Analysis
-
max time kernel
149s -
max time network
155s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
17-09-2024 22:12
General
-
Target
6f00291aa8d783e5a5949251820dc4fe03a732a206890d7f4b3902f8994819e6.exe
-
Size
4.9MB
-
MD5
58bf250686082cc8e02eea346661ea7f
-
SHA1
a465d280d33acc4ad04dc92ec4994703d8868ade
-
SHA256
6f00291aa8d783e5a5949251820dc4fe03a732a206890d7f4b3902f8994819e6
-
SHA512
881421c58bcc9570c5f4889a1bd79fad81fb2863c46369a84fd8a2506167fd749e72f4f75b8b2ededb79d7694baf54193057887d7f50dd7b786e67e09a1c392b
-
SSDEEP
49152:jl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:
Score
10/10
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Process spawned unexpected child process 48 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
UAC bypass 3 TTPs 30 IoCs
-
DCRat payload 1 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Executes dropped EXE 9 IoCs
-
Checks whether UAC is enabled 1 TTPs 20 IoCs
-
Drops file in Program Files directory 24 IoCs
-
Drops file in Windows directory 9 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Scheduled Task/Job: Scheduled Task 1 TTPs 48 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 26 IoCs
-
Suspicious use of AdjustPrivilegeToken 22 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 30 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\6f00291aa8d783e5a5949251820dc4fe03a732a206890d7f4b3902f8994819e6.exe"C:\Users\Admin\AppData\Local\Temp\6f00291aa8d783e5a5949251820dc4fe03a732a206890d7f4b3902f8994819e6.exe"1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TiyNQFHINv.bat"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:23⤵
-
C:\MSOCache\All Users\taskhost.exe"C:\MSOCache\All Users\taskhost.exe"3⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\49c61d14-ccf5-4da0-b0a4-f708531bfbb8.vbs"4⤵
- Suspicious use of WriteProcessMemory
-
C:\MSOCache\All Users\taskhost.exe"C:\MSOCache\All Users\taskhost.exe"5⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eee55304-e4d8-44aa-be74-168d654ef574.vbs"6⤵
- Suspicious use of WriteProcessMemory
-
C:\MSOCache\All Users\taskhost.exe"C:\MSOCache\All Users\taskhost.exe"7⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d6cb3dee-2eda-4aa8-a0e8-5fc21f27a8e8.vbs"8⤵
-
C:\MSOCache\All Users\taskhost.exe"C:\MSOCache\All Users\taskhost.exe"9⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\20bfd06b-2f44-4a0d-8bfa-273e6de71e15.vbs"10⤵
-
C:\MSOCache\All Users\taskhost.exe"C:\MSOCache\All Users\taskhost.exe"11⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7238364e-730f-4248-9632-2cea205953b0.vbs"12⤵
-
C:\MSOCache\All Users\taskhost.exe"C:\MSOCache\All Users\taskhost.exe"13⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\034ba1b6-77ba-4d33-ab1b-22d98d2505ae.vbs"14⤵
-
C:\MSOCache\All Users\taskhost.exe"C:\MSOCache\All Users\taskhost.exe"15⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\29ee1dc1-444f-4ec7-942e-4e9d8a6cffbb.vbs"16⤵
-
C:\MSOCache\All Users\taskhost.exe"C:\MSOCache\All Users\taskhost.exe"17⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\454983fa-01c0-4fe5-a1e1-e44aed01a0cb.vbs"18⤵
-
