for modification	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-l..me-ppipro.resources_31bf3856ad364e35_10.0.22000.493_pl-pl_56ac0192c974fdd0\f\license.rtf	wininit.exe
File opened for modification	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-s..edia-base.resources_31bf3856ad364e35_10.0.22000.120_it-it_44e8f38af0f26591\f\wdsimage.dll.mui	wininit.exe
File opened for modification	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-mfcore_31bf3856ad364e35_10.0.22000.493_none_ebf52e2fdc951f4b\f\mfps.dll	wininit.exe
File opened for modification	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-s..ouppolicy.resources_31bf3856ad364e35_10.0.22000.132_el-gr_1e0238b2efc09d8d\f\WindowsInkWorkspace.adml	wininit.exe
File opened for modification	C:\Windows\Boot\EFI\it-IT\bootmgfw.efi.mui	wininit.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\JA\System.Web.Services.Resources.dll	wininit.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\fr\MSBuild.resources.dll	wininit.exe
File opened for modification	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-l..isesneval.resources_31bf3856ad364e35_10.0.22000.493_zh-cn_8e853e1c868dd5ef.manifest	wininit.exe
File opened for modification	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\WinPE-MDAC-Package-onecorewindows~31bf3856ad364e35~amd64~fi-FI~10.0.22000.348.cat	wininit.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Runtime.CompilerServices.VisualC.dll	wininit.exe
File opened for modification	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-l..olume-professionaln_31bf3856ad364e35_10.0.22000.493_none_e9d28ef4e6aa780d\f\license.rtf	wininit.exe
File opened for modification	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-s..rofessional-license_31bf3856ad364e35_10.0.22000.348_none_7744f0e97b18358e\f\Professional-Volume-CSVLK-3-ul-phn-rtm.xrm-ms	wininit.exe
File opened for modification	C:\Windows\servicing\Packages\HyperV-UX-UI-Client-merged-Package~31bf3856ad364e35~amd64~es-ES~10.0.22000.1.cat	wininit.exe
File opened for modification	C:\Windows\PolicyDefinitions\en-US\AppxPackageManager.adml	wininit.exe
File opened for modification	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\Microsoft-OneCore-Update-Ux-Core-Package~31bf3856ad364e35~amd64~pl-PL~10.0.22000.282.mum	wininit.exe
File opened for modification	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-l..terprises.resources_31bf3856ad364e35_10.0.22000.493_pt-pt_00784c521ebc945a\f\license.rtf	wininit.exe
File opened for modification	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\x86_microsoft-windows-l..terprises.resources_31bf3856ad364e35_10.0.22000.493_zh-tw_ebdb4f8a91e31b3a\f\license.rtf	wininit.exe
File opened for modification	C:\Windows\servicing\Packages\HyperV-VmTpm-Package~31bf3856ad364e35~amd64~uk-UA~10.0.22000.1.mum	wininit.exe
File opened for modification	C:\Windows\diagnostics\system\Audio\AudioDiagnosticUtil.dll	wininit.exe
File opened for modification	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-runtime-windows-media_31bf3856ad364e35_10.0.22000.282_none_428fbfe253d9a55e.manifest	wininit.exe
File opened for modification	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\Microsoft-Windows-Editions-Professional-Package~31bf3856ad364e35~amd64~sv-SE~10.0.22000.493.cat	wininit.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\fr-FR\ServiceModelRegUI.dll.mui	wininit.exe
File opened for modification	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\Microsoft-Windows-Help-ClientUA-ClientN-Package~31bf3856ad364e35~amd64~bg-BG~10.0.22000.469.cat	wininit.exe
File opened for modification	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\WinPE-Setup-Package-Wrapper~31bf3856ad364e35~amd64~sl-SI~10.0.22000.318.mum	wininit.exe
File opened for modification	C:\Windows\servicing\Packages\HyperV-LegacyChipset-merged-Package~31bf3856ad364e35~amd64~es-ES~10.0.22000.1.cat	wininit.exe
File opened for modification	C:\Windows\Boot\EFI\nl-NL\bootmgfw.efi.mui	wininit.exe
File opened for modification	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-mccs-syncres.resources_31bf3856ad364e35_10.0.22000.348_cs-cz_dbf891bf58d83a6b.manifest	wininit.exe
File opened for modification	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\Microsoft-Windows-EnterpriseClientSync-Host-Package~31bf3856ad364e35~amd64~~10.0.22000.100.mum	wininit.exe
File opened for modification	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-s..onaries-korean-main_31bf3856ad364e35_10.0.22000.348_none_a1ae9d327aab59e8\f\ExpressiveInput.0412.lex	wininit.exe
