dcrat | 73a922cbf5d07fef664f00d58736e4c9910eae1ed8bb55197d7ffc19110c1553

Analysis

max time kernel
142s
max time network
137s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 12:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_73a922cbf5d07fef664f00d58736e4c9910eae1ed8bb55197d7ffc19110c1553.exe
Size

1.3MB
MD5

184215fccf5f2d52507739032abd006b
SHA1

60dfaad78132641ebf6e1ec447ccd2e355bcc235
SHA256

73a922cbf5d07fef664f00d58736e4c9910eae1ed8bb55197d7ffc19110c1553
SHA512

24988b3d41f1b6749b761c4a18f8a683fb4b8b14a1ef11a41de231f8df1e6185c1d38e3d22afec142cbc2b77678d52d3f9bb0a2fada127144060d056c4d4d924
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 12 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2600	2616	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2720	2616	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	576	2616	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3052	2616	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2648	2616	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2128	2616	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1648	2616	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	804	2616	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1724	2616	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2292	2616	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2608	2616	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2284	2616	schtasks.exe	34

DCRat payload 8 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000017079-12.dat	dcrat
behavioral1/memory/2052-13-0x0000000000970000-0x0000000000A80000-memory.dmp	dcrat
behavioral1/memory/860-57-0x00000000003D0000-0x00000000004E0000-memory.dmp	dcrat
behavioral1/memory/1592-117-0x00000000008C0000-0x00000000009D0000-memory.dmp	dcrat
behavioral1/memory/2548-177-0x0000000000C80000-0x0000000000D90000-memory.dmp	dcrat
behavioral1/memory/1092-414-0x0000000001240000-0x0000000001350000-memory.dmp	dcrat
behavioral1/memory/1132-592-0x00000000001F0000-0x0000000000300000-memory.dmp	dcrat
behavioral1/memory/760-652-0x0000000001080000-0x0000000001190000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1732	powershell.exe
1304	powershell.exe
1148	powershell.exe
1484	powershell.exe
2844	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2052	DllCommonsvc.exe
860	services.exe
1592	services.exe
2548	services.exe
1076	services.exe
2480	services.exe
1688	services.exe
1092	services.exe
1044	services.exe
344	services.exe
1132	services.exe
760	services.exe

Loads dropped DLL 2 IoCs

pid	Process
2384	cmd.exe
2384	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
18	raw.githubusercontent.com
22	raw.githubusercontent.com
36	raw.githubusercontent.com
9	raw.githubusercontent.com
5	raw.githubusercontent.com
12	raw.githubusercontent.com
15	raw.githubusercontent.com
26	raw.githubusercontent.com
29	raw.githubusercontent.com
32	raw.githubusercontent.com
4	raw.githubusercontent.com