C:\MSOCache\All Users\taskhost.exe"C:\MSOCache\All Users\taskhost.exe"19⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\26185d7b-bc9b-43f3-a30a-4490d467b64f.vbs"20⤵
-
C:\MSOCache\All Users\taskhost.exe"C:\MSOCache\All Users\taskhost.exe"21⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\68d86a6f-bbc0-40a0-bad0-d9da1a22f210.vbs"20⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c55b5e11-4af9-49eb-8650-0fdeaba0847f.vbs"18⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d2a2ba86-c19f-4d5a-9373-a9c0a2fe0746.vbs"16⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ea46c478-f9a6-48dd-9b16-19b04c5086a5.vbs"14⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f5e1c9bc-fff4-4b90-8586-36d9e8a7b8df.vbs"12⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7cb94d52-6cab-46c3-bdac-49d2a46d5ae0.vbs"10⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\379d5f15-7db2-4df7-8a67-fed6762fe017.vbs"8⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8d0f0720-5c1b-4863-b771-ea497df292c2.vbs"6⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f08ba8dc-3ec9-4357-a644-76973ba58e8d.vbs"4⤵
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\System.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Media Player\Network Sharing\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\Network Sharing\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Media Player\Network Sharing\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\winlogon.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\explorer.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Recovery\53190a62-69f6-11ef-9f57-62cb582c238c\Idle.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\53190a62-69f6-11ef-9f57-62cb582c238c\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Recovery\53190a62-69f6-11ef-9f57-62cb582c238c\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Default User\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Program Files\Uninstall Information\winlogon.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Program Files\Uninstall Information\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Windows\inf\UGTHRSVC\sppsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\inf\UGTHRSVC\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Windows\inf\UGTHRSVC\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Mail\winlogon.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Mail\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Program Files\Mozilla Firefox\taskhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Program Files\Mozilla Firefox\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "6f00291aa8d783e5a5949251820dc4fe03a732a206890d7f4b3902f8994819e66" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\6f00291aa8d783e5a5949251820dc4fe03a732a206890d7f4b3902f8994819e6.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "6f00291aa8d783e5a5949251820dc4fe03a732a206890d7f4b3902f8994819e6" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\6f00291aa8d783e5a5949251820dc4fe03a732a206890d7f4b3902f8994819e6.