dcrat | 9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
31-10-2024 03:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe
Size

1.6MB
MD5

844679e76d8254bedd67c98610f7d7ac
SHA1

4222ebbb055830096b829f072783423dbe255932
SHA256

9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942
SHA512

fddb80736936d7c0d46ec3958885237681cbbd416455d7a48d075092d38a0c5e435112c25b595b8cc99b0a8ed2143ac2f28e893373a7b6e9772ee722706a3c05
SSDEEP

24576:2ztKoZmCJ4YrujnaOBDEzKt3pJqc7BnA8js2TvgAts0qB0FjbpcKSzQy8v1:O995MUzKNac7BnbbTvgCFTYQy+

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1108	3496	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4208	3496	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3188	3496	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3488	3496	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3928	3496	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2712	3496	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1220	3496	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1768	3496	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	724	3496	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3988	3496	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1468	3496	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4504	3496	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1168	3496	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4252	3496	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4644	3496	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2992	3496	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3360	3496	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4872	3496	schtasks.exe	87

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe

Executes dropped EXE 1 IoCs

Processes:

RuntimeBroker.exe

pid	Process
4944	RuntimeBroker.exe

Drops file in Program Files directory 7 IoCs

Processes:

9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe	9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe
File created	C:\Program Files (x86)\Windows Portable Devices\9e8d7a4ca61bd9	9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe	9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\de-DE\9e8d7a4ca61bd9	9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\SppExtComObj.exe	9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\e1ef82546f0b02	9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe
File created	C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe	9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe

Drops file in Windows directory 1 IoCs

Processes:

9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe

description	ioc	Process
File created	C:\Windows\ServiceState\WinHttpAutoProxySvc\Registry.exe	9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

Processes:

9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	Process
4208	schtasks.exe
1768	schtasks.exe
4504	schtasks.exe
4644	schtasks.exe
4872	schtasks.exe
1108	schtasks.exe
3928	schtasks.exe
4252	schtasks.exe
3488	schtasks.exe
2712	schtasks.exe
3988	schtasks.exe
1468	schtasks.exe
2992	schtasks.exe
3360	schtasks.exe
3188	schtasks.exe
1220	schtasks.exe
724	schtasks.exe
1168	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exeRuntimeBroker.exe

pid	Process
2980	9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe
2980	9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe
2980	9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe
2980	9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe
2980	9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe
2980	9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe
2980	9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe
2980	9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe
2980	9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe
2980	9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe
2980	9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe
2980	9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe
2980	9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe
2980	9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe
2980	9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe
2980	9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe
2980	9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe
2980	9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe
2980	9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe
2980	9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe
2980	9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe
2980	9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe
2980	9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe
2980	9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe
2980	9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe
2980	9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe
2980	9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe
2980	9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe
2980	9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe
2980	9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe
2980	9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe
2980	9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe
2980	9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe
2980	9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe
2980	9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe
2980	9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe
2980	9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe
2980	9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe
2980	9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe
2980	9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe
2980	9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe
2980	9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe
2980	9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe
2980	9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe
2980	9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe
2980	9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe
2980	9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe
2980	9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe
2980	9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe
2980	9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe
2980	9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe
2980	9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe
2980	9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe
2980	9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe
2980	9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe
2980	9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe
2980	9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe
2980	9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe
2980	9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe
2980	9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe
4944	RuntimeBroker.exe
4944	RuntimeBroker.exe
4944	RuntimeBroker.exe
4944	RuntimeBroker.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

RuntimeBroker.exe

pid	Process
4944	RuntimeBroker.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exeRuntimeBroker.exe

description	pid	Process
Token: SeDebugPrivilege	2980	9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe
Token: SeDebugPrivilege	4944	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.execmd.exe

description	pid	Process	procid_target
PID 2980 wrote to memory of 4256	2980	9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe	108
PID 2980 wrote to memory of 4256	2980	9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe	108
PID 4256 wrote to memory of 1592	4256	cmd.exe	110
PID 4256 wrote to memory of 1592	4256	cmd.exe	110
PID 4256 wrote to memory of 4332	4256	cmd.exe	111
PID 4256 wrote to memory of 4332	4256	cmd.exe	111
PID 4256 wrote to memory of 4944	4256	cmd.exe	117
PID 4256 wrote to memory of 4944	4256	cmd.exe	117

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe
"C:\Users\Admin\AppData\Local\Temp\9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2980
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PNkK84xdf9.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4256
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:1592
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:4332
- - C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe
    "C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:4944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a219429" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\AppData\Local\Temp\9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a219429" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\AppData\Local\Temp\9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Mozilla Maintenance Service\logs\SppExtComObj.exe

Filesize
1.6MB

MD5
844679e76d8254bedd67c98610f7d7ac

SHA1
4222ebbb055830096b829f072783423dbe255932

SHA256
9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942

SHA512
fddb80736936d7c0d46ec3958885237681cbbd416455d7a48d075092d38a0c5e435112c25b595b8cc99b0a8ed2143ac2f28e893373a7b6e9772ee722706a3c05

Download Submit
C:\Users\Admin\AppData\Local\Temp\PNkK84xdf9.bat

Filesize
243B

MD5
e560d37bc071a5949ebf851033b8b3a1

SHA1
833ee1f51f4c4b8afda80b99cd7e75893c1c3c1c

SHA256
0d351c0d57aee2c9fba137e09c78c7dad5bae9f8f7bafd7e3c8f3b48b812c661

SHA512
ced97cc6107985f09ff30084803632fcf4e005922e8ac2167ab692b335ae28081d4211561bd0080ab05a768116894d74e6b1329752b30755571f63b2d5be0334

Download Submit
memory/2980-3-0x00007FFDF7450000-0x00007FFDF7F11000-memory.dmp

Filesize
10.8MB

Download
memory/2980-0-0x00007FFDF7453000-0x00007FFDF7455000-memory.dmp

Filesize
8KB

Download
memory/2980-4-0x00007FFDF7450000-0x00007FFDF7F11000-memory.dmp

Filesize
10.8MB

Download
memory/2980-7-0x00000000030A0000-0x00000000030AE000-memory.dmp

Filesize
56KB

Download
memory/2980-5-0x00007FFDF7450000-0x00007FFDF7F11000-memory.dmp

Filesize
10.8MB

Download
memory/2980-8-0x00007FFDF7450000-0x00007FFDF7F11000-memory.dmp

Filesize
10.8MB

Download
memory/2980-11-0x00007FFDF7450000-0x00007FFDF7F11000-memory.dmp

Filesize
10.8MB

Download
memory/2980-2-0x00007FFDF7450000-0x00007FFDF7F11000-memory.dmp

Filesize
10.8MB

Download
memory/2980-21-0x00007FFDF7450000-0x00007FFDF7F11000-memory.dmp

Filesize
10.8MB

Download
memory/2980-27-0x000000001C9D0000-0x000000001CA1E000-memory.dmp

Filesize
312KB

Download
memory/2980-28-0x00007FFDF7450000-0x00007FFDF7F11000-memory.dmp

Filesize
10.8MB

Download
memory/2980-1-0x0000000000E20000-0x0000000000FC2000-memory.dmp

Filesize
1.6MB

Download
memory/4944-34-0x000000001D0B0000-0x000000001D0FE000-memory.dmp

Filesize
312KB

Download