dcrat | 997250896c5d917f93e0e225f46c30d7d0b7f1d6500e5b02b523fd9f831f8037

Analysis

max time kernel
148s
max time network
144s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 05:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_997250896c5d917f93e0e225f46c30d7d0b7f1d6500e5b02b523fd9f831f8037.exe
Size

1.3MB
MD5

1d3725f57deef2382ccc3748e94ba9a1
SHA1

0e900b6e418e25658039640ad970fc686e75a963
SHA256

997250896c5d917f93e0e225f46c30d7d0b7f1d6500e5b02b523fd9f831f8037
SHA512

e0f751c197595fea11635d24d93b0f66ee2aa39ac85ef6ddbc43574c07fe8983e022438c2c2e32d05868764fc12759008a43c99845f8f02de43273d1b377dbe9
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 6 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2732	2924	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2084	2924	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2984	2924	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2728	2924	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2620	2924	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2660	2924	schtasks.exe	34

DCRat payload 7 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0007000000015ec9-10.dat	dcrat
behavioral1/memory/2180-13-0x00000000012A0000-0x00000000013B0000-memory.dmp	dcrat
behavioral1/memory/2316-43-0x0000000000DE0000-0x0000000000EF0000-memory.dmp	dcrat
behavioral1/memory/2968-220-0x00000000012E0000-0x00000000013F0000-memory.dmp	dcrat
behavioral1/memory/1984-516-0x00000000013A0000-0x00000000014B0000-memory.dmp	dcrat
behavioral1/memory/2828-577-0x00000000001B0000-0x00000000002C0000-memory.dmp	dcrat
behavioral1/memory/2392-637-0x0000000000260000-0x0000000000370000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2736	powershell.exe
2336	powershell.exe
2572	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2180	DllCommonsvc.exe
2316	taskhost.exe
892	taskhost.exe
2272	taskhost.exe
2968	taskhost.exe
1304	taskhost.exe
1924	taskhost.exe
3012	taskhost.exe
1628	taskhost.exe
1984	taskhost.exe
2828	taskhost.exe
2392	taskhost.exe

