dcrat | dfe9f39426e9f5c49dfd52ec6dcf91a679af24d2e5a6119a139b9bdf1525655d

Analysis

max time kernel
126s
max time network
149s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
23/01/2025, 15:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

taskhostw.exe
Size

1.2MB
MD5

ac904ffc13b5f221270f475065687b59
SHA1

ed6b4383582eae7b72064a10e33cebc6fd3690e5
SHA256

963a316c03e4f88df946a43d537f6ed2d2001eaafcde40bdb52cd15104112606
SHA512

9626483209d8546c835c94cfffd89e1cf6ae813730d04dfdb9b4b4019e12ee0c9166fa76fb47426251f6e669d6c63037718ffb8c8366766cadca1a9f78c91559
SSDEEP

12288:URZ+IoG/n9IQxW3OBseUUT+tcYbqTHSOOJVu1SNEC8m+P1BAyrQ/ta3iruJtDwbD:u2G/nvxW3WieC2nOJVrj8m+aSDwbA9Nq

Score

10^/10

dcrat credential_access defense_evasion discovery infostealer rat spyware stealer trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 48 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2740	2932	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2692	2932	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2944	2932	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2652	2932	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2724	2932	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2684	2932	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2992	2932	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1804	2932	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1984	2932	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1648	2932	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	932	2932	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1152	2932	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1008	2932	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1784	2932	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2640	2932	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1264	2932	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2848	2932	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1944	2932	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2040	2932	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3044	2932	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2956	2932	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2516	2932	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2432	2932	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2384	2932	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3028	2932	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	916	2932	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	896	2932	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2184	2932	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	820	2932	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1496	2932	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1340	2932	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	960	2932	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1736	2932	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1164	2932	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1688	2932	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1528	2932	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	648	2932	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1144	2932	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2240	2932	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1620	2932	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2276	2932	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1852	2932	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2712	2932	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2576	2932	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1732	2932	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2328	2932	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1660	2932	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1300	2932	schtasks.exe	35

UAC bypass 3 TTPs 6 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ComfontHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ComfontHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ComfontHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0007000000016cab-11.dat	dcrat
behavioral1/memory/2756-13-0x00000000013C0000-0x00000000014AC000-memory.dmp	dcrat
behavioral1/memory/2620-55-0x0000000000B80000-0x0000000000C6C000-memory.dmp	dcrat

Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004

Deletes itself 1 IoCs

pid	Process
2620	OSPPSVC.exe

Executes dropped EXE 2 IoCs

pid	Process
2756	ComfontHost.exe
2620	OSPPSVC.exe

Loads dropped DLL 2 IoCs

pid	Process
2440	cmd.exe
2440	cmd.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Checks whether UAC is enabled 1 TTPs 4 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ComfontHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ComfontHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly\Desktop.ini	OSPPSVC.exe

