Overview

overview

10

Static

static

13f0462af3...68.exe

windows7-x64

10

13f0462af3...68.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    192s
  • max time network
    188s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14-10-2022 19:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    13f0462af330f984e6bf4f78ca0fd568.exe

  • Size

    4.9MB

  • MD5

    13f0462af330f984e6bf4f78ca0fd568

  • SHA1

    d4cade4a691d79c8edb40a02036dda11190e4795

  • SHA256

    98a6de25f542afaee3621feaf905566e3a5f60c99c5e1c051de2046cd803fb06

  • SHA512

    f04865953da22dd552373cb1a6e027ed2adbe87ad8f3fdbf59145d70fbc6de1310451824f45cc613400b14a4fe333ffe8cb8bdf65407badbcc4a9b76769a8ea8

  • SSDEEP

    49152:jl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score
10/10
colibridcratbuild1evasioninfostealerloaderrattrojan

Malware Config

Extracted

Family

colibri

Version

1.2.0

Botnet

Build1

C2

http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php

http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php

Signatures

  • Colibri Loader

    A loader sold as MaaS first seen in August 2021.

    loadercolibri
  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Process spawned unexpected child process 45 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 6 IoCs
    evasiontrojan
  • Executes dropped EXE 5 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Drops file in System32 directory 4 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 12 IoCs
  • Drops file in Windows directory 12 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 45 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 60 IoCs
  • Suspicious use of AdjustPrivilegeToken 14 IoCs
  • Suspicious use of WriteProcessMemory 54 IoCs
  • System policy modification 1 TTPs 6 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\13f0462af330f984e6bf4f78ca0fd568.exe
    "C:\Users\Admin\AppData\Local\Temp\13f0462af330f984e6bf4f78ca0fd568.exe"
    1⤵
    • UAC bypass
    • Checks computer location settings
    • Checks whether UAC is enabled
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:456
    • C:\Users\Admin\AppData\Local\Temp\tmp44F8.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmp44F8.tmp.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:4860
      • C:\Users\Admin\AppData\Local\Temp\tmp44F8.tmp.exe
        "C:\Users\Admin\AppData\Local\Temp\tmp44F8.tmp.exe"
        3⤵
        • Executes dropped EXE
        PID:4144
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2196
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2676
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/odt/'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4500
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4468
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1356
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3984
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2948
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4440
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4208
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3876
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1288
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1944
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AUfvfl5N9m.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4716
      • C:\Windows\system32\w32tm.exe
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        3⤵
          PID:4392
        • C:\Users\Default User\dllhost.exe
          "C:\Users\Default User\dllhost.exe"
          3⤵
          • UAC bypass
          • Executes dropped EXE
          • Checks computer location settings
          • Checks whether UAC is enabled
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:4856
          • C:\Users\Admin\AppData\Local\Temp\tmp11F.tmp.exe
            "C:\Users\Admin\AppData\Local\Temp\tmp11F.tmp.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:1336
            • C:\Users\Admin\AppData\Local\Temp\tmp11F.tmp.exe
              "C:\Users\Admin\AppData\Local\Temp\tmp11F.tmp.exe"
              5⤵
              • Executes dropped EXE
              PID:2540
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7a2d9963-52b9-4c96-ad5f-bd52fe969362.vbs"
            4⤵
              PID:1516
            • C:\Windows\System32\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9e24447e-975b-428e-8145-27905a5f59e0.vbs"
              4⤵
                PID:2288
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Microsoft\Settings\Accounts\spoolsv.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:1324
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft\Settings\Accounts\spoolsv.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:4648
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Microsoft\Settings\Accounts\spoolsv.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:1744
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:1504
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:1068
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:1064
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 12 /tr "'C:\odt\SppExtComObj.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:1368
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\odt\SppExtComObj.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:2164