Loads dropped DLL 2 IoCs

pid	Process
2580	cmd.exe
2580	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
4	raw.githubusercontent.com
9	raw.githubusercontent.com
16	raw.githubusercontent.com
23	raw.githubusercontent.com
26	raw.githubusercontent.com
33	raw.githubusercontent.com
36	raw.githubusercontent.com
5	raw.githubusercontent.com
12	raw.githubusercontent.com
19	raw.githubusercontent.com
29	raw.githubusercontent.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_997250896c5d917f93e0e225f46c30d7d0b7f1d6500e5b02b523fd9f831f8037.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2732	schtasks.exe
2084	schtasks.exe
2984	schtasks.exe
2728	schtasks.exe
2620	schtasks.exe
2660	schtasks.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
2180	DllCommonsvc.exe
2736	powershell.exe
2336	powershell.exe
2572	powershell.exe
2316	taskhost.exe
892	taskhost.exe
2272	taskhost.exe
2968	taskhost.exe
1304	taskhost.exe
1924	taskhost.exe
3012	taskhost.exe
1628	taskhost.exe
1984	taskhost.exe
2828	taskhost.exe
2392	taskhost.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	2180	DllCommonsvc.exe
Token: SeDebugPrivilege	2736	powershell.exe
Token: SeDebugPrivilege	2336	powershell.exe
Token: SeDebugPrivilege	2572	powershell.exe
Token: SeDebugPrivilege	2316	taskhost.exe
Token: SeDebugPrivilege	892	taskhost.exe
Token: SeDebugPrivilege	2272	taskhost.exe
Token: SeDebugPrivilege	2968	taskhost.exe
Token: SeDebugPrivilege	1304	taskhost.exe
Token: SeDebugPrivilege	1924	taskhost.exe
Token: SeDebugPrivilege	3012	taskhost.exe
Token: SeDebugPrivilege	1628	taskhost.exe
Token: SeDebugPrivilege	1984	taskhost.exe
Token: SeDebugPrivilege	2828	taskhost.exe
Token: SeDebugPrivilege	2392	taskhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2168 wrote to memory of 2916	2168	JaffaCakes118_997250896c5d917f93e0e225f46c30d7d0b7f1d6500e5b02b523fd9f831f8037.exe	30
PID 2168 wrote to memory of 2916	2168	JaffaCakes118_997250896c5d917f93e0e225f46c30d7d0b7f1d6500e5b02b523fd9f831f8037.exe	30
PID 2168 wrote to memory of 2916	2168	JaffaCakes118_997250896c5d917f93e0e225f46c30d7d0b7f1d6500e5b02b523fd9f831f8037.exe	30
PID 2168 wrote to memory of 2916	2168	JaffaCakes118_997250896c5d917f93e0e225f46c30d7d0b7f1d6500e5b02b523fd9f831f8037.exe	30
PID 2916 wrote to memory of 2580	2916	WScript.exe	31
PID 2916 wrote to memory of 2580	2916	WScript.exe	31
PID 2916 wrote to memory of 2580	2916	WScript.exe	31
PID 2916 wrote to memory of 2580	2916	WScript.exe	31
PID 2580 wrote to memory of 2180	2580	cmd.exe	33
PID 2580 wrote to memory of 2180	2580	cmd.exe	33
PID 2580 wrote to memory of 2180	2580	cmd.exe	33
PID 2580 wrote to memory of 2180	2580	cmd.exe	33
PID 2180 wrote to memory of 2736	2180	DllCommonsvc.exe	41
PID 2180 wrote to memory of 2736	2180	DllCommonsvc.exe	41
PID 2180 wrote to memory of 2736	2180	DllCommonsvc.exe	41
PID 2180 wrote to memory of 2336	2180	DllCommonsvc.exe	42
PID 2180 wrote to memory of 2336	2180	DllCommonsvc.exe	42
PID 2180 wrote to memory of 2336	2180	DllCommonsvc.exe	42
PID 2180 wrote to memory of 2572	2180	DllCommonsvc.exe	43
PID 2180 wrote to memory of 2572	2180	DllCommonsvc.exe	43
PID 2180 wrote to memory of 2572	2180	DllCommonsvc.exe	43
PID 2180 wrote to memory of 2004	2180	DllCommonsvc.exe	47
PID 2180 wrote to memory of 2004	2180	DllCommonsvc.exe	47
PID 2180 wrote to memory of 2004	2180	DllCommonsvc.exe	47
PID 2004 wrote to memory of 3040	2004	cmd.exe	49
PID 2004 wrote to memory of 3040	2004	cmd.exe	49
PID 2004 wrote to memory of 3040	2004	cmd.exe	49
PID 2004 wrote to memory of 2316	2004	cmd.exe	51
PID 2004 wrote to memory of 2316	2004	cmd.exe	51
PID 2004 wrote to memory of 2316	2004	cmd.exe	51
PID 2316 wrote to memory of 1960	2316	taskhost.exe	52
PID 2316 wrote to memory of 1960	2316	taskhost.exe	52
PID 2316 wrote to memory of 1960	2316	taskhost.exe	52
PID 1960 wrote to memory of 1952	1960	cmd.exe	54
PID 1960 wrote to memory of 1952	1960	cmd.exe	54
PID 1960 wrote to memory of 1952	1960	cmd.exe	54
PID 1960 wrote to memory of 892	1960	cmd.exe	55
PID 1960 wrote to memory of 892	1960	cmd.exe	55
PID 1960 wrote to memory of 892	1960	cmd.exe	55
PID 892 wrote to memory of 2920	892	taskhost.exe	56
PID 892 wrote to memory of 2920	892	taskhost.exe	56
PID 892 wrote to memory of 2920	892	taskhost.exe	56
PID 2920 wrote to memory of 2420	2920	cmd.exe	58
PID 2920 wrote to memory of 2420	2920	cmd.exe	58
PID 2920 wrote to memory of 2420	2920	cmd.exe	58
PID 2920 wrote to memory of 2272	2920	cmd.exe	59
PID 2920 wrote to memory of 2272	2920	cmd.exe	59
PID 2920 wrote to memory of 2272	2920	cmd.exe	59
PID 2272 wrote to memory of 1156	2272	taskhost.exe	60
PID 2272 wrote to memory of 1156	2272	taskhost.exe	60
PID 2272 wrote to memory of 1156	2272	taskhost.exe	60
PID 1156 wrote to memory of 2572	1156	cmd.exe	62
PID 1156 wrote to memory of 2572	1156	cmd.exe	62
PID 1156 wrote to memory of 2572	1156	cmd.exe	62
PID 1156 wrote to memory of 2968	1156	cmd.exe	63
PID 1156 wrote to memory of 2968	1156	cmd.exe	63
PID 1156 wrote to memory of 2968	1156	cmd.exe	63
PID 2968 wrote to memory of 1248	2968	taskhost.exe	64
PID 2968 wrote to memory of 1248	2968	taskhost.exe	64
PID 2968 wrote to memory of 1248	2968	taskhost.exe	64
PID 1248 wrote to memory of 1656	1248	cmd.exe	66
PID 1248 wrote to memory of 1656	1248	cmd.exe	66
PID 1248 wrote to memory of 1656	1248	cmd.exe	66
PID 1248 wrote to memory of 1304	1248	cmd.exe	67