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Uninstall Information\smss.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Uninstall Information\69ddcba757bf72	DllCommonsvc.exe
File created	C:\Program Files\VideoLAN\VLC\hrtfs\OSPPSVC.exe	DllCommonsvc.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\hrtfs\OSPPSVC.exe	DllCommonsvc.exe
File created	C:\Program Files\VideoLAN\VLC\hrtfs\1610b97d3ab4a7	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Sidebar\fr-FR\services.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Portable Devices\System.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Sidebar\fr-FR\c5b4cb5e9653cc	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Portable Devices\27d1bcfc3c54e0	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_73a922cbf5d07fef664f00d58736e4c9910eae1ed8bb55197d7ffc19110c1553.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 12 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1724	schtasks.exe
3052	schtasks.exe
2648	schtasks.exe
576	schtasks.exe
2128	schtasks.exe
1648	schtasks.exe
804	schtasks.exe
2292	schtasks.exe
2608	schtasks.exe
2600	schtasks.exe
2720	schtasks.exe
2284	schtasks.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
2052	DllCommonsvc.exe
1484	powershell.exe
1732	powershell.exe
2844	powershell.exe
1304	powershell.exe
1148	powershell.exe
860	services.exe
1592	services.exe
2548	services.exe
1076	services.exe
2480	services.exe
1688	services.exe
1092	services.exe
1044	services.exe
344	services.exe
1132	services.exe
760	services.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeDebugPrivilege	2052	DllCommonsvc.exe
Token: SeDebugPrivilege	1484	powershell.exe
Token: SeDebugPrivilege	1732	powershell.exe
Token: SeDebugPrivilege	2844	powershell.exe
Token: SeDebugPrivilege	1304	powershell.exe
Token: SeDebugPrivilege	1148	powershell.exe
Token: SeDebugPrivilege	860	services.exe
Token: SeDebugPrivilege	1592	services.exe
Token: SeDebugPrivilege	2548	services.exe
Token: SeDebugPrivilege	1076	services.exe
Token: SeDebugPrivilege	2480	services.exe
Token: SeDebugPrivilege	1688	services.exe
Token: SeDebugPrivilege	1092	services.exe
Token: SeDebugPrivilege	1044	services.exe
Token: SeDebugPrivilege	344	services.exe
Token: SeDebugPrivilege	1132	services.exe
Token: SeDebugPrivilege	760	services.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2644 wrote to memory of 2812	2644	JaffaCakes118_73a922cbf5d07fef664f00d58736e4c9910eae1ed8bb55197d7ffc19110c1553.exe	30
PID 2644 wrote to memory of 2812	2644	JaffaCakes118_73a922cbf5d07fef664f00d58736e4c9910eae1ed8bb55197d7ffc19110c1553.exe	30
PID 2644 wrote to memory of 2812	2644	JaffaCakes118_73a922cbf5d07fef664f00d58736e4c9910eae1ed8bb55197d7ffc19110c1553.exe	30
PID 2644 wrote to memory of 2812	2644	JaffaCakes118_73a922cbf5d07fef664f00d58736e4c9910eae1ed8bb55197d7ffc19110c1553.exe	30
PID 2812 wrote to memory of 2384	2812	WScript.exe	31
PID 2812 wrote to memory of 2384	2812	WScript.exe	31
PID 2812 wrote to memory of 2384	2812	WScript.exe	31
PID 2812 wrote to memory of 2384	2812	WScript.exe	31
PID 2384 wrote to memory of 2052	2384	cmd.exe	33
PID 2384 wrote to memory of 2052	2384	cmd.exe	33
PID 2384 wrote to memory of 2052	2384	cmd.exe	33
PID 2384 wrote to memory of 2052	2384	cmd.exe	33
PID 2052 wrote to memory of 2844	2052	DllCommonsvc.exe	47
PID 2052 wrote to memory of 2844	2052	DllCommonsvc.exe	47
PID 2052 wrote to memory of 2844	2052	DllCommonsvc.exe	47
PID 2052 wrote to memory of 1732	2052	DllCommonsvc.exe	48
PID 2052 wrote to memory of 1732	2052	DllCommonsvc.exe	48
PID 2052 wrote to memory of 1732	2052	DllCommonsvc.exe	48
PID 2052 wrote to memory of 1304	2052	DllCommonsvc.exe	49
PID 2052 wrote to memory of 1304	2052	DllCommonsvc.exe	49
PID 2052 wrote to memory of 1304	2052	DllCommonsvc.exe	49
PID 2052 wrote to memory of 1148	2052	DllCommonsvc.exe	50
PID 2052 wrote to memory of 1148	2052	DllCommonsvc.exe	50
PID 2052 wrote to memory of 1148	2052	DllCommonsvc.exe	50
PID 2052 wrote to memory of 1484	2052	DllCommonsvc.exe	51
PID 2052 wrote to memory of 1484	2052	DllCommonsvc.exe	51
PID 2052 wrote to memory of 1484	2052	DllCommonsvc.exe	51
PID 2052 wrote to memory of 540	2052	DllCommonsvc.exe	57
PID 2052 wrote to memory of 540	2052	DllCommonsvc.exe	57
PID 2052 wrote to memory of 540	2052	DllCommonsvc.exe	57
PID 540 wrote to memory of 1952	540	cmd.exe	59
PID 540 wrote to memory of 1952	540	cmd.exe	59
PID 540 wrote to memory of 1952	540	cmd.exe	59
PID 540 wrote to memory of 860	540	cmd.exe	60
PID 540 wrote to memory of 860	540	cmd.exe	60
PID 540 wrote to memory of 860	540	cmd.exe	60
PID 860 wrote to memory of 884	860	services.exe	61
PID 860 wrote to memory of 884	860	services.exe	61
PID 860 wrote to memory of 884	860	services.exe	61
PID 884 wrote to memory of 1584	884	cmd.exe	63
PID 884 wrote to memory of 1584	884	cmd.exe	63
PID 884 wrote to memory of 1584	884	cmd.exe	63
PID 884 wrote to memory of 1592	884	cmd.exe	64
PID 884 wrote to memory of 1592	884	cmd.exe	64
PID 884 wrote to memory of 1592	884	cmd.exe	64
PID 1592 wrote to memory of 3012	1592	services.exe	65
PID 1592 wrote to memory of 3012	1592	services.exe	65
PID 1592 wrote to memory of 3012	1592	services.exe	65
PID 3012 wrote to memory of 2688	3012	cmd.exe	67
PID 3012 wrote to memory of 2688	3012	cmd.exe	67
PID 3012 wrote to memory of 2688	3012	cmd.exe	67
PID 3012 wrote to memory of 2548	3012	cmd.exe	68
PID 3012 wrote to memory of 2548	3012	cmd.exe	68
PID 3012 wrote to memory of 2548	3012	cmd.exe	68
PID 2548 wrote to memory of 1716	2548	services.exe	69
PID 2548 wrote to memory of 1716	2548	services.exe	69
PID 2548 wrote to memory of 1716	2548	services.exe	69
PID 1716 wrote to memory of 444	1716	cmd.exe	71
PID 1716 wrote to memory of 444	1716	cmd.exe	71
PID 1716 wrote to memory of 444	1716	cmd.exe	71
PID 1716 wrote to memory of 1076	1716	cmd.exe	72
PID 1716 wrote to memory of 1076	1716	cmd.exe	72
PID 1716 wrote to memory of 1076	1716	cmd.exe	72
PID 1076 wrote to memory of 2428	1076	services.exe	73