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 14 /tr "'C:\odt\SppExtComObj.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:1356
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\dllhost.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:4468
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:5088
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:208
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\Resources\sppsvc.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:3000
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Windows\Resources\sppsvc.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:1848
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Windows\Resources\sppsvc.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:3748
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Windows\de-DE\spoolsv.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:4184
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\de-DE\spoolsv.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:4192
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Windows\de-DE\spoolsv.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:3644
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Windows\SysWOW64\fr\smss.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:5044
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\SysWOW64\fr\smss.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:1596
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Windows\SysWOW64\fr\smss.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:2080
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 13 /tr "'C:\odt\SearchApp.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:384
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\odt\SearchApp.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:820
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 6 /tr "'C:\odt\SearchApp.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:2476
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Microsoft\Settings\Accounts\sppsvc.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:3008
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft\Settings\Accounts\sppsvc.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:4504
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Microsoft\Settings\Accounts\sppsvc.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:4252
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Defender\ja-JP\OfficeClickToRun.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:3396
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\ja-JP\OfficeClickToRun.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:3608
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Defender\ja-JP\OfficeClickToRun.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:2076
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "13f0462af330f984e6bf4f78ca0fd5681" /sc MINUTE /mo 10 /tr "'C:\Program Files\Internet Explorer\it-IT\13f0462af330f984e6bf4f78ca0fd568.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:4416
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "13f0462af330f984e6bf4f78ca0fd568" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\it-IT\13f0462af330f984e6bf4f78ca0fd568.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:3572
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "13f0462af330f984e6bf4f78ca0fd5681" /sc MINUTE /mo 8 /tr "'C:\Program Files\Internet Explorer\it-IT\13f0462af330f984e6bf4f78ca0fd568.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:1660
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:2840
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:2304
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:1220
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Defender\ja-JP\fontdrvhost.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:5076
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\ja-JP\fontdrvhost.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:2432
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Defender\ja-JP\fontdrvhost.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:1080
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Windows\Speech_OneCore\lsass.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:2852
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\Speech_OneCore\lsass.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:4540
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Windows\Speech_OneCore\lsass.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:4572
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "13f0462af330f984e6bf4f78ca0fd5681" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Mozilla\updates\13f0462af330f984e6bf4f78ca0fd568.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:372
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "13f0462af330f984e6bf4f78ca0fd568" /sc ONLOGON /tr "'C:\Users\All Users\Mozilla\updates\13f0462af330f984e6bf4f78ca0fd568.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:2440
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "13f0462af330f984e6bf4f78ca0fd5681" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Mozilla\updates\13f0462af330f984e6bf4f78ca0fd568.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:3856