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "6f00291aa8d783e5a5949251820dc4fe03a732a206890d7f4b3902f8994819e66" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\6f00291aa8d783e5a5949251820dc4fe03a732a206890d7f4b3902f8994819e6.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Program Files\Uninstall Information\taskhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Program Files\Uninstall Information\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\taskhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\Recovery\53190a62-69f6-11ef-9f57-62cb582c238c\OSPPSVC.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Recovery\53190a62-69f6-11ef-9f57-62cb582c238c\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\Recovery\53190a62-69f6-11ef-9f57-62cb582c238c\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\dwm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Matrix ATT&CK v13
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\MSOCache\All Users\taskhost.exeFilesize
4.9MB
MD5607fc21493b0bfe19df65ec8c86ee13c
SHA1143fe9b9d66305f72f825a548ab381dec4a22288
SHA25699e3f7b5ce46d3d8aa3c191fe3ef374b416a70189a57fd8686695726c644dc28
SHA51235dd487514ca4477fdc4ce7ab2342e861b235b2db361a47515c87993786d85275d075599ff5b72e52ce7d37721ceb1912b084a12e8103e120f7502a6b79a44d0
-
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\csrss.exeFilesize
4.9MB
MD558bf250686082cc8e02eea346661ea7f
SHA1a465d280d33acc4ad04dc92ec4994703d8868ade
SHA2566f00291aa8d783e5a5949251820dc4fe03a732a206890d7f4b3902f8994819e6
SHA512881421c58bcc9570c5f4889a1bd79fad81fb2863c46369a84fd8a2506167fd749e72f4f75b8b2ededb79d7694baf54193057887d7f50dd7b786e67e09a1c392b
-
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\RCXE7A2.tmpFilesize
4.9MB
MD56f93fb4cc3b2fb23f2979df2481ca4eb
SHA1f5899c32d698bbe1f7196e3e332ed9f74fbac018
SHA256725d184e4980e12a14ad61143a5d52a943411ce6e4eb44f5f07036e1c3a3f348
SHA5129bb0d7ff611f7b5fba3cbd3353f8483705d97c673ac60ce96d5322efcd4b16c84cd6afdca26c2d54ddd609c0ed4df6ca7a0ea013be04b004cfbfd11ca34ed5be
-
C:\Recovery\53190a62-69f6-11ef-9f57-62cb582c238c\RCXE57F.tmpFilesize
4.9MB
MD5ca507bbf8a9cc5879d9eddb4d0e06fbe
SHA10a20459d876b3e7953c5ee45d77140aeb909e763
SHA2562cdd4a71190e7731100db8edcf65cf0aa96817cf2d3da54866a1227e5d3539d1
SHA51279859a4ee9dcf628f359aba8cddef0f62588859f9d1c08dd6b1bfad087ecc0aa3decc2ee52c7150e1c7a7116fe32d82d274622942b40371295071f13dd3da9d2
-
C:\Users\Admin\AppData\Local\Temp\034ba1b6-77ba-4d33-ab1b-22d98d2505ae.vbsFilesize
709B
MD50da710ab447efaa92a905a261f037da2
SHA1061d17c378d2600333159559e506d691dde2fb6c
SHA25669b58bf32b40a76938e3c3b511fe74ed59eb87ba1d6534ced65b79267b13df9a
SHA5124e5b1efb1e9c260ee3c42f3de7e2d33b618232d30f3d81238e151b3b58864a397854a3987da151614cdf7f5ee32a29f318c052b7dea902c3ac82958ed2f62e90
-
C:\Users\Admin\AppData\Local\Temp\20bfd06b-2f44-4a0d-8bfa-273e6de71e15.vbsFilesize
710B
MD56bfabb0b994707a2c7a93d00adb043a7
SHA12c18b8527a6db1d5f76eb8755638a1fe1ceac48b
SHA2565572dd6151a46a1ad28bcb79ce02016494031c3411e00f96ca99afd3d2c42fb8
SHA512a5856793eb08df3ea01fc125607575a3d2697d6b29c92438c105b63b51d187a68000cadcb5399fc4bf339ef7bf56ab55bbc2c91184154246874a3e72048ba755