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_997250896c5d917f93e0e225f46c30d7d0b7f1d6500e5b02b523fd9f831f8037.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_997250896c5d917f93e0e225f46c30d7d0b7f1d6500e5b02b523fd9f831f8037.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2168
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2916
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2580
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2180
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2736
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2336
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2572
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\suxlltqCa3.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2004
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:3040
      - C:\MSOCache\All Users\taskhost.exe
        
        "C:\MSOCache\All Users\taskhost.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2316
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Wm5t4PlH1R.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1960
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:1952
        
        C:\MSOCache\All Users\taskhost.exe
        
        "C:\MSOCache\All Users\taskhost.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:892
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aPx44ABVco.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2920
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2420
        
        C:\MSOCache\All Users\taskhost.exe
        
        "C:\MSOCache\All Users\taskhost.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2272
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hiVaTihpWK.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:1156
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:2572
        
        C:\MSOCache\All Users\taskhost.exe
        
        "C:\MSOCache\All Users\taskhost.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2968
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\avPRQTW9Zy.bat"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:1248
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:1656
        
        C:\MSOCache\All Users\taskhost.exe
        
        "C:\MSOCache\All Users\taskhost.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1304
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SvvYNrLnHE.bat"
        15⤵
        
        PID:1928
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:1584
        
        C:\MSOCache\All Users\taskhost.exe
        
        "C:\MSOCache\All Users\taskhost.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1924
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QLJ4q7S46F.bat"
        17⤵
        
        PID:2780
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2644
        
        C:\MSOCache\All Users\taskhost.exe
        
        "C:\MSOCache\All Users\taskhost.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3012
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VoHf0I0Wzs.bat"
        19⤵
        
        PID:2600
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:1632
        
        C:\MSOCache\All Users\taskhost.exe
        
        "C:\MSOCache\All Users\taskhost.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1628
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gJVLZ7RDs3.bat"
        21⤵
        
        PID:1012
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:1884
        
        C:\MSOCache\All Users\taskhost.exe
        
        "C:\MSOCache\All Users\taskhost.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1984
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Bf5uratM3O.bat"
        23⤵
        
        PID:2664
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:1492
        
        C:\MSOCache\All Users\taskhost.exe
        
        "C:\MSOCache\All Users\taskhost.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2828
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TfYr4aOzGb.bat"
        25⤵
        
        PID:572
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:1152
        
        C:\MSOCache\All Users\taskhost.exe
        
        "C:\MSOCache\All Users\taskhost.exe"
        26⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
74eabf7cee18c09bff80661e52adcfd8

SHA1
45dd6401a8eac71f712a61b21ec61872b8f03372

SHA256
9f2db1c7ab6e4955a6c7ad62424777e28ff811a7ada3c3c0be87940cecc14101

SHA512
2db0b36a2304f2c94c52721dd9d24825fc4e4d254c134d1012f81e23c5636ccdfb5d36c547d0a2b187839386f2c8c34a8da551e26a8c9c52c5bd2a064be80c4e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
65db7a3b160a9595c585137d651e4c16