File opened for modification	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-winlogon-ext_31bf3856ad364e35_10.0.22000.434_none_7efe4992f8f9b8d7\f\winlogonext.dll	wininit.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Hyper-V-Offline-Common-Package~31bf3856ad364e35~amd64~fr-FR~10.0.22000.1.cat	wininit.exe
File opened for modification	C:\Windows\PolicyDefinitions\FileRevocation.admx	wininit.exe
File opened for modification	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-t..i-pcshell.resources_31bf3856ad364e35_10.0.22000.184_gl-es_178c7fd6065e0e41\f\twinui.pcshell.dll.mui	wininit.exe
File opened for modification	C:\Windows\servicing\Packages\Containers-Client-Guest-Package~31bf3856ad364e35~amd64~~10.0.22000.318.mum	wininit.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\SOS.dll	wininit.exe
File opened for modification	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-l..essionaln.resources_31bf3856ad364e35_10.0.22000.493_pt-br_289a03494621e028.manifest	wininit.exe
File opened for modification	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\Microsoft-OneCore-Update-Ux-Core-Package~31bf3856ad364e35~amd64~sv-SE~10.0.22000.282.mum	wininit.exe
File opened for modification	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\Microsoft-Windows-ActiveDirectory-DS-LDS-Tools-FoD-Package-Wrapper~31bf3856ad364e35~amd64~cs-CZ~10.0.22000.434.cat	wininit.exe
File opened for modification	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\Microsoft-Windows-OneCore-Containers-Opt-Package~31bf3856ad364e35~amd64~da-DK~10.0.22000.37.cat	wininit.exe
File opened for modification	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-s..-csvlk-pack-license_31bf3856ad364e35_10.0.22000.100_none_649f7315a9b15a38\f\csvlk-pack-Volume-CSVLK-1-ul-oob-rtm.xrm-ms	wininit.exe
File opened for modification	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-twinui.resources_31bf3856ad364e35_10.0.22000.184_fr-ca_c4ce1a871edc3b44\f\twinui.dll.mui	wininit.exe
File opened for modification	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-l..essionaln.resources_31bf3856ad364e35_10.0.22000.493_pt-br_7b97c5fba64fb582.manifest	wininit.exe
File opened for modification	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-mlang.resources_31bf3856ad364e35_10.0.22000.348_fr-fr_241d0cd98afe3495.manifest	wininit.exe
File opened for modification	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\Microsoft-Windows-Foundation-Group-Package~31bf3856ad364e35~amd64~es-ES~10.0.22000.434.cat	wininit.exe
File opened for modification	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\Microsoft-Windows-Spelling-Dictionaries-tk-tm-Package~31bf3856ad364e35~amd64~~10.0.22000.348.mum	wininit.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskhostw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 27 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4564	schtasks.exe
2432	schtasks.exe
1220	schtasks.exe
1256	schtasks.exe
4748	schtasks.exe
5204	schtasks.exe
1652	schtasks.exe
1640	schtasks.exe
3908	schtasks.exe
1156	schtasks.exe
1248	schtasks.exe
3012	schtasks.exe
4296	schtasks.exe
4160	schtasks.exe
2396	schtasks.exe
4704	schtasks.exe
4740	schtasks.exe
4528	schtasks.exe
1500	schtasks.exe
5832	schtasks.exe
124	schtasks.exe
1624	schtasks.exe
1924	schtasks.exe
5732	schtasks.exe
4516	schtasks.exe
3792	schtasks.exe
2356	schtasks.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
1528	ComfontHost.exe
1528	ComfontHost.exe
1528	ComfontHost.exe
1528	ComfontHost.exe
1528	ComfontHost.exe
4144	wininit.exe
4144	wininit.exe
4144	wininit.exe
4144	wininit.exe
4144	wininit.exe
4144	wininit.exe
4144	wininit.exe
4144	wininit.exe
4144	wininit.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1528	ComfontHost.exe
Token: SeDebugPrivilege	4144	wininit.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
688	MiniSearchHost.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 5544 wrote to memory of 3992	5544	taskhostw.exe	77
PID 5544 wrote to memory of 3992	5544	taskhostw.exe	77
PID 5544 wrote to memory of 3992	5544	taskhostw.exe	77
PID 3992 wrote to memory of 1496	3992	WScript.exe	80
PID 3992 wrote to memory of 1496	3992	WScript.exe	80
PID 3992 wrote to memory of 1496	3992	WScript.exe	80
PID 1496 wrote to memory of 1528	1496	cmd.exe	82
PID 1496 wrote to memory of 1528	1496	cmd.exe	82
PID 1528 wrote to memory of 4144	1528	ComfontHost.exe	111
PID 1528 wrote to memory of 4144	1528	ComfontHost.exe	111
PID 4144 wrote to memory of 3108	4144	wininit.exe	118
PID 4144 wrote to memory of 3108	4144	wininit.exe	118
PID 3108 wrote to memory of 844	3108	cmd.exe	120
PID 3108 wrote to memory of 844	3108	cmd.exe	120

