dcrat | 751e5d8fa3c24e92182df81b7147ca879e9bb89a545773ea142a45b012ca4efa

Analysis

max time kernel
148s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21-12-2024 19:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_751e5d8fa3c24e92182df81b7147ca879e9bb89a545773ea142a45b012ca4efa.exe
Size

1.3MB
MD5

8cc808a05e3bcd02ce28c989bba8f871
SHA1

4328900a4a37cfc8d4c98e20aa38efcc8644c9ec
SHA256

751e5d8fa3c24e92182df81b7147ca879e9bb89a545773ea142a45b012ca4efa
SHA512

101072978bfde018731b723039c3ebbad5ff1b09fdd61644bd62c37a5be54d6b71ae124febde81a82a3e074a942fb5389ebc838118b1b682653f1f0a3163c5f6
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 6 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2844	2644	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2860	2644	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3064	2644	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2296	2644	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2536	2644	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2592	2644	schtasks.exe	35

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000018bf3-10.dat	dcrat
behavioral1/memory/2628-13-0x0000000001280000-0x0000000001390000-memory.dmp	dcrat
behavioral1/memory/344-45-0x0000000000F50000-0x0000000001060000-memory.dmp	dcrat
behavioral1/memory/2140-342-0x00000000013D0000-0x00000000014E0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2656	powershell.exe
3068	powershell.exe
3012	powershell.exe

Executes dropped EXE 13 IoCs

pid	Process
2628	DllCommonsvc.exe
344	smss.exe
1488	smss.exe
2940	smss.exe
2584	smss.exe
276	smss.exe
2140	smss.exe
1948	smss.exe
1180	smss.exe
1312	smss.exe
2264	smss.exe
2748	smss.exe
1636	smss.exe

Loads dropped DLL 2 IoCs

pid	Process
2216	cmd.exe
2216	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs

Web Service

T1102

flow	ioc
9	raw.githubusercontent.com
16	raw.githubusercontent.com
19	raw.githubusercontent.com
40	raw.githubusercontent.com
34	raw.githubusercontent.com
37	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com
12	raw.githubusercontent.com
22	raw.githubusercontent.com
26	raw.githubusercontent.com
30	raw.githubusercontent.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_751e5d8fa3c24e92182df81b7147ca879e9bb89a545773ea142a45b012ca4efa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2844	schtasks.exe
2860	schtasks.exe
3064	schtasks.exe
2296	schtasks.exe
2536	schtasks.exe
2592	schtasks.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
2628	DllCommonsvc.exe
2628	DllCommonsvc.exe
2628	DllCommonsvc.exe
2628	DllCommonsvc.exe
2628	DllCommonsvc.exe
3012	powershell.exe
3068	powershell.exe
2656	powershell.exe
344	smss.exe
1488	smss.exe
2940	smss.exe
2584	smss.exe
276	smss.exe
2140	smss.exe
1948	smss.exe
1180	smss.exe
1312	smss.exe
2264	smss.exe
2748	smss.exe
1636	smss.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	2628	DllCommonsvc.exe
Token: SeDebugPrivilege	3012	powershell.exe
Token: SeDebugPrivilege	3068	powershell.exe
Token: SeDebugPrivilege	2656	powershell.exe
Token: SeDebugPrivilege	344	smss.exe
Token: SeDebugPrivilege	1488	smss.exe
Token: SeDebugPrivilege	2940	smss.exe
Token: SeDebugPrivilege	2584	smss.exe
Token: SeDebugPrivilege	276	smss.exe
Token: SeDebugPrivilege	2140	smss.exe
Token: SeDebugPrivilege	1948	smss.exe
Token: SeDebugPrivilege	1180	smss.exe
Token: SeDebugPrivilege	1312	smss.exe
Token: SeDebugPrivilege	2264	smss.exe
Token: SeDebugPrivilege	2748	smss.exe
Token: SeDebugPrivilege	1636	smss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3044 wrote to memory of 2072	3044	JaffaCakes118_751e5d8fa3c24e92182df81b7147ca879e9bb89a545773ea142a45b012ca4efa.exe	30
PID 3044 wrote to memory of 2072	3044	JaffaCakes118_751e5d8fa3c24e92182df81b7147ca879e9bb89a545773ea142a45b012ca4efa.exe	30
PID 3044 wrote to memory of 2072	3044	JaffaCakes118_751e5d8fa3c24e92182df81b7147ca879e9bb89a545773ea142a45b012ca4efa.exe	30
PID 3044 wrote to memory of 2072	3044	JaffaCakes118_751e5d8fa3c24e92182df81b7147ca879e9bb89a545773ea142a45b012ca4efa.exe	30
PID 2072 wrote to memory of 2216	2072	WScript.exe	32
PID 2072 wrote to memory of 2216	2072	WScript.exe	32
PID 2072 wrote to memory of 2216	2072	WScript.exe	32
PID 2072 wrote to memory of 2216	2072	WScript.exe	32
PID 2216 wrote to memory of 2628	2216	cmd.exe	34
PID 2216 wrote to memory of 2628	2216	cmd.exe	34
PID 2216 wrote to memory of 2628	2216	cmd.exe	34
PID 2216 wrote to memory of 2628	2216	cmd.exe	34
PID 2628 wrote to memory of 2656	2628	DllCommonsvc.exe	42
PID 2628 wrote to memory of 2656	2628	DllCommonsvc.exe	42
PID 2628 wrote to memory of 2656	2628	DllCommonsvc.exe	42
PID 2628 wrote to memory of 3012	2628	DllCommonsvc.exe	43
PID 2628 wrote to memory of 3012	2628	DllCommonsvc.exe	43
PID 2628 wrote to memory of 3012	2628	DllCommonsvc.exe	43
PID 2628 wrote to memory of 3068	2628	DllCommonsvc.exe	44
PID 2628 wrote to memory of 3068	2628	DllCommonsvc.exe	44
PID 2628 wrote to memory of 3068	2628	DllCommonsvc.exe	44
PID 2628 wrote to memory of 2060	2628	DllCommonsvc.exe	48
PID 2628 wrote to memory of 2060	2628	DllCommonsvc.exe	48
PID 2628 wrote to memory of 2060	2628	DllCommonsvc.exe	48
PID 2060 wrote to memory of 1364	2060	cmd.exe	50
PID 2060 wrote to memory of 1364	2060	cmd.exe	50
PID 2060 wrote to memory of 1364	2060	cmd.exe	50
PID 2060 wrote to memory of 344	2060	cmd.exe	51
PID 2060 wrote to memory of 344	2060	cmd.exe	51
PID 2060 wrote to memory of 344	2060	cmd.exe	51
PID 344 wrote to memory of 1952	344	smss.exe	52
PID 344 wrote to memory of 1952	344	smss.exe	52
PID 344 wrote to memory of 1952	344	smss.exe	52
PID 1952 wrote to memory of 2012	1952	cmd.exe	54
PID 1952 wrote to memory of 2012	1952	cmd.exe	54
PID 1952 wrote to memory of 2012	1952	cmd.exe	54
PID 1952 wrote to memory of 1488	1952	cmd.exe	55
PID 1952 wrote to memory of 1488	1952	cmd.exe	55
PID 1952 wrote to memory of 1488	1952	cmd.exe	55
PID 1488 wrote to memory of 264	1488	smss.exe	56
PID 1488 wrote to memory of 264	1488	smss.exe	56
PID 1488 wrote to memory of 264	1488	smss.exe	56
PID 264 wrote to memory of 2072	264	cmd.exe	58
PID 264 wrote to memory of 2072	264	cmd.exe	58
PID 264 wrote to memory of 2072	264	cmd.exe	58
PID 264 wrote to memory of 2940	264	cmd.exe	59
PID 264 wrote to memory of 2940	264	cmd.exe	59
PID 264 wrote to memory of 2940	264	cmd.exe	59
PID 2940 wrote to memory of 3016	2940	smss.exe	60
PID 2940 wrote to memory of 3016	2940	smss.exe	60
PID 2940 wrote to memory of 3016	2940	smss.exe	60
PID 3016 wrote to memory of 2320	3016	cmd.exe	62
PID 3016 wrote to memory of 2320	3016	cmd.exe	62
PID 3016 wrote to memory of 2320	3016	cmd.exe	62
PID 3016 wrote to memory of 2584	3016	cmd.exe	63
PID 3016 wrote to memory of 2584	3016	cmd.exe	63
PID 3016 wrote to memory of 2584	3016	cmd.exe	63
PID 2584 wrote to memory of 844	2584	smss.exe	64
PID 2584 wrote to memory of 844	2584	smss.exe	64
PID 2584 wrote to memory of 844	2584	smss.exe	64
PID 844 wrote to memory of 1288	844	cmd.exe	66
PID 844 wrote to memory of 1288	844	cmd.exe	66
PID 844 wrote to memory of 1288	844	cmd.exe	66
PID 844 wrote to memory of 276	844	cmd.exe	67

