dcrat | a42ed634ddd9033f8bd2cd9e660d179cbec816b02a76bb5dfa4b60cfa4851d91

Analysis

max time kernel
146s
max time network
141s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 06:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_a42ed634ddd9033f8bd2cd9e660d179cbec816b02a76bb5dfa4b60cfa4851d91.exe
Size

1.3MB
MD5

8fd4d175c61e98d8e8c777f556b2a6fd
SHA1

a1bb3f0e49a92c40f8e69217bfcc38c050a72ccf
SHA256

a42ed634ddd9033f8bd2cd9e660d179cbec816b02a76bb5dfa4b60cfa4851d91
SHA512

942844cd9726c51ee27630a2a9efd95f802e87df71c85aa4972dfcf7806542dc9f04f59d5e504abc3feb5638aa920aeaa6f3fe9e12a3877c73f5c5c4498189e2
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 6 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2204	1980	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	692	1980	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3032	1980	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2376	1980	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1104	1980	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	628	1980	schtasks.exe	35

DCRat payload 9 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x00080000000173b2-9.dat	dcrat
behavioral1/memory/2748-13-0x0000000000A80000-0x0000000000B90000-memory.dmp	dcrat
behavioral1/memory/2988-45-0x0000000000ED0000-0x0000000000FE0000-memory.dmp	dcrat
behavioral1/memory/2588-165-0x0000000000EE0000-0x0000000000FF0000-memory.dmp	dcrat
behavioral1/memory/1032-345-0x00000000001D0000-0x00000000002E0000-memory.dmp	dcrat
behavioral1/memory/2308-406-0x0000000000990000-0x0000000000AA0000-memory.dmp	dcrat
behavioral1/memory/916-467-0x0000000001220000-0x0000000001330000-memory.dmp	dcrat
behavioral1/memory/2400-527-0x00000000002E0000-0x00000000003F0000-memory.dmp	dcrat
behavioral1/memory/1156-588-0x0000000000AE0000-0x0000000000BF0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2924	powershell.exe
908	powershell.exe
2916	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
2748	DllCommonsvc.exe
2988	services.exe
1056	services.exe
2588	services.exe
1576	services.exe
2136	services.exe
1032	services.exe
2308	services.exe
916	services.exe
2400	services.exe
1156	services.exe

Loads dropped DLL 2 IoCs

pid	Process
2820	cmd.exe
2820	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

flow	ioc
5	raw.githubusercontent.com
9	raw.githubusercontent.com
15	raw.githubusercontent.com
19	raw.githubusercontent.com
26	raw.githubusercontent.com
4	raw.githubusercontent.com
12	raw.githubusercontent.com
22	raw.githubusercontent.com
30	raw.githubusercontent.com
33	raw.githubusercontent.com