System policy modification 1 TTPs 6 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ComfontHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ComfontHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ComfontHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\taskhostw.exe
"C:\Users\Admin\AppData\Local\Temp\taskhostw.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5544
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\BlockBrowserWeb\73WPTP5CgKBkfusL13FoS1EalfC.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3992
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\BlockBrowserWeb\JLBdH8Facv2OZKr8pY7k2gD8clI.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1496
  - - C:\BlockBrowserWeb\ComfontHost.exe
      "C:\BlockBrowserWeb\ComfontHost.exe"
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:1528
    - - C:\Program Files\Uninstall Information\wininit.exe
        
        "C:\Program Files\Uninstall Information\wininit.exe"
        5⤵
        Modifies WinLogon for persistence
        UAC bypass
        Deletes itself
        Executes dropped EXE
        Checks whether UAC is enabled
        Drops desktop.ini file(s)
        Drops autorun.inf file
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:4144
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cLz7lFEPwa.bat" "
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3108
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:844

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 9 /tr "'C:\BlockBrowserWeb\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\BlockBrowserWeb\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 14 /tr "'C:\BlockBrowserWeb\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Internet Explorer\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Internet Explorer\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Program Files\Uninstall Information\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files\Uninstall Information\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\BlockBrowserWeb\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\BlockBrowserWeb\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\BlockBrowserWeb\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 9 /tr "'C:\Windows\Logs\NetSetup\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Windows\Logs\NetSetup\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 8 /tr "'C:\Windows\Logs\NetSetup\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Internet Explorer\it-IT\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\it-IT\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Internet Explorer\it-IT\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\BlockBrowserWeb\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\BlockBrowserWeb\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\BlockBrowserWeb\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Media Player\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Media Player\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1640

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "wininit" /f
1⤵
- Process spawned unexpected child process
PID:716

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "wininitw" /f
1⤵
- Process spawned unexpected child process
PID:3188

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "wininit" /f
1⤵
- Process spawned unexpected child process
PID:3416

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "wininitw" /f
1⤵
- Process spawned unexpected child process
PID:5072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Windows Credential Manager

T1555.004

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Replication Through Removable Media

T1091

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\BlockBrowserWeb\6203df4a6bafc7

Filesize
319B

MD5
5228c7cc1ec096c1f0e26c8efbdc917a

SHA1
95fae8ecf687469de34ce8a88e176e97c699c8ae

SHA256
9733308b970948db9b0c81918ee36d7f90122471e2ad71ba11654a4966a6ddd8

SHA512
29e405ca8759d4af4d504275d27d1b39f766fe4ca1a081f9ff3afafba259565e5e7c8ce0ca0e6ab57475c8b0276dc593708a163cc4ebdc76f9d5ebaa38bb2777

Download Submit
C:\BlockBrowserWeb\73WPTP5CgKBkfusL13FoS1EalfC.vbe

Filesize
230B

MD5
fdf72c94be3290267c930fab28fbd800

SHA1
a0e186ec44952baf296acd483f25327b0c6f33dd

SHA256
4eead935013d583296ca49f8fc8b70d38b7c32e1189204629f33cead574e2dd1

SHA512
a59b3fe649739e5d61d116149011f8d0f19ed8b217134aabb3f2c698dd52a5ccc4b67414209772be48fe4477158ffa7ebb2097280dccf1607955f1a95d264634

Download Submit
C:\BlockBrowserWeb\886983d96e3d3e

Filesize
493B

MD5
b180053abe6d78d65d8e179fb644ea35

SHA1
ebe99511754e4c52dfc7b6cae5a5474f8790014d

SHA256
3306ceb030e2bf0cb9728caeaf2a105bee51a70f5a080360a2a65ee86d12edfa

SHA512
c8f32d9fc7ee33ae64980c265eb5a7fae4f93832c8f80eae36b0d6c2550ffa8f31ff8fdc94dafccdf1c41818b659044800ea4b1814ecff6edd0b11e2f4d5205f