Drops autorun.inf file 1 TTPs 1 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	C:\Windows\BitLockerDiscoveryVolumeContents\autorun.inf	OSPPSVC.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\System.Windows.Presentation.resources.dll	OSPPSVC.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\32.png	OSPPSVC.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\ja-JP\msdaprsr.dll.mui	OSPPSVC.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\babypink.png	OSPPSVC.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\whitevignette1047.png	OSPPSVC.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\en-US\currency.html	OSPPSVC.exe
File opened for modification	C:\Program Files\Windows Media Player\es-ES\WMPDMC.exe.mui	OSPPSVC.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\Ole DB\en-US\sqloledb.rll.mui	OSPPSVC.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\js\settings.js	OSPPSVC.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_blue_snow.png	OSPPSVC.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\images\dial_lrg_sml.png	OSPPSVC.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\FlickLearningWizard.exe.mui	OSPPSVC.exe
File opened for modification	C:\Program Files\Windows Media Player\it-IT\WMPDMC.exe.mui	OSPPSVC.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\square_h.png	OSPPSVC.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\css\localizedSettings.css	OSPPSVC.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\es\PresentationCore.resources.dll	OSPPSVC.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\InputPersonalization.exe.mui	OSPPSVC.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\MpAsDesc.dll.mui	OSPPSVC.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\de-DE\micaut.dll.mui	OSPPSVC.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\es-ES\js\calendar.js	OSPPSVC.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Onix32.dll	OSPPSVC.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-Bold.otf	OSPPSVC.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\120DPI\(120DPI)alertIcon.png	OSPPSVC.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\Notes_btn-back-static.png	OSPPSVC.exe
File opened for modification	C:\Program Files (x86)\Windows NT\Accessories\WordpadFilter.dll	OSPPSVC.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hwresslm.dat	OSPPSVC.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOffNotificationInTray.gif	OSPPSVC.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\de\PresentationFramework.resources.dll	OSPPSVC.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\fr\System.IdentityModel.Selectors.Resources.dll	OSPPSVC.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\System.Printing.resources.dll	OSPPSVC.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\js\library.js	OSPPSVC.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\msadc\en-US\msadcor.dll.mui	OSPPSVC.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf	OSPPSVC.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	OSPPSVC.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\clock.html	OSPPSVC.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\fr-FR\wmlaunch.exe.mui	OSPPSVC.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\js\RSSFeeds.js	OSPPSVC.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Dotted_Lines.emf	OSPPSVC.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_distributed.gif	OSPPSVC.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\Ole DB\de-DE\oledb32r.dll.mui	OSPPSVC.exe
File opened for modification	C:\Program Files\Windows Mail\ja-JP\WinMail.exe.mui	OSPPSVC.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\js\settings.js	OSPPSVC.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\navBack.png	OSPPSVC.exe
File opened for modification	C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\TTS20\en-US\MSTTSFrontendENU.dll	OSPPSVC.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\es\ReachFramework.resources.dll	OSPPSVC.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\IpsMigrationPlugin.dll.mui	OSPPSVC.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\zh-phonetic.xml	OSPPSVC.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_photo_Thumbnail.bmp	OSPPSVC.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\ja\System.Printing.resources.dll	OSPPSVC.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\flower_h.png	OSPPSVC.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\picturePuzzle.html	OSPPSVC.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Postage_SelectionSubpicture.png	OSPPSVC.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_gray_thunderstorm.png	OSPPSVC.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\TableTextServiceSimplifiedShuangPin.txt	OSPPSVC.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Tiki.gif	OSPPSVC.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\fr-FR\oledb32r.dll.mui	OSPPSVC.exe
File opened for modification	C:\Program Files\Windows Defender\MsMpRes.dll	OSPPSVC.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\settings.html	OSPPSVC.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\System.Web.Entity.Resources.dll	OSPPSVC.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\de-DE\msoeres.dll.mui	OSPPSVC.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\1047x576_91n92.png	OSPPSVC.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\UIAutomationClientsideProviders.resources.dll	OSPPSVC.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\btn_search_over.png	OSPPSVC.exe
File opened for modification	C:\Program Files\Windows Media Player\Media Renderer\DMR_48.png	OSPPSVC.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Help\mui\0C0A\snmp.CHM	OSPPSVC.exe
File opened for modification	C:\Windows\Help\Windows\de-DE\mail.h1s	OSPPSVC.exe
File opened for modification	C:\Windows\Help\Windows\fr-FR\video.H1S	OSPPSVC.exe
File opened for modification	C:\Windows\ehome\es-ES\ehSidebarRes.dll.mui	OSPPSVC.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-ParentalControls-Package~31bf3856ad364e35~amd64~es-ES~6.1.7601.17514.cat	OSPPSVC.exe
File opened for modification	C:\Windows\PolicyDefinitions\ja-JP\RacWmiProv.adml	OSPPSVC.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\es\Microsoft.Transactions.Bridge.Dtc.Resources.dll	OSPPSVC.exe
File opened for modification	C:\Windows\diagnostics\system\Power\fr-FR\RS_ResetIdleSleepsetting.psd1	OSPPSVC.exe
File opened for modification	C:\Windows\ehome\segmcr.ttf	OSPPSVC.exe
File opened for modification	C:\Windows\ehome\ehprivjob.exe	OSPPSVC.exe
File opened for modification	C:\Windows\Globalization\MCT\MCT-GB\Wallpaper\GB-wp3.jpg	OSPPSVC.exe
File opened for modification	C:\Windows\Cursors\size1_im.cur	OSPPSVC.exe
File opened for modification	C:\Windows\Help\Windows\en-US\network.h1s	OSPPSVC.exe
File opened for modification	C:\Windows\L2Schemas\OneX_v1.xsd	OSPPSVC.exe
File opened for modification	C:\Windows\Fonts\cvgafix.fon	OSPPSVC.exe
File opened for modification	C:\Windows\Cursors\busy_r.cur	OSPPSVC.exe
File opened for modification	C:\Windows\Cursors\up_r.cur	OSPPSVC.exe
