dcrat | 8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955

Analysis

max time kernel
103s
max time network
105s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
05-11-2024 01:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N.exe
Size

1.5MB
MD5

8f7fa3b34b52d77c923711a5b6510df0
SHA1

171914ec44b3bb7062f5b21bf5f628c9c1aa2b48
SHA256

8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955
SHA512

68d82717828e8ed1598e8599c39b0898bd7f4a11fadf232e5cc58ffd21028fa61ac351f0dc9135ecbe7a42758ec301a73ac4c06c3c3678c7ecb0d2837a756d63
SSDEEP

24576:0eaMajUi+6C+mDjn7gbkFaSH7Wu4mIWGE1Sy/fBEXTHhaTEEER71RM4I13:0eaj9bHmMbkBHVdGE1Sy/ujhaIh+1

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 30 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3020	2984	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2716	2984	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2828	2984	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	620	2984	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3084	2984	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3288	2984	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	664	2984	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1640	2984	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4764	2984	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	380	2984	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1548	2984	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3704	2984	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3112	2984	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	784	2984	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3008	2984	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	548	2984	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4788	2984	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1352	2984	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2312	2984	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4360	2984	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2248	2984	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1020	2984	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	924	2984	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1984	2984	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2836	2984	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	928	2984	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2580	2984	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3608	2984	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3328	2984	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	820	2984	schtasks.exe	86

DCRat payload 6 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/3588-1-0x0000000000360000-0x00000000004EE000-memory.dmp	dcrat
behavioral2/files/0x0007000000023c85-28.dat	dcrat
behavioral2/files/0x000c000000023b36-77.dat	dcrat
behavioral2/files/0x000b000000023c85-134.dat	dcrat
behavioral2/files/0x0009000000023c90-145.dat	dcrat
behavioral2/files/0x0009000000023c96-157.dat	dcrat