Download Submit
C:\BlockBrowserWeb\ComfontHost.exe

Filesize
911KB

MD5
082141e65f26ececc48552790d6c6da4

SHA1
fba9667158632e2dbfa128d1fa1bd4be282e773a

SHA256
b49adf276a5e055ef1a3685f032701b41be76177f7f9eb85dfac2d33b5fa7c9f

SHA512
cbe0fef685801d436b5637a0e08df052af119284491a382d689686735ee8352d3edaa6857754f16f022a0bb43f95039bc841e4ed1e20614ea0a9976258947946

Download Submit
C:\BlockBrowserWeb\JLBdH8Facv2OZKr8pY7k2gD8clI.bat

Filesize
47B

MD5
68411cfd82c251c57e0fd3e2b6e7af03

SHA1
26b09d13a90b0e662d57c59dc903db51dd11a177

SHA256
0f31379f24cbc2ab580f9b2f77e4fa36123a732377be53d88c28546228e106d7

SHA512
78ba2559d614ed0dbcc2e32a5f6b9ef3d3585df4cc515728ff4cccdefbd00b50f3e34774af016a5fc9f8320ff48e963bc76f9c7b04e80ad69a43eef9c18f2f2a

Download Submit
C:\BlockBrowserWeb\e1ef82546f0b02

Filesize
87B

MD5
db80245a3363a1bc0c76ee7675ee8d66

SHA1
5056661a23216f66c9ed40935142971be62c0527

SHA256
e26f64e7a9f0e8a4fa516de0845dbaee56d97a2de29c37f51021d6933fc98356

SHA512
f5d820f954d346666ec153da1cce75313212228529247e3afd3276a81c2f13988515c5ed3d8bb514ae4c9d57010bdc1931b3af6febe4f1146a336e4faefc2426

Download Submit
C:\Program Files (x86)\Internet Explorer\cc11b995f2a76d

Filesize
460B

MD5
d68340c374a0587758727fdfea01f124

SHA1
2ffcacd105fe4550cf4be8acff9cdac9e6d7eb39

SHA256
ee894c04d42716c40c6e84f666ec29eb9cf51c8bab43a41d7cf1650de2ff2fa3

SHA512
8b1c730d321ae7190b4fe929a2a57ff0e942abb4967071df175413830ae6e227e3f7498800b6556f0aa2767c227ad2918b94a59849faa298f77f4a9b7004d232

Download Submit
C:\Program Files (x86)\Windows Media Player\e6c9b481da804f

Filesize
307B

MD5
27d7712c601cf7663e1b8374bd35308f

SHA1
f8aef2cee1859c4d0ec8453eb3656cabd5ccabdc

SHA256
61fa3c041c843796a12c5a97452eb23281fb2eaa99b7ea065ce8a2fd6c273a57

SHA512
9d3cb32267d4fbbd7370dcf1113d7fa4c2502b0312cacd1c32267ee243beebedc5dd38e976a60d508a83b198a07051266da523a32fdd0bc8f5212a4fb8946de5

Download Submit
C:\Program Files\Internet Explorer\it-IT\886983d96e3d3e

Filesize
389B

MD5
fd9989f5e7a616d516e4d78ff988afed

SHA1
bbf09da68a43d191a64ea343fcb73f9e47f96f95

SHA256
a196f0c655d53412765f4b755d2744fc579761b77f944fa8be5ef5a0665e3ef2

SHA512
b89ccca111a065c94d11873e1b09df1ef58a58c4b50f25bd7b597c549f318ce50c14b98b01701607e0350c102065b08c8bed1fb68a48c6e7e4ca10191d1a24eb

Download Submit
C:\Program Files\Uninstall Information\56085415360792

Filesize
743B

MD5
da5a1ae814c78e02d73588d30458b027

SHA1
63635e16f97d46246390430655e2c466ab70999c

SHA256
0836741950693b4f5eb025a80a11f3b0b9d1ccbb7ced4455bcf4b9436bf8df08

SHA512
7d27a92b47d27498d67950e5abf3973561b4f080d55c08ca262d42f24ae23c101da687c377ab0e1add374a90142298deeaa38a785ebe93042906bba99dd5697c