File opened for modification	C:\Windows\PLA\Rules\it-IT\Rules.System.Wired.xml	OSPPSVC.exe
File opened for modification	C:\Windows\Help\Windows\es-ES\buttons.h1s	OSPPSVC.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\1033\CvtResUI.dll	OSPPSVC.exe
File opened for modification	C:\Windows\PolicyDefinitions\ja-JP\FramePanes.adml	OSPPSVC.exe
File opened for modification	C:\Windows\diagnostics\system\WindowsMediaPlayerPlayDVD\fr-FR\CL_LocalizationData.psd1	OSPPSVC.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\it\System.Runtime.Remoting.Resources.dll	OSPPSVC.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\prc.nlp	OSPPSVC.exe
File opened for modification	C:\Windows\diagnostics\system\Performance\TS_MultipleAntivirusProducts.ps1	OSPPSVC.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\JA\System.Transactions.resources.dll	OSPPSVC.exe
File opened for modification	C:\Windows\Help\Windows\es-ES\games.h1s	OSPPSVC.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\System.Web.tlb	OSPPSVC.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\es\System.EnterpriseServices.Resources.dll	OSPPSVC.exe
File opened for modification	C:\Windows\Help\Windows\en-US\wasw.h1s	OSPPSVC.exe
File opened for modification	C:\Windows\Help\Windows\es-ES\license.h1s	OSPPSVC.exe
File opened for modification	C:\Windows\Help\Windows\es-ES\mail.h1s	OSPPSVC.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\it\Microsoft.JScript.Resources.dll	OSPPSVC.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-MediaPlayback-OC-Package~31bf3856ad364e35~amd64~it-IT~6.1.7601.17514.cat	OSPPSVC.exe
File opened for modification	C:\Windows\Help\Windows\en-US\sync.h1s	OSPPSVC.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\es\System.EnterpriseServices.Resources.dll	OSPPSVC.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-Backup-Package~31bf3856ad364e35~amd64~de-DE~6.1.7601.17514.mum	OSPPSVC.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-PlatformUpdate-Win7-SRV08R2-Package~31bf3856ad364e35~amd64~nb-NO~7.1.7601.16492.cat	OSPPSVC.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\JA\ShFusRes.dll	OSPPSVC.exe
File opened for modification	C:\Windows\PolicyDefinitions\fr-FR\Desktop.adml	OSPPSVC.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\DE\aspnet_rc.dll	OSPPSVC.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-Disk-Diagnosis-Package~31bf3856ad364e35~amd64~en-US~6.1.7601.17514.cat	OSPPSVC.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\1041\Vsavb7rtUI.dll	OSPPSVC.exe
File opened for modification	C:\Windows\diagnostics\scheduled\Maintenance\RS_AdminDiagnosticHistory.ps1	OSPPSVC.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Media-Foundation-Package~31bf3856ad364e35~amd64~it-IT~6.1.7601.17514.cat	OSPPSVC.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-CodecPack-Basic-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.mum	OSPPSVC.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-OfflineFiles-Package~31bf3856ad364e35~amd64~it-IT~6.1.7601.17514.mum	OSPPSVC.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_wp.exe	OSPPSVC.exe
File opened for modification	C:\Windows\Help\Windows\it-IT\winmeetb.h1s	OSPPSVC.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\cscompmgd.dll	OSPPSVC.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\shfusion.dll	OSPPSVC.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\es\Microsoft.VisualBasic.resources.dll	OSPPSVC.exe
File opened for modification	C:\Windows\PolicyDefinitions\en-US\PreviousVersions.adml	OSPPSVC.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-RemoteAssistance-Package-Client~31bf3856ad364e35~amd64~ja-JP~6.1.7601.17514.mum	OSPPSVC.exe
File opened for modification	C:\Windows\Media\Quirky\Windows Feed Discovered.wav	OSPPSVC.exe
File opened for modification	C:\Windows\Help\mui\040C\diskmgt.CHM	OSPPSVC.exe
File opened for modification	C:\Windows\Help\Windows\es-ES\perf.h1s	OSPPSVC.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_mfcm100_x86	OSPPSVC.exe
File opened for modification	C:\Windows\Media\Savanna\Windows Navigation Start.wav	OSPPSVC.exe
File opened for modification	C:\Windows\PLA\Rules\fr-FR\Rules.System.Configuration.xml	OSPPSVC.exe
File opened for modification	C:\Windows\PolicyDefinitions\es-ES\EventViewer.adml	OSPPSVC.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\fr\Microsoft.Transactions.Bridge.Dtc.Resources.dll	OSPPSVC.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\it\System.Data.Resources.dll	OSPPSVC.exe
File opened for modification	C:\Windows\Cursors\aero_nwse_l.cur	OSPPSVC.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskhostw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 48 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2040	schtasks.exe
896	schtasks.exe
820	schtasks.exe
1496	schtasks.exe
1164	schtasks.exe
2184	schtasks.exe
1340	schtasks.exe
1528	schtasks.exe
2328	schtasks.exe
2944	schtasks.exe
2724	schtasks.exe
1648	schtasks.exe
3028	schtasks.exe
960	schtasks.exe
648	schtasks.exe
1144	schtasks.exe
1620	schtasks.exe
1944	schtasks.exe
1688	schtasks.exe
2240	schtasks.exe
2276	schtasks.exe
1852	schtasks.exe
2692	schtasks.exe
2684	schtasks.exe
2992	schtasks.exe
1008	schtasks.exe
1264	schtasks.exe
2712	schtasks.exe
1300	schtasks.exe
2652	schtasks.exe
1804	schtasks.exe
1984	schtasks.exe
932	schtasks.exe
1784	schtasks.exe
2848	schtasks.exe
3044	schtasks.exe
2384	schtasks.exe
2576	schtasks.exe
2740	schtasks.exe
1152	schtasks.exe
2956	schtasks.exe
2516	schtasks.exe
2432	schtasks.exe
916	schtasks.exe
2640	schtasks.exe
1736	schtasks.exe
1732	schtasks.exe
1660	schtasks.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
2756	ComfontHost.exe
2756	ComfontHost.exe
2756	ComfontHost.exe
2756	ComfontHost.exe
2756	ComfontHost.exe
2756	ComfontHost.exe
2756	ComfontHost.exe
2620	OSPPSVC.exe
2620	OSPPSVC.exe
2620	OSPPSVC.exe
2620	OSPPSVC.exe
2620	OSPPSVC.exe
2620	OSPPSVC.exe
2620	OSPPSVC.exe
2620	OSPPSVC.exe
2620	OSPPSVC.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2756	ComfontHost.exe
Token: SeDebugPrivilege	2620	OSPPSVC.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2368 wrote to memory of 2352	2368	taskhostw.exe	30
PID 2368 wrote to memory of 2352	2368	taskhostw.exe	30
PID 2368 wrote to memory of 2352	2368	taskhostw.exe	30
PID 2368 wrote to memory of 2352	2368	taskhostw.exe	30
PID 2352 wrote to memory of 2440	2352	WScript.exe	32
PID 2352 wrote to memory of 2440	2352	WScript.exe	32
PID 2352 wrote to memory of 2440	2352	WScript.exe	32
PID 2352 wrote to memory of 2440	2352	WScript.exe	32
PID 2440 wrote to memory of 2756	2440	cmd.exe	34
PID 2440 wrote to memory of 2756	2440	cmd.exe	34
PID 2440 wrote to memory of 2756	2440	cmd.exe	34
PID 2440 wrote to memory of 2756	2440	cmd.exe	34
PID 2756 wrote to memory of 2044	2756	ComfontHost.exe	84
PID 2756 wrote to memory of 2044	2756	ComfontHost.exe	84
PID 2756 wrote to memory of 2044	2756	ComfontHost.exe	84
PID 2044 wrote to memory of 2448	2044	cmd.exe	86
PID 2044 wrote to memory of 2448	2044	cmd.exe	86
PID 2044 wrote to memory of 2448	2044	cmd.exe	86
PID 2044 wrote to memory of 2620	2044	cmd.exe	87
PID 2044 wrote to memory of 2620	2044	cmd.exe	87
PID 2044 wrote to memory of 2620	2044	cmd.exe	87