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_751e5d8fa3c24e92182df81b7147ca879e9bb89a545773ea142a45b012ca4efa.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_751e5d8fa3c24e92182df81b7147ca879e9bb89a545773ea142a45b012ca4efa.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3044
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2072
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2216
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2628
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2656
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3012
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3068
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qIrWsk3UDC.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2060
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:1364
      - C:\Users\All Users\smss.exe
        
        "C:\Users\All Users\smss.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:344
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kz4ReWEb5Y.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1952
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2012
        
        C:\Users\All Users\smss.exe
        
        "C:\Users\All Users\smss.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1488
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2mwtwHUJyt.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:264
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2072
        
        C:\Users\All Users\smss.exe
        
        "C:\Users\All Users\smss.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2940
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0VN2lTwXPf.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:3016
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:2320
        
        C:\Users\All Users\smss.exe
        
        "C:\Users\All Users\smss.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2584
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rmFq19iy8Y.bat"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:844
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:1288
        
        C:\Users\All Users\smss.exe
        
        "C:\Users\All Users\smss.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:276
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0IgHXqOu0A.bat"
        15⤵
        
        PID:1644
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:1548
        
        C:\Users\All Users\smss.exe
        
        "C:\Users\All Users\smss.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2140
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uOEGMIRuqZ.bat"
        17⤵
        
        PID:2312
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:1740
        
        C:\Users\All Users\smss.exe
        
        "C:\Users\All Users\smss.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1948
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OoUlhQHDc2.bat"
        19⤵
        
        PID:444
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:2888
        
        C:\Users\All Users\smss.exe
        
        "C:\Users\All Users\smss.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1180
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\U04fYIssV3.bat"
        21⤵
        
        PID:900
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:2100
        
        C:\Users\All Users\smss.exe
        
        "C:\Users\All Users\smss.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1312
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\veDg5wW3gS.bat"
        23⤵
        
        PID:2784
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:1624
        
        C:\Users\All Users\smss.exe
        
        "C:\Users\All Users\smss.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2264
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UQ4uSu8U9J.bat"
        25⤵
        
        PID:2060
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:1984
        
        C:\Users\All Users\smss.exe
        
        "C:\Users\All Users\smss.exe"
        26⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2748
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dk6czFnjgV.bat"
        27⤵
        
        PID:1036
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        28⤵
        
        PID:344
        
        C:\Users\All Users\smss.exe
        
        "C:\Users\All Users\smss.exe"
        28⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\All Users\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9e140bde7c751cada55e85d3f9d82f31

SHA1
4061ff5b825e4db15192c752f6aebd20f12eab48

SHA256
b9da37ccb523d9f9ff4b34a6362cc1ba75e9eac83f2c96fedae4f42c0498d279

SHA512
18adb1fd97a663d27473170a6ed2ec7e1324d59c2a1bd833514539d8827182376846870ab3dba748dc86a4860754c1c6fd0d289bcf96dc72e796bbe3b2c7131b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2672386200c0c9cde6abccb140e7c945

SHA1
0613792b3de8a6fbc258d21314dd93a41a4ef078

SHA256
8525098d50c2062c162b9927db6f503cccc8793daa1599765176ca0c5b622ff7

SHA512
858b5487146ebb6abff2f5ca33e289f521675f42a45bd9429a10ef7e0579ddd0a8a7e1e9acc40236e8326f51624039953aee9235746b0bb6f76ee95bcba5df8f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5a1d1856eca44b8d6162cf45c89dd206