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Sidebar\ja-JP\services.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Sidebar\ja-JP\c5b4cb5e9653cc	DllCommonsvc.exe
File created	C:\Program Files\Windows Media Player\Visualizations\winlogon.exe	DllCommonsvc.exe
File opened for modification	C:\Program Files\Windows Media Player\Visualizations\winlogon.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Media Player\Visualizations\cc11b995f2a76d	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_a42ed634ddd9033f8bd2cd9e660d179cbec816b02a76bb5dfa4b60cfa4851d91.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
692	schtasks.exe
3032	schtasks.exe
2376	schtasks.exe
1104	schtasks.exe
628	schtasks.exe
2204	schtasks.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2748	DllCommonsvc.exe
2916	powershell.exe
2924	powershell.exe
908	powershell.exe
2988	services.exe
1056	services.exe
2588	services.exe
1576	services.exe
2136	services.exe
1032	services.exe
2308	services.exe
916	services.exe
2400	services.exe
1156	services.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	2748	DllCommonsvc.exe
Token: SeDebugPrivilege	2916	powershell.exe
Token: SeDebugPrivilege	2924	powershell.exe
Token: SeDebugPrivilege	908	powershell.exe
Token: SeDebugPrivilege	2988	services.exe
Token: SeDebugPrivilege	1056	services.exe
Token: SeDebugPrivilege	2588	services.exe
Token: SeDebugPrivilege	1576	services.exe
Token: SeDebugPrivilege	2136	services.exe
Token: SeDebugPrivilege	1032	services.exe
Token: SeDebugPrivilege	2308	services.exe
Token: SeDebugPrivilege	916	services.exe
Token: SeDebugPrivilege	2400	services.exe
Token: SeDebugPrivilege	1156	services.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1740 wrote to memory of 2712	1740	JaffaCakes118_a42ed634ddd9033f8bd2cd9e660d179cbec816b02a76bb5dfa4b60cfa4851d91.exe	31
PID 1740 wrote to memory of 2712	1740	JaffaCakes118_a42ed634ddd9033f8bd2cd9e660d179cbec816b02a76bb5dfa4b60cfa4851d91.exe	31
PID 1740 wrote to memory of 2712	1740	JaffaCakes118_a42ed634ddd9033f8bd2cd9e660d179cbec816b02a76bb5dfa4b60cfa4851d91.exe	31
PID 1740 wrote to memory of 2712	1740	JaffaCakes118_a42ed634ddd9033f8bd2cd9e660d179cbec816b02a76bb5dfa4b60cfa4851d91.exe	31
PID 2712 wrote to memory of 2820	2712	WScript.exe	32
PID 2712 wrote to memory of 2820	2712	WScript.exe	32
PID 2712 wrote to memory of 2820	2712	WScript.exe	32
PID 2712 wrote to memory of 2820	2712	WScript.exe	32
PID 2820 wrote to memory of 2748	2820	cmd.exe	34
PID 2820 wrote to memory of 2748	2820	cmd.exe	34
PID 2820 wrote to memory of 2748	2820	cmd.exe	34
PID 2820 wrote to memory of 2748	2820	cmd.exe	34
PID 2748 wrote to memory of 2924	2748	DllCommonsvc.exe	42
PID 2748 wrote to memory of 2924	2748	DllCommonsvc.exe	42
PID 2748 wrote to memory of 2924	2748	DllCommonsvc.exe	42
PID 2748 wrote to memory of 908	2748	DllCommonsvc.exe	43
PID 2748 wrote to memory of 908	2748	DllCommonsvc.exe	43
PID 2748 wrote to memory of 908	2748	DllCommonsvc.exe	43
PID 2748 wrote to memory of 2916	2748	DllCommonsvc.exe	44
PID 2748 wrote to memory of 2916	2748	DllCommonsvc.exe	44
PID 2748 wrote to memory of 2916	2748	DllCommonsvc.exe	44
PID 2748 wrote to memory of 988	2748	DllCommonsvc.exe	48
PID 2748 wrote to memory of 988	2748	DllCommonsvc.exe	48
PID 2748 wrote to memory of 988	2748	DllCommonsvc.exe	48
PID 988 wrote to memory of 1940	988	cmd.exe	50
PID 988 wrote to memory of 1940	988	cmd.exe	50
PID 988 wrote to memory of 1940	988	cmd.exe	50
PID 988 wrote to memory of 2988	988	cmd.exe	51
PID 988 wrote to memory of 2988	988	cmd.exe	51
PID 988 wrote to memory of 2988	988	cmd.exe	51
PID 2988 wrote to memory of 1548	2988	services.exe	52
PID 2988 wrote to memory of 1548	2988	services.exe	52
PID 2988 wrote to memory of 1548	2988	services.exe	52
PID 1548 wrote to memory of 1724	1548	cmd.exe	54
PID 1548 wrote to memory of 1724	1548	cmd.exe	54
PID 1548 wrote to memory of 1724	1548	cmd.exe	54
PID 1548 wrote to memory of 1056	1548	cmd.exe	55
PID 1548 wrote to memory of 1056	1548	cmd.exe	55
PID 1548 wrote to memory of 1056	1548	cmd.exe	55
PID 1056 wrote to memory of 1736	1056	services.exe	56
PID 1056 wrote to memory of 1736	1056	services.exe	56
PID 1056 wrote to memory of 1736	1056	services.exe	56
PID 1736 wrote to memory of 2816	1736	cmd.exe	58
PID 1736 wrote to memory of 2816	1736	cmd.exe	58
PID 1736 wrote to memory of 2816	1736	cmd.exe	58
PID 1736 wrote to memory of 2588	1736	cmd.exe	59
PID 1736 wrote to memory of 2588	1736	cmd.exe	59
PID 1736 wrote to memory of 2588	1736	cmd.exe	59
PID 2588 wrote to memory of 2760	2588	services.exe	60
PID 2588 wrote to memory of 2760	2588	services.exe	60
PID 2588 wrote to memory of 2760	2588	services.exe	60
PID 2760 wrote to memory of 2388	2760	cmd.exe	62
PID 2760 wrote to memory of 2388	2760	cmd.exe	62
PID 2760 wrote to memory of 2388	2760	cmd.exe	62
PID 2760 wrote to memory of 1576	2760	cmd.exe	63
PID 2760 wrote to memory of 1576	2760	cmd.exe	63
PID 2760 wrote to memory of 1576	2760	cmd.exe	63
PID 1576 wrote to memory of 2932	1576	services.exe	64
PID 1576 wrote to memory of 2932	1576	services.exe	64
PID 1576 wrote to memory of 2932	1576	services.exe	64
PID 2932 wrote to memory of 1644	2932	cmd.exe	66
PID 2932 wrote to memory of 1644	2932	cmd.exe	66
PID 2932 wrote to memory of 1644	2932	cmd.exe	66
PID 2932 wrote to memory of 2136	2932	cmd.exe	68