System policy modification 1 TTPs 6 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ComfontHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ComfontHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ComfontHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OSPPSVC.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\taskhostw.exe
"C:\Users\Admin\AppData\Local\Temp\taskhostw.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2368
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\BlockBrowserWeb\73WPTP5CgKBkfusL13FoS1EalfC.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2352
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\BlockBrowserWeb\JLBdH8Facv2OZKr8pY7k2gD8clI.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2440
  - - C:\BlockBrowserWeb\ComfontHost.exe
      "C:\BlockBrowserWeb\ComfontHost.exe"
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2756
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3BHrr2hGfN.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2044
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2448
      - C:\MSOCache\All Users\OSPPSVC.exe
        
        "C:\MSOCache\All Users\OSPPSVC.exe"
        6⤵
        UAC bypass
        Deletes itself
        Executes dropped EXE
        Checks whether UAC is enabled
        Drops desktop.ini file(s)
        Drops autorun.inf file
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Local Settings\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Default\Local Settings\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Local Settings\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Photo Viewer\en-US\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\en-US\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Photo Viewer\en-US\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\MSOCache\All Users\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Mail\fr-FR\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\fr-FR\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Mail\fr-FR\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Defender\de-DE\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\de-DE\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Defender\de-DE\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Windows\Cursors\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Cursors\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Windows\Cursors\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Games\SpiderSolitaire\fr-FR\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\SpiderSolitaire\fr-FR\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Microsoft Games\SpiderSolitaire\fr-FR\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Users\Default\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Default\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Users\Default\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Windows Credential Manager