SHA1
67b63eb2ae06965f868b37e3e02caec3bd5cebc1

SHA256
c8ca3da6ef15f2b97681a1c06497f646c336dec541d8df49d0efc366ceac9ed9

SHA512
d7bf392ff1a0b6ab8166301beb4bb2c4babed0e6cd28d329af85980ec1198f918284bcb2ee3238ae89c1fea8f1c60164b8b7f53ad69889aecc403b6577d78a0f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9bea686e8bc8bb26a167dfc53673bfd6

SHA1
1594827d0487008ef52d8c787c24d6ba97a32992

SHA256
7668e4ef477b055dde7f8094f7ca91838bbf3186e8a8d79ae1bd966baf541bf3

SHA512
c218a971ae10cafcccc1cd688a4699d85f557b50f5eaa5ebff2102cc1c163ebe9cdeccfc7ffb087265627a33b9b4147d1fee54dbcb968e2db32feada0e53b4cd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7ba26bc5e3ff8f4c0de025142f0b0488

SHA1
0700a3bbd40310919252ecd4817e7d85fe0a160d

SHA256
a78fa7337a4cf2aa1dc1dc136dc7601e0eaf97c3de03c42cbec7b73f27bcd753

SHA512
1fba82da650e7212fc24cd300cba7bb514d37496de9c88f00b85d6d6adac81f67eb3f7bd6130d90e29043325840e8be1c70e6fc6b592bcd47917a50c4199a0da

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1c657e55163ef4d5e49d8f36f848bffd

SHA1
0be24f98a716ea0fbf33e7bb09ff7c7cc72d993d

SHA256
f0c426ac54d09bb3a30e4817167391a4149c16aed79bcd86141cddfd4ffd5ec0

SHA512
6abbc270e3c24a61d4f8a438d12d77f4dce5589a2ba3fe10aac5d4f212c78e5479a3c8aac89456367346f7a4423c5db8cbd26b44d8708db3871f6eb1b08fb75e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
490a567d297a0d19f4f1dcf44d69d52e

SHA1
0bdd6bbd6e8e5dfe0ea19802a8bfe1ba57a66ac2

SHA256
313ef6add7beb9d7f317ccdc12ef97f18a40d0d2e05588225b9b63eda5425a23

SHA512
4ccd374ef4e96fcaacb853f9c6daf323ad2d4e22bdf7a7b9f0801316a0e9d15507e92c128381f4aa25880f689e22daa0ca7a319e0850915b9d4ce4aebaa0b9ef

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8ab8e60d4e47c1b0dfbca78af9f34f4e

SHA1
e4dda7931de57a6a8b7cb56c14b081265d38120a

SHA256
905a4e598698cc4d57281005ce1744bac465d1af0229b6cd68b8f4049658010e

SHA512
1bb04fe975dff2ed4cbc05a9ebd9425e79344f1efcde4b2d0d2a3889b92f2afd9ae7df8bff458b5cb55908dfc67a1227a66c677b579b3339d00f2235013ee880

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f1dfdc80859f1ed2b9b40171b1ac623c

SHA1
059bcbe787e4ccb558f74a2afc85cea5544e8cdd

SHA256
361a00736100cf78af27d24969b394e1911a4fe11bd3c6d602a3c478d3addad5

SHA512
99ff2b009d9e58bb6713907ca7781afee15e08b7533fd50968112a10e7852860be7a6ef9f65aa43221ea3f1a1fab27a693c38b3b6d9029bb2254a1b7019d34a0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
aff2a9b85c741a327ea92f8d931ae7da

SHA1
31a5873dd6fad2a7caf7106523138c3c1fa0fe2b

SHA256
e5c3ee3fecadc78f5960d30de7c7dad1a99177b134d7b7ee85243c3676c1ee22

SHA512
c6a4556c714a95b19a23c01d11495dea2da30cee6d9458d9e2cbb82a1dde5f8bc20c5e227f99950ae5c40ebba11da3b614a973c8fd3bbd7b76396de29334f06c

Download Submit
C:\Users\Admin\AppData\Local\Temp\0IgHXqOu0A.bat

Filesize
192B

MD5
2c9663e267336777d899acc09a2ec02c

SHA1
7af17b1d16f014a30701f6d6b27c2a9df31ed91d

SHA256
af8a6ab074e32aa5b2c62f09fa03396665b8ac74ec02eb5aa30c2347d4e0d23b

SHA512
b883083547d4f8e8409bdb5c20b4eb734ce0c9cf2a5fda89cb0fe2086e02a07eddb4588b751c057d6580154184b5dce319f80349e0ae1801309fa2a162b63f90