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a42ed634ddd9033f8bd2cd9e660d179cbec816b02a76bb5dfa4b60cfa4851d91.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a42ed634ddd9033f8bd2cd9e660d179cbec816b02a76bb5dfa4b60cfa4851d91.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1740
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2712
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2820
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2748
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2924
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Media Player\Visualizations\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:908
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\ja-JP\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2916
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rX48AtNwwF.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:988
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:1940
      - C:\Program Files\Windows Sidebar\ja-JP\services.exe
        
        "C:\Program Files\Windows Sidebar\ja-JP\services.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2988
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\a1rZrAbBst.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1548
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:1724
        
        C:\Program Files\Windows Sidebar\ja-JP\services.exe
        
        "C:\Program Files\Windows Sidebar\ja-JP\services.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1056
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dk6czFnjgV.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:1736
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2816
        
        C:\Program Files\Windows Sidebar\ja-JP\services.exe
        
        "C:\Program Files\Windows Sidebar\ja-JP\services.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2588
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8t4fMT0wY0.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:2760
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:2388
        
        C:\Program Files\Windows Sidebar\ja-JP\services.exe
        
        "C:\Program Files\Windows Sidebar\ja-JP\services.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1576
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bf2k7CZMYL.bat"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:2932
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:1644
        
        C:\Program Files\Windows Sidebar\ja-JP\services.exe
        
        "C:\Program Files\Windows Sidebar\ja-JP\services.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2136
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2Odt5WJZ2f.bat"
        15⤵
        
        PID:2132
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:1036
        
        C:\Program Files\Windows Sidebar\ja-JP\services.exe
        
        "C:\Program Files\Windows Sidebar\ja-JP\services.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1032
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZHEG9SYztW.bat"
        17⤵
        
        PID:2888
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2608
        
        C:\Program Files\Windows Sidebar\ja-JP\services.exe
        
        "C:\Program Files\Windows Sidebar\ja-JP\services.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2308
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yMeEqlK1gO.bat"
        19⤵
        
        PID:948
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:780
        
        C:\Program Files\Windows Sidebar\ja-JP\services.exe
        
        "C:\Program Files\Windows Sidebar\ja-JP\services.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:916
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aWJwCUxpp4.bat"
        21⤵
        
        PID:1688
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:2368
        
        C:\Program Files\Windows Sidebar\ja-JP\services.exe
        
        "C:\Program Files\Windows Sidebar\ja-JP\services.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2400
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Gy1gqmGK9f.bat"
        23⤵
        
        PID:2576
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:2384
        
        C:\Program Files\Windows Sidebar\ja-JP\services.exe
        
        "C:\Program Files\Windows Sidebar\ja-JP\services.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Media Player\Visualizations\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\Visualizations\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Media Player\Visualizations\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Sidebar\ja-JP\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\ja-JP\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Sidebar\ja-JP\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7ba2bb43812c5061edca48369383b1f1