T1555.004

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Replication Through Removable Media

T1091

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\BlockBrowserWeb\73WPTP5CgKBkfusL13FoS1EalfC.vbe

Filesize
230B

MD5
fdf72c94be3290267c930fab28fbd800

SHA1
a0e186ec44952baf296acd483f25327b0c6f33dd

SHA256
4eead935013d583296ca49f8fc8b70d38b7c32e1189204629f33cead574e2dd1

SHA512
a59b3fe649739e5d61d116149011f8d0f19ed8b217134aabb3f2c698dd52a5ccc4b67414209772be48fe4477158ffa7ebb2097280dccf1607955f1a95d264634

Download Submit
C:\BlockBrowserWeb\JLBdH8Facv2OZKr8pY7k2gD8clI.bat

Filesize
47B

MD5
68411cfd82c251c57e0fd3e2b6e7af03

SHA1
26b09d13a90b0e662d57c59dc903db51dd11a177

SHA256
0f31379f24cbc2ab580f9b2f77e4fa36123a732377be53d88c28546228e106d7

SHA512
78ba2559d614ed0dbcc2e32a5f6b9ef3d3585df4cc515728ff4cccdefbd00b50f3e34774af016a5fc9f8320ff48e963bc76f9c7b04e80ad69a43eef9c18f2f2a

Download Submit
C:\MSOCache\All Users\1610b97d3ab4a7

Filesize
415B

MD5
e49a64f9b00e0b5d60b04511fc1bace9

SHA1
6332b925278b152d86b362c70d574ff1506c8a33

SHA256
d918a6fff531edfcaa8032a0cdab55d3cd2606ed65eef9bd7c18f415e3fe365c

SHA512
b4b3de290382bf0f2b5fdbff061fc99fa27eb322492aae7738bc0694a8f0ab70cb99ec64f69e54ecaa980c89d95a13107352176ceba362970dab2d4df890d3e1

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\69ddcba757bf72

Filesize
516B

MD5
1218baca91064feca9c0673f9a2393df

SHA1
b655bf7b4af6a6e16d3686a365d29afd01dfcd18

SHA256
acadfe2f1b4f6115bbc66ceb0cf18b5d68db2faca5685f4ffd3658d782ee2114

SHA512
53a2d6ce72f9697ad2e8ce57eedd4ab9e0a4da1b443857fcd6bee80b76e4c80c35ba8285e0df5e752da7ece5975dff55ba5051c70173d5dc2725756842205772

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\logs\5940a34987c991

Filesize
806B

MD5
a9ae60dae93d61a5cbce55a2a525a165

SHA1
fa6154db4655ac197a67d2e878344d7319076649

SHA256
dc1d7a6afd02b5e82d5537d5259233c46f330748407814791584f6b89618b252

SHA512
d604288536905089cb7020de5091e5a21c55f11b4eb983dfd99f22f6d2e4c46aed77936d98cff1846821fd39feb132ee3df544af1e4057d450cbfdd0e1799f8c

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\logs\6ccacd8608530f

Filesize
903B

MD5
16fa97534cbdeda9913db6c5c3993766

SHA1
6423d1f499a697ea65d92be1934f49b88a9a4c0b

SHA256
299abe590f020a253f8d4a40ac2b153a13e27ab9597e377fc664edc840070f22

SHA512
c15627b95f98e70441fbeef745a121707f582afbca2f81558f072f0b3b44fd7c3ca9ba73cb9b4778acfb64de0ed60a810e2c8021f088809623c4a524a3bbf418