Download Submit
C:\Users\Admin\AppData\Local\Temp\0VN2lTwXPf.bat

Filesize
192B

MD5
dc3d0481d6f7dc40c7400649e8ecd326

SHA1
0c05c100593f959aa83d2a49ea6a21e7dfc7d272

SHA256
cb40901f8e651fb17fde4e608815000bf55d778c14e73a44cf2db859bf4f32d9

SHA512
2282c8a853fa1792be03a4aaac9f1ff9ff0036b658ca06b3ee8a786973ea0f080713f4dad70baa3279b576dfd16828ad8351ca7943a055025acdecca565c04bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\2mwtwHUJyt.bat

Filesize
192B

MD5
be7cb273f563ee00ecb7eae11b05bb93

SHA1
ce7203f5dcebd86c2ff37036f45852c1ac677375

SHA256
7fa440f2f9e1e1bc5fa4c20c95f9efed726a3ba7e9c1ca90cb2ca9c1dc5a3843

SHA512
bdaa7e5eda50c30e6a20fd72ef067445696eb37ce53cca266f5a1089b7aa05c31c403f85e113df9cfe53796a81099eeff6fe166169b6a50c585a4c3ea668cfc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabF6C0.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\OoUlhQHDc2.bat

Filesize
192B

MD5
a65154305e466f372f3b09650922809e

SHA1
4457448e59cf4b6f4de72941f1117e12f7f46287

SHA256
539cc9aaa21b7f926bb17acc92803bb271571f3e230376ad135f97bd109233c5

SHA512
6ed28371f0b466224fa00e151372fe8efd50a0c27a460f368cefb060a14e028ebad2c71d893c8e4d8ff061a21d0e47bc516b5df238a6f7e6a909497df4d1c835

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarF6E2.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\U04fYIssV3.bat

Filesize
192B

MD5
ab37526ad7791f20f2968ffcd300e34b

SHA1
7ab8005435ab6c2b81559f57ea938cc3f1d69e9c

SHA256
3eb9d46c5410a0ce2c8e2decec800f8d4932010d6e33f7a315b780d52dcbf06d

SHA512
031ca9b8b076dd189fa9d18486c9ba8f14f5cc76d8fdaa5302122418c84b9218987481266673ad920299d54c647928767da8da40f6d59c0cf645aa3bf7a17a6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\UQ4uSu8U9J.bat

Filesize
192B

MD5
ea93897765e0c3e77341b139c5cd6e7b

SHA1
5c33cc04e065ac8b063cb178e40102118dbc3f7f

SHA256
9d7ec97bd60d092650abb5f74367120a57e4a0d4974dfd9028319026d6f5c29b

SHA512
0f9ed520d1a1bfbbb7b42057ac5179476567f8073c1fdd6a95c348939c3ec365bb688eefb392d195794876549a7b833433a4c2c2c9d7d6462249b6a2ceaa6ef2

Download Submit
C:\Users\Admin\AppData\Local\Temp\dk6czFnjgV.bat

Filesize
192B

MD5
70e3345a5f20ea9408c31288e667b452

SHA1
8df2e069e64ba81dc871f17707cbd438aaa76481

SHA256
7a683ef74e804ec8a0ddde619533df90f3d0103b6c31d0849894fd40ba63a9e6

SHA512
7e5a4a2d949a44c892b9cd5197294b48ebab1a3fa7f62cb8ebec472e17873ca38495a97e6f5e0188b66e9e4b8e1157b99a84741b28d6e15585cd055c14e35223

Download Submit
C:\Users\Admin\AppData\Local\Temp\kz4ReWEb5Y.bat

Filesize
192B

MD5
987ad9b95ee7b1408da47da2768e97a0

SHA1
30135c77e5f85a412cb17f8e5f50af6244e7b7de

SHA256
08b05eb99be92871d026a6911b0963d4231ecf8cb410292310b6043bbe72bfe5

SHA512
1f498ef3ad2f93ce778ee51810191ec6b5f728f514b77a3e8dd8a1fa19262de31c0f82e9edbc6b669e48a74d41a3211638c829ed2c878d27a30f1547847e6f84