        Network

        MITRE ATT&CK Matrix ATT&CK v6

        Initial Access

        Execution

        Scheduled Task

        1
        T1053

        Persistence

        Scheduled Task

        1
        T1053

        Privilege Escalation

        Bypass User Account Control

        1
        T1088

        Scheduled Task

        1
        T1053

        Defense Evasion

        Bypass User Account Control

        1
        T1088

        Disabling Security Tools

        1
        T1089

        Modify Registry

        2
        T1112

        Credential Access

        Discovery

        Query Registry

        1
        T1012

        System Information Discovery

        3
        T1082

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
          Filesize

          2KB

          MD5

          d85ba6ff808d9e5444a4b369f5bc2730

          SHA1

          31aa9d96590fff6981b315e0b391b575e4c0804a

          SHA256

          84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

          SHA512

          8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

          Download Submit
        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          944B

          MD5

          cadef9abd087803c630df65264a6c81c

          SHA1

          babbf3636c347c8727c35f3eef2ee643dbcc4bd2

          SHA256

          cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

          SHA512

          7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

          Download Submit
        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          944B

          MD5

          ecceac16628651c18879d836acfcb062

          SHA1

          420502b3e5220a01586c59504e94aa1ee11982c9

          SHA256

          58238de09a8817ed9f894ed8e5bf06a897fd08e0b0bd77e508d37b2598edd2a9

          SHA512

          be3c7cb529cafb00f58790a6f8b35c4ff6db9f7f43a507d2218fd80cebc88413e46f71b1bc35b8afcc36b68f9409c946470d1e74a4fe225400eeb6f3f898f5b3

          Download Submit
        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          944B

          MD5

          ecceac16628651c18879d836acfcb062

          SHA1

          420502b3e5220a01586c59504e94aa1ee11982c9

          SHA256

          58238de09a8817ed9f894ed8e5bf06a897fd08e0b0bd77e508d37b2598edd2a9

          SHA512

          be3c7cb529cafb00f58790a6f8b35c4ff6db9f7f43a507d2218fd80cebc88413e46f71b1bc35b8afcc36b68f9409c946470d1e74a4fe225400eeb6f3f898f5b3

          Download Submit
        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          944B

          MD5

          ecceac16628651c18879d836acfcb062

          SHA1

          420502b3e5220a01586c59504e94aa1ee11982c9

          SHA256

          58238de09a8817ed9f894ed8e5bf06a897fd08e0b0bd77e508d37b2598edd2a9

          SHA512

          be3c7cb529cafb00f58790a6f8b35c4ff6db9f7f43a507d2218fd80cebc88413e46f71b1bc35b8afcc36b68f9409c946470d1e74a4fe225400eeb6f3f898f5b3

          Download Submit
        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          944B

          MD5

          cadef9abd087803c630df65264a6c81c

          SHA1

          babbf3636c347c8727c35f3eef2ee643dbcc4bd2

          SHA256

          cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

          SHA512

          7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

          Download Submit
        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          944B

          MD5

          cadef9abd087803c630df65264a6c81c

          SHA1

          babbf3636c347c8727c35f3eef2ee643dbcc4bd2

          SHA256

          cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

          SHA512

          7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

          Download Submit
        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          944B

          MD5

          cadef9abd087803c630df65264a6c81c

          SHA1

          babbf3636c347c8727c35f3eef2ee643dbcc4bd2

          SHA256

          cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

          SHA512

          7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

          Download Submit
        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          944B

          MD5

          ecceac16628651c18879d836acfcb062

          SHA1

          420502b3e5220a01586c59504e94aa1ee11982c9

          SHA256

          58238de09a8817ed9f894ed8e5bf06a897fd08e0b0bd77e508d37b2598edd2a9

          SHA512

          be3c7cb529cafb00f58790a6f8b35c4ff6db9f7f43a507d2218fd80cebc88413e46f71b1bc35b8afcc36b68f9409c946470d1e74a4fe225400eeb6f3f898f5b3

          Download Submit
        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          944B

          MD5

          ecceac16628651c18879d836acfcb062

          SHA1

          420502b3e5220a01586c59504e94aa1ee11982c9

          SHA256

          58238de09a8817ed9f894ed8e5bf06a897fd08e0b0bd77e508d37b2598edd2a9

          SHA512

          be3c7cb529cafb00f58790a6f8b35c4ff6db9f7f43a507d2218fd80cebc88413e46f71b1bc35b8afcc36b68f9409c946470d1e74a4fe225400eeb6f3f898f5b3

          Download Submit
        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          944B

          MD5

          5f0ddc7f3691c81ee14d17b419ba220d

          SHA1

          f0ef5fde8bab9d17c0b47137e014c91be888ee53

          SHA256

          a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

          SHA512

          2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

          Download Submit
        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          944B

          MD5

          bd5940f08d0be56e65e5f2aaf47c538e

          SHA1

          d7e31b87866e5e383ab5499da64aba50f03e8443

          SHA256

          2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

          SHA512

          c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\7a2d9963-52b9-4c96-ad5f-bd52fe969362.vbs
          Filesize