Download Submit
C:\Program Files (x86)\Windows Defender\de-DE\75a57c1bdf437c

Filesize
95B

MD5
77ca72d3e4d03b256e734a1adeaa983d

SHA1
8bddb5c7dceec799c860dde38ddf71781e7a6f53

SHA256
3e789c6e24f17222a373be0e2ec95ae51e24f4dbfb614a124e9ca3fd723aed61

SHA512
dde15cef706488ee7ae2ffc99689520df19738d53da9b27848ccf6520766e7e31c7422d2a32bb1e08d00b10e9d9832b767b382f936d8bca2688b313f9591ad06

Download Submit
C:\Program Files (x86)\Windows Mail\fr-FR\cc11b995f2a76d

Filesize
298B

MD5
a43a248526bce40a9d1103514ad7c946

SHA1
295fbfbc6d8fd1396515d8b94d5ec8c68a25e948

SHA256
bfe8bbb26f372eb2f81e9bd57335b9da7f900a8de5563b506b88dbb4b9cf53db

SHA512
349dab314c3c14a1ab4869c5e6eb98e5963777833ef4a8e324c750c3c0a220f200deffa774e51d8a5c865d2fec4e779fc6d228ca4e4ff12c61f96a9e84333108

Download Submit
C:\Program Files\Microsoft Games\SpiderSolitaire\fr-FR\ebf1f9fa8afd6d

Filesize
587B

MD5
d2159c43cb6676961f6a014e1a752f13

SHA1
a1e6bca12e9fdd0d8cbb593526a4e64c2e0905c6

SHA256
be939810c8d195f82fe4f4811a65ed62526fb46351c2e967e18b9ac444937909

SHA512
2cec82670ec44bb1f64e049d9eedda223cfd2e2e26fa917a3f0da26511c686a84f1c25bf12754874f47d46df942ff728eeed04ebae7ae5e3052348a06f9e9600

Download Submit
C:\Program Files\Windows Photo Viewer\en-US\b75386f1303e64

Filesize
561B

MD5
3ce855663f34e701ef39d0c6a99fffca

SHA1
2dd137f5a85d55d266f67bd67fb0326191e0c450

SHA256
215023bad2207f46eb5091a4cfad411653c5748cbc3f5dab136cadfa771ecab4

SHA512
51e680dd8785e2e0cc9ef141a4a849bc85c3244dae65a2f4fde0b327cc3f7d202bd08f055647ab358c07e0e2036d4a746cda85ee481b3287139c71046309a7c7

Download Submit
C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\24dbde2999530e

Filesize
273B

MD5
89586c7843e5341544ab540f2f0124c7

SHA1
50a5d12978e4e1452b033f60cc1e241550fc9805

SHA256
c635bf8f8e72cf49b85a8247a79c39098bd92ef56829f8148dc578a0f03ab06a

SHA512
bb03abc83ca68acafc3f5b6fc89a5704ef9ae0a6ae43951b9b045813c4849f93ce8bde7d6429ba592dca418b8145188e9699d193bbe6df36f90d45f790927284

Download Submit
C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\24dbde2999530e

Filesize
764B

MD5
fc7aedd75ad542f33370617a2e494fbd

SHA1
5a805f4095609f45dc5d6ef7d00dcbc628b63bec

SHA256
f8a30dd24838486f5ef2fea493a2637109cc727b126cafc218af32445317ab35

SHA512
45cbdc4d529803814e71f3e4351eac84e9ba787d8aff63d98f04bad436ad0e2ba4d48b7452e902fdeb9d7bec2f0ed1cbf60b3f6ff86ac91622870b1a54258266

Download Submit
C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\42af1c969fbb7b

Filesize
905B

MD5
8fdde40d4e17135b3b87b92cca15e33c

SHA1
a758038d056835cad6dbfa68e138389a655f629b

SHA256
91fff9e548693ed33af6da617ed61275c32488e082f4e14ce397d0a88d76dc3c

SHA512
2c08e4a370a8c2e7192db0c006fc6a3849a5645d12f3eac92df04043e3138f10e487be6248a352c1950202b7f67fa90af150b99b4a1707590015a858a9dce3c8

Download Submit
C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\5940a34987c991