SHA1
d7349ad78fd24ee79aa153f5766754716ba37c9c

SHA256
f2bdc70b4475284c35eb2646201d76f5ff3645bb8a2fa83264779847ecf7eae4

SHA512
f231e006ad66052b92785aeabd87bc22f40fd19e94585d095ba2927306054dcbaa8c3f05c0d80b2705b86f59f9f930f4497fb5dea9f0a35dd77b4cf26fa8409a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
21e08ea353f3859bd438f47f533ab2fb

SHA1
446bdda10a32c384c45f3b9342a709e0965988ec

SHA256
80d4c647950a62a7f52ca8ceddf77796c22a49c2d22030f4bc61e42e01017d97

SHA512
d46ee87163cbfeb65e809525fe6afc358a739269fdd26ed9263b07bb7370792413243640c94df482a83e9edd925097f73ac3ad6552afead7daf64150b1364415

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
79347db931067cf8197b903f818e7678

SHA1
ac265bb1f748fd375d4839ad3e4be45889588b52

SHA256
8b117f39b780b19fdd1a2b330788e8ef526662fc81a4ad6b0b9b3379f2daeb6e

SHA512
d25dab742f7bbd3d09937048163d6734d876f59816ce3461a1b6537fe7fd5f71e6e2d04cdcfb96c06e8279d7a428fb5d1c422e90d09529967b7be633dc182adb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2aab5e1448e602b0696db4f71acd06fe

SHA1
be7e6f6bd3e623018c1a7d6141e3b3930ac7fd10

SHA256
427e4f7b7542648aacfcdbb0e215a2f42350d5cbefa0920f02f5b8b1393618a1

SHA512
35f11162c249cb360320dbe9645b1ea92419cb07a043178171924303a56adbd54eca31779e79011e43a79e84b7abd15598ffcd0c17ef97a795cb39abe0d6a27c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
75e074b0a16b1ea2834f9cc9f0d320c1

SHA1
fa4bf2f81f0c8b0eef6f59a5d23da6571d60d806

SHA256
5c25da92f1b5fe3f9cc13dade16c67d81282e1a665ba4a5c7fc035dd58ca756c

SHA512
2d26378ffd2de677c51871f5816f7b31b085f70d6e2403ddc197018314870b2bfad468aeab347ebd288803895eff7dd33a26f9899c015a6309a13340d6ff6a0c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7f23ea38cc475ee3f3215b9a2c384f0c

SHA1
e31c9525407a972ce8dc3d47d6166def9ee87edb

SHA256
4ca31d0e817d14fa6af099a376ae7a90cbcf79e403284038763d4239cf959b7f

SHA512
50d291741b37a434e477a6dbc1b5902b2c7bf4de71938c06d04ab8444c97fc02e2add2d5461be088fa9a3e8ab51f12e75bf18a5986645450b8a1a30d53971225

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
46f230a3af108afb6bad7ba13b5cb1a1

SHA1
572077fd127edd37dfa1d5209c4225e3692d687b

SHA256
260dcd4d31ef485c8d0f644ec26beb388f9369f9d94c05ab8341ff74d1bd6542

SHA512
7213f1c4cbac04608ac2fff08caf5a17a88583fd017cdbdbfe534f77f331fe0ea1fc9109cbc34e1352388d887878e6bca4b97f982cda5bd3e518892ef1667a35

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b5b817a4a3caea8542a13b46827f9b88

SHA1
6a7ba8c8dd433e3459cbde3a5ea97c2d582d0db1

SHA256
c8febf9f7d412e9f92c1505b5f23560b0839bc31ce02ab636cf56a932297beee

SHA512
b9480fe222b29515a7ce1ed5000e30ac3cbcaa6ac5d77045d1acb28a0f7ccbd412c0deb7bd54ea90595501e2670a1adb9517bbb26c262bc3ef38af05a15d3875