Download Submit
C:\Users\Admin\AppData\Local\Temp\qIrWsk3UDC.bat

Filesize
192B

MD5
e6a74151e5935ac7ba488885759ee2e9

SHA1
58b6358cabf8da4c6a91676633502d61adae1a98

SHA256
94725590d7917a0316541d1dced870954a81c575e866fec11c60d6c0e545a8ad

SHA512
31fb91fe98ee7824f5bc63ce6722384a342630c2c16a5152e9334fe9f0b2b68402fbc2ff43b3b17729b66bfc913d04b4c798078a78ebf9cfa37aa61701866d6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\rmFq19iy8Y.bat

Filesize
192B

MD5
607f8ebcc7b0e6fce103c97a7f05c49e

SHA1
a3c90f240133d6e430e5b98a613f6725142219cb

SHA256
330e02024bd760531c7a5aa7c805338c7823c068ae9715e3d9a882c747fa70b6

SHA512
daa58adbb860605811e84994a679ec1065372b051439120231b499f79a83444e9351820afcdfb705841e4f2970f4cbe2b5cb87d81b8f4cc742705af13184379f

Download Submit
C:\Users\Admin\AppData\Local\Temp\uOEGMIRuqZ.bat

Filesize
192B

MD5
15683cdf59a2c4339dd2b90b16115225

SHA1
ce02505bf2113e45c9d2861fb13283bd9b7f2916

SHA256
1b6a41bd1f7199fb7bb526eacaa2fbf9f3289919cedc5e82970f0e60a9c3cb82

SHA512
6c997ff92e1c61d0ed6ce13cb4176ad61cedcb193011ebff1c9143d84d603a2395f5fc2000100181a93e43e4d4536992dac8649ac797dc9b4ed04752f0baf1cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\veDg5wW3gS.bat

Filesize
192B

MD5
b48b7b91729b53d5b9137a46bdf5db2d

SHA1
d76c6c347ba2e11d652e9097f9e6bbf1a88b5e7d

SHA256
f7bafd170cbf4eb0846e8c715d86cbd44342ae1b224fc66059cae908ecc476b9

SHA512
14f673a25b5d43b81a3b3076360e30a59a2ae15052f29a495852eb019056abe9e7cd55ec52e9040d5b90d6825a741ef6c0653cb5ee94b3be62a20892abac14cb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
6dd6a3e93c489cfed71bc8d17ffaf90d

SHA1
10a9875ba38264b9ef5f2bc510e7989da1b9d4e5

SHA256
8ef8143e2cea1b03026e8a0a8197c2e4bb5900a6a55c5e2587de1ab9a858a53b

SHA512
1978288946fcc61d265d113f9324ed73e848afad4c81fd86dd1c0035af3ea712d6f836af886541bb3ab313c87005279ab774127f00f0ec5e7fbb6055b86be073

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/344-45-0x0000000000F50000-0x0000000001060000-memory.dmp

Filesize
1.1MB

Download
memory/344-46-0x00000000002E0000-0x00000000002F2000-memory.dmp

Filesize
72KB

Download
memory/2140-342-0x00000000013D0000-0x00000000014E0000-memory.dmp

Filesize
1.1MB

Download
memory/2584-223-0x00000000004D0000-0x00000000004E2000-memory.dmp

Filesize
72KB

Download
memory/2628-14-0x0000000000430000-0x0000000000442000-memory.dmp

Filesize
72KB

Download
memory/2628-13-0x0000000001280000-0x0000000001390000-memory.dmp

Filesize
1.1MB

Download
memory/2628-15-0x0000000000450000-0x000000000045C000-memory.dmp

Filesize
48KB

Download
memory/2628-16-0x0000000000440000-0x000000000044C000-memory.dmp

Filesize
48KB

Download
memory/2628-17-0x0000000000470000-0x000000000047C000-memory.dmp

Filesize
48KB

Download
memory/3012-41-0x000000001B630000-0x000000001B912000-memory.dmp

Filesize
2.9MB

Download
memory/3012-42-0x0000000001E00000-0x0000000001E08000-memory.dmp

Filesize
32KB

Download