Filesize
971B

MD5
34293b48b731cab6a59b1a0d6f8234cf

SHA1
b3c71f311a60aba66b05053228cbe38a827a926f

SHA256
e0b7fd9c393554078ed387204689cf88f0fb4763ea0c8e722505e647be30caa5

SHA512
705b47342a75b9dc4723496ba795c38a86a6db6d5903d53ddb00efcbd5c274c3bf4adde737a4544882365bbc9af801eb2706d72f30ce7a43b201cccf021d5500

Download Submit
C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\ebf1f9fa8afd6d

Filesize
904B

MD5
a67a06c480d408babcee6b427b2cf241

SHA1
9aaad62f9d716575d5390f05435690b7f4224f27

SHA256
7029593e714d17aca5cd232b0aea11ab9e957bcbdbf0e67caacb0545a7c2f8fb

SHA512
03ecc80d232fb8090d30ac6cc11485219b24ae4625c98005308b049f53d84c8430bd1b6aa4723d2df93ea4fdec40ab97f297e2b87bf3ce625d08c7863fb7af4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\3BHrr2hGfN.bat

Filesize
198B

MD5
60bed6e27f01dec842cf5a44d312e1c4

SHA1
73b963ec317b2029824a924da031e03ed16cc524

SHA256
998bfc2ef01edaa89a6a4752cd38805aaa449b2aa3eb681f8539e7ebbbef8e5b

SHA512
2bc7d7a9648d764e7a45aef238bbd1ebbb4c808c9f668e859e783f6b756390530dc1524c802191a730d4bd05316da2ab4401697beb9d8ed6d1e462111e764c30

Download Submit
C:\Users\Default\AppData\Local\27d1bcfc3c54e0

Filesize
875B

MD5
c3930334ec3bca33e2f7d7bef3171366

SHA1
caae2b1f26f8cc881f582a2b074d55d97d713da6

SHA256
f2699d045c9e3b720a23ef35c97d39afb0798eb6cca53e23ad316f81958fc6ff

SHA512
66d2c4c1cab45ca3b607f24f913072f9f710c93ff2d07530e77122b6cd0593a7b48517f5e969b4a799f016148a542ee4afbf1da2454a81141b06aca49477a302

Download Submit
C:\Users\Default\f3b6ecef712a24

Filesize
283B

MD5
39dba2f3ee723989b666d41b39711d7d

SHA1
54643f125b96c1a9b35a9f099b76322e2a22538e

SHA256
9e323e63339bfcbe4827cd41617962b756fb694c98d6a653e764c61b1a909b5e

SHA512
8dd074cf0b81c1eae3946b3fb78c59d79d8e8937bc198012b765b7cefda7536c719ca68efe201ed183219b1c98ef84a2770bc809af0fe1ee44a10afd36e3e936

Download Submit
C:\Windows\Cursors\886983d96e3d3e

Filesize
563B

MD5
b407baf1e525f37bb79d2b3149a0ad2e

SHA1
5e69ca64ffc78b8fe3f7385f2093ff260cd8db21

SHA256
e9bde218c5dedef9465bff4b2e5a586cf73401760cc3c437e63d2bb409215cab

SHA512
1f0dc9fd90e7697b598dd606c71d257fa22f68a8bde74adc75adb01cccb86b69fe26dacc2c857914d4f8e7b16a76f85c5d50fad9d10a68112de59d7214841d7e

Download Submit
\BlockBrowserWeb\ComfontHost.exe

Filesize
911KB

MD5
082141e65f26ececc48552790d6c6da4

SHA1
fba9667158632e2dbfa128d1fa1bd4be282e773a

SHA256
b49adf276a5e055ef1a3685f032701b41be76177f7f9eb85dfac2d33b5fa7c9f

SHA512
cbe0fef685801d436b5637a0e08df052af119284491a382d689686735ee8352d3edaa6857754f16f022a0bb43f95039bc841e4ed1e20614ea0a9976258947946

Download Submit
memory/2620-55-0x0000000000B80000-0x0000000000C6C000-memory.dmp

Filesize
944KB

Download
memory/2756-15-0x0000000000560000-0x000000000056C000-memory.dmp

Filesize
48KB

Download
memory/2756-14-0x0000000000550000-0x000000000055A000-memory.dmp

Filesize
40KB

Download
memory/2756-13-0x00000000013C0000-0x00000000014AC000-memory.dmp

Filesize
944KB

Download