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N.exe

Executes dropped EXE 1 IoCs

pid	Process
2160	System.exe

Drops file in Program Files directory 35 IoCs

description	ioc	Process
File created	C:\Program Files\Mozilla Firefox\browser\features\27d1bcfc3c54e0	8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\backgroundTaskHost.exe	8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\winlogon.exe	8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\RCXB747.tmp	8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N.exe
File created	C:\Program Files (x86)\Windows Mail\0a1fd5f707cd16	8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\sysmon.exe	8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\RCXAFBE.tmp	8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\RCXB242.tmp	8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\RCXB746.tmp	8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\System.exe	8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N.exe
File created	C:\Program Files (x86)\Windows Mail\sppsvc.exe	8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\System.exe	8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\eddb19405b7ce1	8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N.exe
File opened for modification	C:\Program Files\MSBuild\RuntimeBroker.exe	8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\RCXB94D.tmp	8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\sppsvc.exe	8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\121e5b5079f7c0	8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\RCXAAF8.tmp	8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\RCXB03C.tmp	8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\RCXB94C.tmp	8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\RCXBBCF.tmp	8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N.exe	8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\c77a9bce03d3e3	8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N.exe
File created	C:\Program Files (x86)\Windows Mail\winlogon.exe	8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\sysmon.exe	8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N.exe	8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\RCXB241.tmp	8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N.exe
File created	C:\Program Files (x86)\Windows Mail\cc11b995f2a76d	8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N.exe
File created	C:\Program Files\MSBuild\9e8d7a4ca61bd9	8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N.exe
File opened for modification	C:\Program Files\MSBuild\RCXB4C3.tmp	8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N.exe
File opened for modification	C:\Program Files\MSBuild\RCXB4C4.tmp	8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N.exe
File created	C:\Program Files\MSBuild\RuntimeBroker.exe	8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\backgroundTaskHost.exe	8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\RCXAAF7.tmp	8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\RCXBB51.tmp	8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\ShellComponents\fontdrvhost.exe	8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N.exe
File created	C:\Windows\ShellComponents\fontdrvhost.exe	8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N.exe
File created	C:\Windows\ShellComponents\5b884080fd4f94	8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N.exe
File opened for modification	C:\Windows\ShellComponents\RCXADA9.tmp	8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N.exe
File opened for modification	C:\Windows\ShellComponents\RCXADAA.tmp	8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 30 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3084	schtasks.exe
3008	schtasks.exe
4360	schtasks.exe
2248	schtasks.exe
3328	schtasks.exe
1640	schtasks.exe
4764	schtasks.exe
3704	schtasks.exe
1984	schtasks.exe
1548	schtasks.exe
3112	schtasks.exe
2836	schtasks.exe
620	schtasks.exe
380	schtasks.exe
2312	schtasks.exe
3608	schtasks.exe
820	schtasks.exe
2828	schtasks.exe
1020	schtasks.exe
2580	schtasks.exe
3020	schtasks.exe
548	schtasks.exe
3288	schtasks.exe
664	schtasks.exe
4788	schtasks.exe
1352	schtasks.exe
924	schtasks.exe
2716	schtasks.exe
784	schtasks.exe
928	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3588	8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N.exe
3588	8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N.exe
3588	8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N.exe
3588	8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N.exe
3588	8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N.exe
3588	8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N.exe
3588	8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N.exe
3588	8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N.exe
3588	8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N.exe
3588	8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N.exe
3588	8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N.exe
3588	8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N.exe
3588	8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N.exe
3588	8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N.exe
3588	8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N.exe
3588	8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N.exe
3588	8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N.exe
3588	8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N.exe
3588	8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N.exe
3588	8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N.exe
3588	8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N.exe
3588	8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N.exe
3588	8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N.exe
3588	8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N.exe
3588	8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N.exe
3588	8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N.exe
3588	8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N.exe
3588	8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N.exe
3588	8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N.exe
3588	8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N.exe
3588	8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N.exe
3588	8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N.exe
3588	8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N.exe
3588	8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N.exe
3588	8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N.exe
3588	8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N.exe
3588	8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N.exe
3588	8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N.exe
3588	8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N.exe
3588	8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N.exe
3588	8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N.exe
2160	System.exe
2160	System.exe
2160	System.exe
2160	System.exe
2160	System.exe
2160	System.exe
2160	System.exe
2160	System.exe
2160	System.exe
2160	System.exe
2160	System.exe
2160	System.exe
2160	System.exe
2160	System.exe
2160	System.exe
2160	System.exe
2160	System.exe
2160	System.exe
2160	System.exe
2160	System.exe
2160	System.exe
2160	System.exe
2160	System.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3588	8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N.exe
Token: SeDebugPrivilege	2160	System.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 3588 wrote to memory of 2160	3588	8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N.exe	126
PID 3588 wrote to memory of 2160	3588	8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N.exe	126

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N.exe
"C:\Users\Admin\AppData\Local\Temp\8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N.exe"
1⤵
- Drops file in Drivers directory
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3588
- C:\Program Files\Mozilla Firefox\browser\features\System.exe
  "C:\Program Files\Mozilla Firefox\browser\features\System.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Mail\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Mail\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Windows\ShellComponents\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\ShellComponents\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Windows\ShellComponents\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N8" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N8" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Mail\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Mail\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files\MSBuild\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\MSBuild\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files\MSBuild\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Program Files\Mozilla Firefox\browser\features\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\browser\features\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files\Mozilla Firefox\browser\features\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\backgroundTaskHost.exe

Filesize
1.5MB

MD5
7d47f5ce43632d1c27bf8c2ab80e6889

SHA1
a10d1f21d3995f5d95a67d9c9006529fee2d1496

SHA256
57947d8c056fc3e205e48a45563bfa012aa011bc918093833e78c7f20c7ed183

SHA512
88395e8532c521a0a7f4c3b9556d394ece9b92d952832280597a3cabc13c0b5414d6437ee8572b45de2bd1949e7d1df1ae1da235c53d6d2f676b91c83d2d3423

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\logs\8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N.exe

Filesize
1.5MB

MD5
f06fb50c3fbb70266f3baedd6130195f

SHA1
49fa614a3e3065644de3de77934e6a7008ce21b3

SHA256
6e0a751794d9d5354a057f26109cf95b86374d2280caab1352e61abe7d3dd500

SHA512
85b34ad66e1fee70a4644b03943c3ac5ce392728f7fde70da2680daa7f2ac8839315953f5fb105e7bb1920ad30ef15091c8589bc2fe600a2b53d4b1439148bde