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bf5uratM3O.bat

Filesize
199B

MD5
fd8127bcc7f8ae8354753505c68c8386

SHA1
f67d0c91e55fad41667524eaca2c2136e9385c49

SHA256
76f319561e6e804187e5d1125b02c96ad805e465de11f1820dc4caaa2abebe6a

SHA512
976369d370dbf9a25eb3dfa625dc4c002d1774ff2d4d0c77dde386195294ab1a28823c25c9264607dbb51026ac08a47225fda4fbc79aa2a6e84888deb38735ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabE9B5.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\QLJ4q7S46F.bat

Filesize
199B

MD5
8f2ba7cc53cf2694248b62f63f173cd6

SHA1
eb7d31e9aa6fcec20df85077d73c4c866a71afa6

SHA256
aa3832d1cbda1a12cc26c408707ce19cd178bd1e72b29cf8ab4c7fc521be32b7

SHA512
2b05de7c114056161f77e37d186a263dd821ba73de859b075b90df9f3c509a7846e9ed7c82caed8b18e70dc7c1bdaf666a695b3523bd0375e54352c7def96f11

Download Submit
C:\Users\Admin\AppData\Local\Temp\SvvYNrLnHE.bat

Filesize
199B

MD5
bdf4532ab8ac75772fb0b1ee1e7daf96

SHA1
6c92f979dd2e3ba8fef90327797d9d90c0f8f7b7

SHA256
fd7a02f55ae9a3d3e877454a85580bac2807554335ccc94b071ae441ee6c5756

SHA512
122a3a8f9443e5879ad8e3ab87093d217d337409eb9bff06c56c47f04e9b49326aa2c2dbefa47a78805cc9baaf3ea1b4a6440bb6d98ab7bdd10f6b0b04fa2ae0

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarE9C8.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TfYr4aOzGb.bat

Filesize
199B

MD5
b4159e3ff09842a4ee246e3ad76b7b47

SHA1
411b35d4394d648380d35a3e17772d9fd49ad3f0

SHA256
d665994c8c215b55463d0605f9cb567c7e895ca8e32e84e9b79b43f33e6fb8e2

SHA512
9ca1c79752a32ccd6f28f61e311777bb0d0e1fd463eca5c77354130f4de1d618b7ea49345b9fb9b545e3d18bf25511ca5f9a81a9863492a083d4dd79f0d488fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\VoHf0I0Wzs.bat

Filesize
199B

MD5
f1380e30bb00c55ce4f1919eafb395aa

SHA1
31d20678a3f677a20badce003b5060624d70e2ae

SHA256
04c43a879ca64fa7a06fc00f87fddd9fb6823bfffd7eaf5bae1423569a9c653f

SHA512
792ea85186059cf03c600129926510e0b59ee1c3f00a8108990272c43de009cd4fa0a7dd2f3cf66d82f4d9b9f35855b275f5e7fe9db851e8f607a23466a97f4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wm5t4PlH1R.bat

Filesize
199B

MD5
9d6f72b61803674d8a7e381f4d386394

SHA1
1e38df00f0fc708a69edf540f6bf0c395e9abe65

SHA256
15bf077bc83f4e7cb0d3f2641083e79d4ec76540f41a33947b61da6415f04a89

SHA512
da024b729e0e54c792d84609ecfd822dcde80075b127365f9529b50a1a71148fd72255e59b4d299e71226eed08ff757b807f4e82584d3996634864999f0c01f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\aPx44ABVco.bat

Filesize
199B

MD5
9d707e75e5d125b22a1591ea5cc82e0e

SHA1
d6321d5297ca7dcb3822e99e974f5716675b5493

SHA256
54b9618cc1a7cf5a74f07432a4b6fb5850597f44822424d84c7a67c874087490

SHA512
c02718b9ae1f4f6148758abb37e07b9fae93c7c762bba50303595e96ff9c2a7a15fef4db4e0d53b80a5320528b528c6db8b05345442e92a814135aa521d9941e

Download Submit
C:\Users\Admin\AppData\Local\Temp\avPRQTW9Zy.bat

Filesize
199B

MD5
2826ff1b2d9ad0d9ea0752403e279e1c

SHA1
b962e26f969657d3db9827ef5b9102064baf107e

SHA256
ab06e3a372a9200fb4513fbd2752a2c0cb0c153153a5da9b6b8730474058911e

SHA512
c6cd3f6703d503e96b21f125e005001f3ca44f8775f77aa51a0117891629f767c5ce4911935288de551b2ae3ab02d19d7a82b876f5364257531e9ee0bd268419