SHA1
7dd454e7e7c0c59271602c1c6fe7745e909a796d

SHA256
dde26f3d0cdff2ec156a1a59ace9603c5b7427309bf4eceb57298c56e26a9f78

SHA512
c8d930d0e58b46c964c3846b70a7838622813f6b0e1fedb0cdc8d42168f865858b5a82d6c9d47ccdbc25ed53a6187a76cbfb191d896db1c320832fb4664b0de1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4fda422d3f6af6620ac06e83858afeb6

SHA1
9d0f3af71eca078002af291a8d169b01c5d8a749

SHA256
8f3b55622104de899d9afdf5214486a59a9437a3e22eb67b1f4a17ca20c0d19f

SHA512
2f43aad8b9309878d21d257c44cac507a3cb4c2dc8de485f917dca7677a9f75149a65229a8184e9bebe8faa576dc6afc677215c07d8ba4fbf2899b7e13a1d356

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3bb509c1e4fe5afacfe8f245b82ea66a

SHA1
ddd276c9021fc8ccee31c79f5581f0336a655bb6

SHA256
827e5aca3781a84e60b5d2e0048bb1b4737e917d7385a97f110c4a6cbdd1e8f0

SHA512
5b6cf4ba3d2b8f60d74d781bcc06b2410fb3eac1afd7abbef2da5f1e9c014228f87836cae6c518b7e7a162ff5843044c6ece85cd195a1ce5dc7f762cbcbecb85

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
80b5be65026a46a383d9579025cc8d9a

SHA1
97e19b55e166e81a2763238559b12289e85a2998

SHA256
c83e0ece250854cfad5948679b69e2221c41d73e41613b869bb274d4fd4e4c22

SHA512
f0aceaf77535e985eac8455d7c9f328c6dfa0aac9b023571a6f0de75471bc89df9f93e32da5b2b6d4a21c65f95495105a91affc13ecc936cae47fd26d46420a1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9c78521df6a65ad1e6096469d15f78c1

SHA1
f939a06989b56aa772de2d083f9577611619d08d

SHA256
042a6973079d5b0c7b099a0d7abf58b9968c0cb84fbb7436a4b14b84beecc357

SHA512
14d6079a225e94dfa78a4517d41fcac27c6252d55032d2efcd6570dfea2dd0d810351817e7f6371e1acc0cd33e0c140f682bfba8d9f349179542a7ea105617d2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e4536e508e4975fae366f31c70a0fa20

SHA1
9a5e72076329e35e11239d5b9d2e3ae818143494

SHA256
fd756f9b01278d0e2b361595f0a0c126b1eb6cf8f15504b079d26b3681fa58b2

SHA512
83bfe41606a25f4d4363752e77f2bc03bbbfd23155164a108bb51032c1fe2e42867b646e9525006bb0357a9f514ff9acf7edbf77d213802b714ebd750d2f6b24

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1dc32b30c61808b235e4a772397f03cc

SHA1
1960e48ab463606200b13b18f2ca86164d56b3e2

SHA256
c9c4f4c36ce8696ca813b7568dac99cefd382ad05037ab979f79622bc2939550

SHA512
319901cd75c2dfd64db6d544ecab2ef3797c877b90c984dcc529b9822132b4ba4bc6265739273fcf1b0100dde8f799e6d0b63989aad50fdc2ffd1b6f0784715a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0a9ac47e7be318f7d1b12eed919afe37

SHA1
edfe7be1e4913edfaf83da0dd9f84cb744d103b1

SHA256
bac4e159777eb2ca49fe394038c71d7a667e279cc769f8d323c8c45826c86363

SHA512
a9677dd9730c16ce76f222533585bb82363ffe193a269861670f8a8577e34a16e0342837a6e1d0f77ba6f33e8ac89b5e4d6e0ad3ff84889fbc93666ed1222d2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\2Odt5WJZ2f.bat

Filesize
216B

MD5
51d3ff3cfcaef8a10c6a7ec7525a9cc8

SHA1
8cfee37151fb2d64c67cd8d4aab136e5fefbb210

SHA256
ee05cd5a4e750c7323382f8a5a4b58c426082692bcd4b11e9261a192ea1e8969

SHA512
30ee85d7e3190a2f5c980a416814783d787880e751c4d971550cab170269f07f11bfa3d5cfcff58ac6a2e0fc4f5bed6bcd96307781e80848fe85c2efe129f566