Download Submit
C:\Recovery\WindowsRE\e6c9b481da804f

Filesize
741B

MD5
62a24540f3657f59c53eb1eec21b7a13

SHA1
c9cde570aaa13e64f9b431eae37115b17088caf3

SHA256
a0bf20364ee60d71f3a507904eab300f8e4b633bcf7a293a4edf176bd836f0c0

SHA512
4631d685c929d34d9337c6d164118c00d909bc905aa0543e5a12c28722d253b7d6734b107d36b9a2d5aa41f4ad8b3c0b66cfb4c42306ba7eba3e077a63dbe596

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ComfontHost.exe.log

Filesize
1KB

MD5
400b532c938aca538f01c5616cf318cd

SHA1
598a59a9434e51a6416f91a4c83bd02505ecb846

SHA256
28e57db6d7535775b5e65c90ab208c7fe392e373056db5d35e76854270ecd05d

SHA512
b15583323c457d389b873eb31b8e59fef450c0c0e684b0f797231e8d0abace9227b15d4e45b45f4c79ad044a28cc3d79f9f7c2a81bd38e43b0c09f07aaa95b73

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
069c37bf9e39b121efb7a28ece933aee

SHA1
eaef2e55b66e543a14a6780c23bb83fe60f2f04d

SHA256
485db8db6b497d31d428aceea416da20d88f7bde88dbfd6d59e3e7eee0a75ae8

SHA512
f4562071143c2ebc259a20cbb45b133c863f127a5750672b7a2af47783c7cdc56dcf1064ae83f54e5fc0bb4e93826bf2ab4ef6e604f955bf594f2cbd641db796

Download Submit
C:\Users\Admin\AppData\Local\Temp\cLz7lFEPwa.bat

Filesize
289B

MD5
ac37ae8d2d9b21669c4a8f797c032a05

SHA1
e88856919094c4a08bef0476d94f2fdbdc3ee1b9

SHA256
4e06dbe7994c6ceb5b04309a0f0e312165c4acec0bc5de99abf6b7a2afe28ebd

SHA512
b77e08bb677bc22b79809f8cbf8105436c3509f3d3e296fd4c1159460ec519739ba0ba381c9bcb95c2b0aa85a8ab6795cb2ef476b2407204bc89e7b8b4f62254

Download Submit
C:\Windows\Logs\NetSetup\e1ef82546f0b02

Filesize
735B

MD5
5d89db2af99d708c170948f32d704559

SHA1
98463c883b773c8a3dc6fa657af67e6402f833c1

SHA256
3f3f478be80a6648a9556ba0f8440407e76533ef60d7bcf493ff6145df4cbfbb

SHA512
24a729204851006f62a9e89039c641362e98b7add9f8f6ad9541fdc4466b6b56a6458591c2f0ddcb96c75eec8e4aa48912ba02483a803abc5fee7bc960c7b837

Download Submit
memory/1528-20-0x0000000003040000-0x000000000304C000-memory.dmp

Filesize
48KB

Download
memory/1528-18-0x0000000000CC0000-0x0000000000DAC000-memory.dmp

Filesize
944KB

Download
memory/1528-19-0x0000000002E90000-0x0000000002E9A000-memory.dmp

Filesize
40KB

Download
memory/4144-54-0x000000001BDE0000-0x000000001BDEB000-memory.dmp

Filesize
44KB

Download
memory/4144-51-0x000000001BC80000-0x000000001BC89000-memory.dmp

Filesize
36KB

Download
memory/4144-53-0x000000001BDC0000-0x000000001BDDE000-memory.dmp

Filesize
120KB

Download
memory/4144-50-0x000000001BC00000-0x000000001BC46000-memory.dmp

Filesize
280KB

Download
memory/4144-52-0x000000001BDB0000-0x000000001BDBD000-memory.dmp

Filesize
52KB

Download
memory/4144-131-0x000000001BC00000-0x000000001BC46000-memory.dmp

Filesize
280KB

Download
memory/4144-135-0x000000001BDE0000-0x000000001BDEB000-memory.dmp

Filesize
44KB

Download
memory/4144-134-0x000000001BDC0000-0x000000001BDDE000-memory.dmp

Filesize
120KB

Download
memory/4144-133-0x000000001BDB0000-0x000000001BDBD000-memory.dmp

Filesize
52KB

Download
memory/4144-132-0x000000001BC80000-0x000000001BC89000-memory.dmp

Filesize
36KB

Download