          709B

          MD5

          be45a9745a346af1fde2517add03c5d9

          SHA1

          8c89a427ff82de35a6936ecc65cd2aac54a601cf

          SHA256

          fed5441368c8d37dc17e71394d8b9d3f905886fa597861e01454fb594de1c104

          SHA512

          8607eeba417eb07acc163bc0d446182ec0f074e348f489944ed88980bdc6e16a040c6e98da18c3abde0a5db099a240c03c6cb34b3a711237c2f108e175c64e9b

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\9e24447e-975b-428e-8145-27905a5f59e0.vbs
          Filesize

          485B

          MD5

          52a7b23172d9aac417c506fa0797653c

          SHA1

          148bdc44ceb0cde3e527fc16d3fa81116affb452

          SHA256

          c9915dd67ec33b1ee4490c442b5744805771ef2010c3e9c1742dd761ad374dac

          SHA512

          708f969c496556a4d0d6da35c7725f39a6887fd3ad77900b8f122ffffd94b4fa4b753a87226897c039c2f2cc17483ab691c1d522a6284616d5feaa7ef7f3f5b3

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\AUfvfl5N9m.bat
          Filesize

          198B

          MD5

          53b1672207eb426e574b6e56a87b03bc

          SHA1

          3b6c853e63bf564611a7e99ad2de88fb5b11feb5

          SHA256

          5a83debb00380e088bc0e39f020384cfa24b6178556999c311f59262754248e6

          SHA512

          0c335cec4a66fdbe53ca811bbc222a226652551b7bca91fbdc21775ebb85d4537e571340f14b2ca5dc4c654566d9a5aed6fc7a9c8b1aed7b5b2b320a38cbb591

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\tmp11F.tmp.exe
          Filesize

          75KB

          MD5

          e0a68b98992c1699876f818a22b5b907

          SHA1

          d41e8ad8ba51217eb0340f8f69629ccb474484d0

          SHA256

          2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

          SHA512

          856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\tmp11F.tmp.exe
          Filesize

          75KB

          MD5

          e0a68b98992c1699876f818a22b5b907

          SHA1

          d41e8ad8ba51217eb0340f8f69629ccb474484d0

          SHA256

          2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

          SHA512

          856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\tmp11F.tmp.exe
          Filesize

          75KB

          MD5

          e0a68b98992c1699876f818a22b5b907

          SHA1

          d41e8ad8ba51217eb0340f8f69629ccb474484d0

          SHA256

          2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

          SHA512

          856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\tmp44F8.tmp.exe
          Filesize

          75KB

          MD5

          e0a68b98992c1699876f818a22b5b907

          SHA1

          d41e8ad8ba51217eb0340f8f69629ccb474484d0

          SHA256

          2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

          SHA512

          856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\tmp44F8.tmp.exe
          Filesize

          75KB

          MD5

          e0a68b98992c1699876f818a22b5b907

          SHA1

          d41e8ad8ba51217eb0340f8f69629ccb474484d0

          SHA256

          2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

          SHA512

          856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\tmp44F8.tmp.exe
          Filesize

          75KB

          MD5

          e0a68b98992c1699876f818a22b5b907

          SHA1

          d41e8ad8ba51217eb0340f8f69629ccb474484d0

          SHA256

          2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

          SHA512

          856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

          Download Submit
        • C:\Users\Default User\dllhost.exe
          Filesize

          4.9MB

          MD5

          651a327c78666e8ae5573c2f94dd9791

          SHA1

          0c351b3cbfd1298a8ea3329722b65c552e90ebba

          SHA256

          67ae6edff3979c1e05ed362c1fd572b8d7021d6e0867e1934ea5e2eea30b3b31

          SHA512

          035f9e7f202af91a3f9b1f36b4629844c39c17a05cf91b1732234d99eafcde9ae7091eb627be3afd56626cfd77d769e0f8f4122618ce87282d0a8fa364fade66