Download Submit
C:\Users\Admin\AppData\Local\Temp\gJVLZ7RDs3.bat

Filesize
199B

MD5
e152c24e08b025aecb293edf82bddb70

SHA1
b3175c7c1e904abe478d3bf2f55d28c004cbd94d

SHA256
c43947ec78951632e78fab3d5517a3542d7f8ca68edf09e8939950ceadfa194e

SHA512
b2edb1012c27e14b276cc1ecd937d61fea74e04265abb25ca5d549a84f33d9140a23e4f6518dd93e5e617fae400ce773f3d3cb16fd8038eb5d1d453cf8350adc

Download Submit
C:\Users\Admin\AppData\Local\Temp\hiVaTihpWK.bat

Filesize
199B

MD5
dd46fa24062edb5fca0e5c6aabb53e2a

SHA1
334f2b10170ee45e595f0673f79d40c11e1ef7c2

SHA256
4d0b19e121d9ea2e5957b0d8f062e47119020918b058cad495f4634b39868d2a

SHA512
d52541d3fc443911a19a8a360dc67d9dc661e9071aa23e6e3df12af2df29f59d26c427e4d83dc06765d46a75a819e51aacc21e4618a057057533d0c03ae2eed2

Download Submit
C:\Users\Admin\AppData\Local\Temp\suxlltqCa3.bat

Filesize
199B

MD5
55bd766cd6b6fae0a9cca719cc73db64

SHA1
2ad49765ec0397196075bda236cadaa1d227ec1e

SHA256
622564507b0ae6b46dba96fe364d91bbdccbe3ac20a6e4fafb71895f544303c4

SHA512
ff62b7839e01cbf7b13b059b85e326f7072e1bff6f81c7cf212314a1e61609514c0c2f013a329d1e60c2f73541b0e5f02814a4be4128f2859bce88de6089891b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
c9dd6118e077eaa4cc2184f5615f1877

SHA1
58ce7f61b350a1f6c36251c0ba71b015b4104894

SHA256
8908002f315036fecfdf4fc44d9e1649209291fcd957d817601f9510a5e0b982

SHA512
9603d1fc44bcee10bc0b088b6d7abb76a42a574e5198a27af627a7a00dff0d000d1abf760c465be629cd8d35b7be0dfec774733d5c5426552df67c349d6fcf86

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/1984-517-0x0000000000450000-0x0000000000462000-memory.dmp

Filesize
72KB

Download
memory/1984-516-0x00000000013A0000-0x00000000014B0000-memory.dmp

Filesize
1.1MB

Download
memory/2180-14-0x00000000002D0000-0x00000000002E2000-memory.dmp

Filesize
72KB

Download
memory/2180-15-0x0000000000670000-0x000000000067C000-memory.dmp

Filesize
48KB

Download
memory/2180-16-0x0000000000680000-0x000000000068C000-memory.dmp

Filesize
48KB

Download
memory/2180-13-0x00000000012A0000-0x00000000013B0000-memory.dmp

Filesize
1.1MB

Download
memory/2180-17-0x00000000002E0000-0x00000000002EC000-memory.dmp

Filesize
48KB

Download
memory/2316-43-0x0000000000DE0000-0x0000000000EF0000-memory.dmp

Filesize
1.1MB

Download
memory/2392-637-0x0000000000260000-0x0000000000370000-memory.dmp

Filesize
1.1MB

Download
memory/2736-39-0x000000001B650000-0x000000001B932000-memory.dmp

Filesize
2.9MB

Download
memory/2736-40-0x0000000002970000-0x0000000002978000-memory.dmp

Filesize
32KB

Download
memory/2828-577-0x00000000001B0000-0x00000000002C0000-memory.dmp

Filesize
1.1MB

Download
memory/2968-220-0x00000000012E0000-0x00000000013F0000-memory.dmp

Filesize
1.1MB

Download