Download Submit
C:\Users\Admin\AppData\Local\Temp\8t4fMT0wY0.bat

Filesize
216B

MD5
cc47a6f8b2c9f7b3101feefc2d7dd2db

SHA1
9af970c1bde7e51f4447e0d90213fadbfce8b424

SHA256
e44f74975021b7c6fd81435f83c480c703baf886f8b1a505943423c273b89c93

SHA512
50c2843378a473741a24c6b87cb743a343e96baa3541fa5f8562f39b7fdbe5abd6f4961649c1ae29a8f34ef0c99ac9c640de5a30a4aebb2a80850ece0cf87716

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab366E.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gy1gqmGK9f.bat

Filesize
216B

MD5
ea774df46f029a551775f368d784c623

SHA1
836d4d2e033a6f3cf27bb45b5fdd2fc7b4dda8e2

SHA256
02040ba64fb15fe1807d696168671449ed5312fa18af9ec0dc4e66eca5d11ed3

SHA512
7b0e73167cd87adeb97ccd0adfdedc248a44c35670da0cc2ada1ee86a37f1ae98f85c5fbc7cb7f0f4115323a10dc13b3026ae508cbb1a77b114a039a3edcec75

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3680.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZHEG9SYztW.bat

Filesize
216B

MD5
9b8727ea1c25e3a02adec26e1cd8ea85

SHA1
21710cc6e9f6ebceb246b16656050140890d817b

SHA256
c14249cd5cc2178463dace28e121c5d728e8a6aba1d8ba7a10aa5a7cd03182e9

SHA512
31967e51fb2ee48bad4d548a80e8da96238b08bface4714fd039f437ed000e5517a5c2957f8708b803056923fd3f15818d45d94d7098c3c74cd003d112c1069b

Download Submit
C:\Users\Admin\AppData\Local\Temp\a1rZrAbBst.bat

Filesize
216B

MD5
9183be7a2a4ded16cdbc6144d727dae4

SHA1
07b8528a8890210ff2e364b779f23b150fc8598e

SHA256
b629974f3cf3b5574a966fce54ef7ffc20e500c58c055e4756985015fc5bdd31

SHA512
153bf86b251a59d60c280739a0dd02b12cbdf81f6e31187aef11a0858ab586c0cd2c6452243831949c591d7235530923183c51873398d4d3099b249431f59c53

Download Submit
C:\Users\Admin\AppData\Local\Temp\aWJwCUxpp4.bat

Filesize
216B

MD5
95e32b597dc7f3793d8e54d8ff6c5b71

SHA1
214c5ff7a8fb24cac15852992043a7732c1b1f1d

SHA256
7d04fb63260e21d22184529322576edea3c2eaf2df81f5534a91f551cf78772f

SHA512
779651f57625aeedb28a3ac90e956d910f92a62dad6af5d83ca6ecde23abf6e5224f1687be7b389f08fe71416ad54ed1ac10bd1e075730495e8b43326ec0de8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\bf2k7CZMYL.bat

Filesize
216B

MD5
995116e60d48e4200746e2be13a546db

SHA1
61c48b2309706c101a9905de9b063ae898a18fd0

SHA256
2fa92871f370c9598539009b1a7e801b369df1ca8b2c3588ba515409d3ad7555

SHA512
b81345bb74b5baa8ff1e167b9df7882a16fd00876141edf9c3764baa385df08c221f62d2586f4efbd2d7f473ef67bc18e50905feace0b56aa18388b96b3a867f

Download Submit
C:\Users\Admin\AppData\Local\Temp\dk6czFnjgV.bat

Filesize
216B

MD5
287af346b7eef982af35339cb2311a58

SHA1
b4606482003350c3a19783c05a1c33d7c6b655ea

SHA256
c0ea54a904859be04b18b3db475ece678107101077586816a91435a17e8dc1a7

SHA512
8df9aa25e649d1a03065b79a27cf713a25a5b6964858d5b273bc904690a3eaa265dafa3a54c3254c81da570a14e3ca5ad778a2543ce14a8e57bedc1665dbb267