          Download Submit
        • C:\Users\Default\dllhost.exe
          Filesize

          4.9MB

          MD5

          651a327c78666e8ae5573c2f94dd9791

          SHA1

          0c351b3cbfd1298a8ea3329722b65c552e90ebba

          SHA256

          67ae6edff3979c1e05ed362c1fd572b8d7021d6e0867e1934ea5e2eea30b3b31

          SHA512

          035f9e7f202af91a3f9b1f36b4629844c39c17a05cf91b1732234d99eafcde9ae7091eb627be3afd56626cfd77d769e0f8f4122618ce87282d0a8fa364fade66

          Download Submit
        • memory/456-135-0x000000001E030000-0x000000001E558000-memory.dmp
          Filesize

          5.2MB

          Download
        • memory/456-161-0x00007FFE80D30000-0x00007FFE817F1000-memory.dmp
          Filesize

          10.8MB

          Download
        • memory/456-132-0x0000000000FF0000-0x00000000014E4000-memory.dmp
          Filesize

          5.0MB

          Download
        • memory/456-134-0x000000001C380000-0x000000001C3D0000-memory.dmp
          Filesize

          320KB

          Download
        • memory/456-144-0x00007FFE80D30000-0x00007FFE817F1000-memory.dmp
          Filesize

          10.8MB

          Download
        • memory/456-133-0x00007FFE80D30000-0x00007FFE817F1000-memory.dmp
          Filesize

          10.8MB

          Download
        • memory/1288-196-0x00007FFE80D30000-0x00007FFE817F1000-memory.dmp
          Filesize

          10.8MB

          Download
        • memory/1288-156-0x0000000000000000-mapping.dmp
          Download
        • memory/1288-174-0x00007FFE80D30000-0x00007FFE817F1000-memory.dmp
          Filesize

          10.8MB

          Download
        • memory/1336-205-0x0000000000000000-mapping.dmp
          Download
        • memory/1356-163-0x00007FFE80D30000-0x00007FFE817F1000-memory.dmp
          Filesize

          10.8MB

          Download
        • memory/1356-150-0x0000000000000000-mapping.dmp
          Download
        • memory/1356-191-0x00007FFE80D30000-0x00007FFE817F1000-memory.dmp
          Filesize

          10.8MB

          Download
        • memory/1516-214-0x0000000000000000-mapping.dmp
          Download
        • memory/1944-173-0x00007FFE80D30000-0x00007FFE817F1000-memory.dmp
          Filesize

          10.8MB

          Download
        • memory/1944-179-0x00007FFE80D30000-0x00007FFE817F1000-memory.dmp
          Filesize

          10.8MB

          Download
        • memory/1944-157-0x0000000000000000-mapping.dmp
          Download
        • memory/2196-171-0x00007FFE80D30000-0x00007FFE817F1000-memory.dmp
          Filesize

          10.8MB

          Download
        • memory/2196-185-0x00007FFE80D30000-0x00007FFE817F1000-memory.dmp
          Filesize

          10.8MB

          Download
        • memory/2196-146-0x0000000000000000-mapping.dmp
          Download
        • memory/2288-215-0x0000000000000000-mapping.dmp
          Download
        • memory/2540-213-0x0000000000400000-0x0000000000407000-memory.dmp
          Filesize

          28KB

          Download
        • memory/2540-210-0x0000000000000000-mapping.dmp
          Download
        • memory/2676-175-0x00007FFE80D30000-0x00007FFE817F1000-memory.dmp
          Filesize

          10.8MB

          Download
        • memory/2676-160-0x00007FFE80D30000-0x00007FFE817F1000-memory.dmp
          Filesize

          10.8MB

          Download
        • memory/2676-147-0x0000000000000000-mapping.dmp
          Download
        • memory/2676-159-0x000002297D1D0000-0x000002297D1F2000-memory.dmp
          Filesize