-
C:\Users\Admin\AppData\Local\Temp\26185d7b-bc9b-43f3-a30a-4490d467b64f.vbsFilesize
710B
MD5ae49bf7cf74186f8796f68bd88e94722
SHA11dfe1797b61976647c21366727fc2571dc3f0ee9
SHA256c25f9b755bfa6defb2c197a3ee6f74cd32a6699f12ff9d590b0593dde8148013
SHA51206498aa927ed0733bcb564ef08f77a147341e63567da82d0e1e54ca94e918957d01f06687ff1ffeed58a49bb9efb5c249a1e82b9164a63727e0a6f88ea75295f
-
C:\Users\Admin\AppData\Local\Temp\29ee1dc1-444f-4ec7-942e-4e9d8a6cffbb.vbsFilesize
710B
MD5d7a8fdea0c2dee112d0321ccc5386e2e
SHA1adcf0d541caec8124cec6ff32ef6496e34aaa98f
SHA25642aa8b155b148423a29000a04da82902f4d9e3036ff6139ab582e9954ad124ec
SHA512a6d359c788862770fe4642adee09bd0c7238da032e708a124536a678feabdce38b3ffce5818de6d04642ce1c91d25fd0470fb550d16909ac7dc6747a2586f8f4
-
C:\Users\Admin\AppData\Local\Temp\454983fa-01c0-4fe5-a1e1-e44aed01a0cb.vbsFilesize
710B
MD51b85e1fdfa1b1e90b767fb8a82df5562
SHA1bf25d27d116249fd6b62952f06fd1ce54a56d95f
SHA256422c23034710a4c919a9e41932c2f6d2e4d74d7d416d7f626e1ad23bdc35a838
SHA512d69cef724a770f4be999de254115d29c0e2e528337084c90f8f587f83a95809d3d67e1222cdb3eb6d7e5e903577662f4e23f1d8a95b0abb7a5162ffea7e856c4
-
C:\Users\Admin\AppData\Local\Temp\49c61d14-ccf5-4da0-b0a4-f708531bfbb8.vbsFilesize
710B
MD5aa9c8b48cccc114a0fc5bf934ff25b4b
SHA163478eead11904484f7d80dfe22602cc06a801f7
SHA2560d84036b07c21fd5c9a7902f95257d89ba18dfd9d3db0d51c5843dfabc43db99
SHA512fa1b9d3dd623bfe96ef1198ce4449044be50401cd6bc252a2636fc714ed5ab925d26add9037f0b0e79280dfecd186de386009c792038f1bde2a00443833e21ca
-
C:\Users\Admin\AppData\Local\Temp\7238364e-730f-4248-9632-2cea205953b0.vbsFilesize
710B
MD5af650467a7814bff600bc791591cc3bb
SHA10744d99f1fc5a021a23ba818869513ec95ae3576
SHA25692929167e589ccc9699c7c1aa6c5821ec707b325c847ac5534d3c4dff4c85bed
SHA512e06c07ad1e649c3d1f0a2ca119fd78f310d4f23dfe7c7ab0e373c732751f90c439a7b15126a2d4795d2cd44bd687662a57171d757ac0a7bee12f44f26756ddec
-
C:\Users\Admin\AppData\Local\Temp\TiyNQFHINv.batFilesize
199B
MD5b19a26104aea041e110fb245e335b263
SHA1c478dc8e12c3fb9871036d668d2a55ac3f57693b
SHA256b21a2b6a54e7e88da5fff8eb4551f6588f9a7979130bece59e3b93bd88d03977
SHA512d6c44f83fe3aa04bbdd28a2060576efa84a7ad5abdff23a678d85862855f196552426714e4dd388d6fa70b215a74e349b93aa88aab1707ea7337c819c9807588
-
C:\Users\Admin\AppData\Local\Temp\d6cb3dee-2eda-4aa8-a0e8-5fc21f27a8e8.vbsFilesize
710B
MD5d3fdb1377eb6b7bd3d29030ef9756f8d
SHA19911fb8c4a1848dc8b372413952f1b9efac00e5b
SHA2567522db82d56f532a2a0d8f86d70230f8e630c88387219de6a44c24ab3493ddab
SHA51220b13ecfc26ed41f996ab5678ac1410f33f3fef584d2d454f0aa196e19a5cb267cd950c0b91c5e2268d97578ec9ab6b619875a1d8336c2d2aef9728f074ab268
-
C:\Users\Admin\AppData\Local\Temp\eee55304-e4d8-44aa-be74-168d654ef574.vbsFilesize
710B
MD5418c2166abfce51f46e0d20b65bf86b4
SHA14929ba4e21c242baaacdb6234f3140d4770e8e34
SHA25649a6a06d9230b83ecfe42b0a2d4530e3fd186ec42c222fa603e8799e02a18978
SHA512ed42ff886c2af1a55bfbcfd5dc495b82939124dd10bda54bafaa2f535f04cb78f4e2563f924c518048a64cfcfaa2f638071d05c466fd1a1383504b5e41b329a3
-
C:\Users\Admin\AppData\Local\Temp\f08ba8dc-3ec9-4357-a644-76973ba58e8d.vbsFilesize