Download Submit
C:\Program Files\MSBuild\RuntimeBroker.exe

Filesize
1.5MB

MD5
8f7fa3b34b52d77c923711a5b6510df0

SHA1
171914ec44b3bb7062f5b21bf5f628c9c1aa2b48

SHA256
8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955

SHA512
68d82717828e8ed1598e8599c39b0898bd7f4a11fadf232e5cc58ffd21028fa61ac351f0dc9135ecbe7a42758ec301a73ac4c06c3c3678c7ecb0d2837a756d63

Download Submit
C:\Recovery\WindowsRE\backgroundTaskHost.exe

Filesize
1.5MB

MD5
ca9f5fb8ee4a04d64b681554d3d33296

SHA1
504b7a4b7404ca3ea77c6b62fd0ef4b15d953401

SHA256
cbbbcb163a1500eb9c4b8662ffa3940fa682ea6f6599a6cf477f60497a97fea2

SHA512
5540271ef221743f1f16da75b69f1e4e42085ea538eb5fb417e8b88dae8383d5fce8a714cf545fe75dab340edcc74a1d11fbe4540212b7cbfc554ff4da6b19a9

Download Submit
C:\Recovery\WindowsRE\winlogon.exe

Filesize
1.5MB

MD5
50e6c6f264c838b4612e976bfef7243f

SHA1
bb0d10564d60fa570519817789ffc71b749c1438

SHA256
2c72bebcf97e477ada621837d2bc0e90a841accc14ebb1879cbfc72066ebae75

SHA512
e2c74f92213616a06c64bd434a08e042fbf2914e6c8fb0662dae3e40e067e8d247e49ac53318d2c63b74c916694a03524de9d647219ed1852482d1985722c960

Download Submit
memory/3588-15-0x000000001BA10000-0x000000001BA1C000-memory.dmp

Filesize
48KB

Download
memory/3588-17-0x000000001BA30000-0x000000001BA3A000-memory.dmp

Filesize
40KB

Download
memory/3588-5-0x000000001B110000-0x000000001B118000-memory.dmp

Filesize
32KB

Download
memory/3588-4-0x000000001B680000-0x000000001B6D0000-memory.dmp

Filesize
320KB

Download
memory/3588-9-0x000000001B160000-0x000000001B168000-memory.dmp

Filesize
32KB

Download
memory/3588-12-0x000000001B6E0000-0x000000001B6EC000-memory.dmp

Filesize
48KB

Download
memory/3588-11-0x000000001B6D0000-0x000000001B6D8000-memory.dmp

Filesize
32KB

Download
memory/3588-0-0x00007FFA07DA3000-0x00007FFA07DA5000-memory.dmp

Filesize
8KB

Download
memory/3588-14-0x000000001BA00000-0x000000001BA08000-memory.dmp

Filesize
32KB

Download
memory/3588-13-0x000000001B8F0000-0x000000001B8FE000-memory.dmp

Filesize
56KB

Download
memory/3588-16-0x000000001BA20000-0x000000001BA28000-memory.dmp

Filesize
32KB

Download
memory/3588-7-0x000000001B130000-0x000000001B146000-memory.dmp

Filesize
88KB

Download
memory/3588-20-0x00007FFA07DA0000-0x00007FFA08861000-memory.dmp

Filesize
10.8MB

Download
memory/3588-21-0x00007FFA07DA0000-0x00007FFA08861000-memory.dmp

Filesize
10.8MB

Download
memory/3588-8-0x000000001B150000-0x000000001B160000-memory.dmp

Filesize
64KB

Download
memory/3588-6-0x000000001B120000-0x000000001B130000-memory.dmp

Filesize
64KB

Download
memory/3588-3-0x0000000002610000-0x000000000262C000-memory.dmp

Filesize
112KB

Download
memory/3588-2-0x00007FFA07DA0000-0x00007FFA08861000-memory.dmp

Filesize
10.8MB

Download
memory/3588-154-0x00007FFA07DA3000-0x00007FFA07DA5000-memory.dmp

Filesize
8KB

Download
memory/3588-1-0x0000000000360000-0x00000000004EE000-memory.dmp

Filesize
1.6MB

Download
memory/3588-160-0x00007FFA07DA0000-0x00007FFA08861000-memory.dmp

Filesize
10.8MB

Download
memory/3588-221-0x00007FFA07DA0000-0x00007FFA08861000-memory.dmp

Filesize
10.8MB

Download