          136KB

          Download
        • memory/2948-168-0x00007FFE80D30000-0x00007FFE817F1000-memory.dmp
          Filesize

          10.8MB

          Download
        • memory/2948-189-0x00007FFE80D30000-0x00007FFE817F1000-memory.dmp
          Filesize

          10.8MB

          Download
        • memory/2948-152-0x0000000000000000-mapping.dmp
          Download
        • memory/3876-172-0x00007FFE80D30000-0x00007FFE817F1000-memory.dmp
          Filesize

          10.8MB

          Download
        • memory/3876-193-0x00007FFE80D30000-0x00007FFE817F1000-memory.dmp
          Filesize

          10.8MB

          Download
        • memory/3876-155-0x0000000000000000-mapping.dmp
          Download
        • memory/3984-167-0x00007FFE80D30000-0x00007FFE817F1000-memory.dmp
          Filesize

          10.8MB

          Download
        • memory/3984-194-0x00007FFE80D30000-0x00007FFE817F1000-memory.dmp
          Filesize

          10.8MB

          Download
        • memory/3984-151-0x0000000000000000-mapping.dmp
          Download
        • memory/4144-140-0x0000000000000000-mapping.dmp
          Download
        • memory/4144-141-0x0000000000400000-0x0000000000407000-memory.dmp
          Filesize

          28KB

          Download
        • memory/4144-143-0x0000000000400000-0x0000000000407000-memory.dmp
          Filesize

          28KB

          Download
        • memory/4144-145-0x0000000000400000-0x0000000000407000-memory.dmp
          Filesize

          28KB

          Download
        • memory/4208-154-0x0000000000000000-mapping.dmp
          Download
        • memory/4208-188-0x00007FFE80D30000-0x00007FFE817F1000-memory.dmp
          Filesize

          10.8MB

          Download
        • memory/4208-170-0x00007FFE80D30000-0x00007FFE817F1000-memory.dmp
          Filesize

          10.8MB

          Download
        • memory/4392-166-0x0000000000000000-mapping.dmp
          Download
        • memory/4440-198-0x00007FFE80D30000-0x00007FFE817F1000-memory.dmp
          Filesize

          10.8MB

          Download
        • memory/4440-153-0x0000000000000000-mapping.dmp
          Download
        • memory/4440-169-0x00007FFE80D30000-0x00007FFE817F1000-memory.dmp
          Filesize

          10.8MB

          Download
        • memory/4468-148-0x0000000000000000-mapping.dmp
          Download
        • memory/4468-164-0x00007FFE80D30000-0x00007FFE817F1000-memory.dmp
          Filesize

          10.8MB

          Download
        • memory/4468-190-0x00007FFE80D30000-0x00007FFE817F1000-memory.dmp
          Filesize

          10.8MB

          Download
        • memory/4500-192-0x00007FFE80D30000-0x00007FFE817F1000-memory.dmp
          Filesize

          10.8MB

          Download
        • memory/4500-149-0x0000000000000000-mapping.dmp
          Download
        • memory/4500-162-0x00007FFE80D30000-0x00007FFE817F1000-memory.dmp
          Filesize

          10.8MB

          Download
        • memory/4716-158-0x0000000000000000-mapping.dmp
          Download
        • memory/4856-204-0x00007FFE80D60000-0x00007FFE81821000-memory.dmp
          Filesize

          10.8MB

          Download
        • memory/4856-199-0x0000000000000000-mapping.dmp
          Download
        • memory/4856-203-0x00007FFE80D60000-0x00007FFE81821000-memory.dmp
          Filesize

          10.8MB

          Download
        • memory/4856-202-0x0000000000350000-0x0000000000844000-memory.dmp
          Filesize

          5.0MB

          Download
        • memory/4860-139-0x0000000000F1B000-0x0000000000F21000-memory.dmp
          Filesize

          24KB

          Download
        • memory/4860-136-0x0000000000000000-mapping.dmp
          Download