486B
MD5a4e97d7d8bddd6b55054f08ec11719f8
SHA161705646aa369be41c54dfc080b641fe5289b456
SHA2566a2b38b501ce7a84071da05b85613bfa6ae72ca6163b580ca0878a94f604f32f
SHA512d1b1125764b83d0ca9781d3fc4d69ad288e1b78d35795e44a6061787f6332fc696486b1aa6dda2f9ad8084fe030c195416113cd29d4cfb452e509d5881061468
-
C:\Users\Admin\AppData\Local\Temp\tmp1C57.tmp.exeFilesize
75KB
MD5e0a68b98992c1699876f818a22b5b907
SHA1d41e8ad8ba51217eb0340f8f69629ccb474484d0
SHA2562b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f
SHA512856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msFilesize
7KB
MD59c46039068823c35d62d8cee22e47526
SHA1fdcdfde0e35fdcf28357fa9ac86bf0372bf1701b
SHA25696945171a526a2bdbb5c6cfd24eb72e18bfe30bdb50f1e47c35fa76206a20a7b
SHA512936973d63dd2fd67f70db2306b97d8a763c8aa98eaa6d9da184a7f04f0b124d7818d013778f75a6b2194f1ed94c1a27b80c00e467c5fbfaf15678a07c5d78cc7
-
memory/1388-179-0x0000000002590000-0x0000000002598000-memory.dmpFilesize
32KB
-
memory/1388-178-0x000000001B0E0000-0x000000001B3C2000-memory.dmpFilesize
2.9MB
-
memory/1736-362-0x0000000000B90000-0x0000000001084000-memory.dmpFilesize
5.0MB
-
memory/2436-11-0x0000000000A10000-0x0000000000A1A000-memory.dmpFilesize
40KB
-
memory/2436-4-0x0000000000310000-0x000000000032C000-memory.dmpFilesize
112KB
-
memory/2436-93-0x000007FEF5E63000-0x000007FEF5E64000-memory.dmpFilesize
4KB
-
memory/2436-16-0x000000001AA90000-0x000000001AA9C000-memory.dmpFilesize
48KB
-
memory/2436-186-0x000007FEF5E60000-0x000007FEF684C000-memory.dmpFilesize
9.9MB
-
memory/2436-15-0x000000001AA80000-0x000000001AA88000-memory.dmpFilesize
32KB
-
memory/2436-14-0x000000001AA70000-0x000000001AA78000-memory.dmpFilesize
32KB
-
memory/2436-13-0x0000000000BB0000-0x0000000000BBE000-memory.dmpFilesize
56KB
-
memory/2436-1-0x0000000000330000-0x0000000000824000-memory.dmpFilesize
5.0MB
-
memory/2436-12-0x0000000000BA0000-0x0000000000BAE000-memory.dmpFilesize
56KB
-
memory/2436-0-0x000007FEF5E63000-0x000007FEF5E64000-memory.dmpFilesize
4KB
-
memory/2436-10-0x0000000000A00000-0x0000000000A12000-memory.dmpFilesize
72KB
-
memory/2436-9-0x00000000009F0000-0x00000000009FA000-memory.dmpFilesize
40KB
-
memory/2436-2-0x000000001B4E0000-0x000000001B60E000-memory.dmpFilesize
1.2MB
-
memory/2436-8-0x0000000000960000-0x0000000000970000-memory.dmpFilesize
64KB
-
memory/2436-3-0x000007FEF5E60000-0x000007FEF684C000-memory.dmpFilesize
9.9MB
-
memory/2436-7-0x0000000000940000-0x0000000000956000-memory.dmpFilesize
88KB
-
memory/2436-6-0x0000000000930000-0x0000000000940000-memory.dmpFilesize
64KB
-
memory/2436-5-0x0000000000200000-0x0000000000208000-memory.dmpFilesize
32KB
-
memory/2436-108-0x000007FEF5E60000-0x000007FEF684C000-memory.dmpFilesize
9.9MB
-
memory/2648-346-0x0000000000350000-0x0000000000844000-memory.dmpFilesize
5.0MB
-
memory/2648-347-0x0000000000970000-0x0000000000982000-memory.dmpFilesize
72KB
-
memory/2860-232-0x0000000000A70000-0x0000000000F64000-memory.dmpFilesize
5.0MB
-
memory/2916-260-0x0000000000FE0000-0x00000000014D4000-memory.dmpFilesize
5.0MB
-
memory/2964-275-0x0000000001320000-0x0000000001814000-memory.dmpFilesize
5.0MB