Download Submit
C:\Users\Admin\AppData\Local\Temp\rX48AtNwwF.bat

Filesize
216B

MD5
ccc28d15869fc419ef37d819b5248b4a

SHA1
eeb214d86c9461e2c4c74408f421d71afc436d0f

SHA256
24c4882579973fa7a5334eb3231701229e4d55cba0eb11f10ce07cea7cc31f7c

SHA512
d35b3f95ed5bc837cbb13fcbdfef0479f370c12ecf71fa438143c78766a54f778f59bdbbaa48ffeb7ee5a84f61399f928c2850db3ef75d6848528261babcb959

Download Submit
C:\Users\Admin\AppData\Local\Temp\yMeEqlK1gO.bat

Filesize
216B

MD5
2a3f18660e24f97628794e1d5b82aeff

SHA1
85af3c0190177dda84248d3e4d869666c6164a02

SHA256
1693273eeecab65e53128198b5615742a0370e0b9303637c37b88cebf98e7c34

SHA512
bf1f073b4c9a6e8cb5287e7eadd02acc63e9ac97394643f6a02d0a3a7f04e587293e901cc9e033f867f2690d4e27a64002ed3ed7f7eb909d4f03e4678cc03dc3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
63942efde61c8227ce3c3a4f2ac9b34a

SHA1
b2b3f6f94586a2d947d35f7185debbc4c840cfe9

SHA256
1ea1d1a5f07dc867c192e6e91c9802a529240b074adf4549a4eeb84393d2c923

SHA512
8da7ea17ea68ed70e10bfc189ecb24473b7bad3fb0a0e8e8fb5d13cb1a23db6c70cc8794f3f6174efe3fa9e8e1fa738d8072aa5a9338a7cc7c00fd0e027d7ed1

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/916-467-0x0000000001220000-0x0000000001330000-memory.dmp

Filesize
1.1MB

Download
memory/1032-345-0x00000000001D0000-0x00000000002E0000-memory.dmp

Filesize
1.1MB

Download
memory/1032-346-0x00000000001C0000-0x00000000001D2000-memory.dmp

Filesize
72KB

Download
memory/1056-105-0x00000000002C0000-0x00000000002D2000-memory.dmp

Filesize
72KB

Download
memory/1156-588-0x0000000000AE0000-0x0000000000BF0000-memory.dmp

Filesize
1.1MB

Download
memory/1576-226-0x00000000003C0000-0x00000000003D2000-memory.dmp

Filesize
72KB

Download
memory/2308-406-0x0000000000990000-0x0000000000AA0000-memory.dmp

Filesize
1.1MB

Download
memory/2308-407-0x0000000000980000-0x0000000000992000-memory.dmp

Filesize
72KB

Download
memory/2400-527-0x00000000002E0000-0x00000000003F0000-memory.dmp

Filesize
1.1MB

Download
memory/2400-528-0x00000000002D0000-0x00000000002E2000-memory.dmp

Filesize
72KB

Download
memory/2588-166-0x00000000002C0000-0x00000000002D2000-memory.dmp

Filesize
72KB

Download
memory/2588-165-0x0000000000EE0000-0x0000000000FF0000-memory.dmp

Filesize
1.1MB

Download
memory/2748-16-0x00000000005B0000-0x00000000005BC000-memory.dmp

Filesize
48KB

Download
memory/2748-17-0x00000000005D0000-0x00000000005DC000-memory.dmp

Filesize
48KB

Download
memory/2748-15-0x00000000005C0000-0x00000000005CC000-memory.dmp

Filesize
48KB

Download
memory/2748-14-0x00000000004B0000-0x00000000004C2000-memory.dmp

Filesize
72KB

Download
memory/2748-13-0x0000000000A80000-0x0000000000B90000-memory.dmp

Filesize
1.1MB

Download
memory/2916-36-0x000000001B8F0000-0x000000001BBD2000-memory.dmp

Filesize
2.9MB

Download
memory/2916-37-0x0000000002040000-0x0000000002048000-memory.dmp

Filesize
32KB

Download
memory/2988-46-0x0000000000450000-0x0000000000462000-memory.dmp

Filesize
72KB

Download
memory/2988-45-0x0000000000ED0000-0x0000000000FE0000-memory.dmp

Filesize
1.1MB

Download