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_73a922cbf5d07fef664f00d58736e4c9910eae1ed8bb55197d7ffc19110c1553.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_73a922cbf5d07fef664f00d58736e4c9910eae1ed8bb55197d7ffc19110c1553.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2644
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2812
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2384
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2052
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2844
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\VLC\hrtfs\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1732
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\fr-FR\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1304
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1148
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Uninstall Information\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1484
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\p6m1L1WHTL.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:540
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:1952
      - C:\Program Files (x86)\Windows Sidebar\fr-FR\services.exe
        
        "C:\Program Files (x86)\Windows Sidebar\fr-FR\services.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:860
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:884
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:1584
        
        C:\Program Files (x86)\Windows Sidebar\fr-FR\services.exe
        
        "C:\Program Files (x86)\Windows Sidebar\fr-FR\services.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1592
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\q2cXKRfm9B.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:3012
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2688
        
        C:\Program Files (x86)\Windows Sidebar\fr-FR\services.exe
        
        "C:\Program Files (x86)\Windows Sidebar\fr-FR\services.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2548
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\a4RGbRhdNM.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:1716
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:444
        
        C:\Program Files (x86)\Windows Sidebar\fr-FR\services.exe
        
        "C:\Program Files (x86)\Windows Sidebar\fr-FR\services.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1076
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dnlY2uCtHd.bat"
        13⤵
        
        PID:2428
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:992
        
        C:\Program Files (x86)\Windows Sidebar\fr-FR\services.exe
        
        "C:\Program Files (x86)\Windows Sidebar\fr-FR\services.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2480
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\D6YKtyItKL.bat"
        15⤵
        
        PID:2876
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:1280
        
        C:\Program Files (x86)\Windows Sidebar\fr-FR\services.exe
        
        "C:\Program Files (x86)\Windows Sidebar\fr-FR\services.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1688
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ljju5cbnZy.bat"
        17⤵
        
        PID:936
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:1724
        
        C:\Program Files (x86)\Windows Sidebar\fr-FR\services.exe
        
        "C:\Program Files (x86)\Windows Sidebar\fr-FR\services.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1092
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zKs2Tjd9zb.bat"
        19⤵
        
        PID:2264
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:280
        
        C:\Program Files (x86)\Windows Sidebar\fr-FR\services.exe
        
        "C:\Program Files (x86)\Windows Sidebar\fr-FR\services.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1044
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\m1XclINWiF.bat"
        21⤵
        
        PID:2196
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:2356
        
        C:\Program Files (x86)\Windows Sidebar\fr-FR\services.exe
        
        "C:\Program Files (x86)\Windows Sidebar\fr-FR\services.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:344
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2wrSnsL5gc.bat"
        23⤵
        
        PID:2456
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:1996
        
        C:\Program Files (x86)\Windows Sidebar\fr-FR\services.exe
        
        "C:\Program Files (x86)\Windows Sidebar\fr-FR\services.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1132
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vhzsSyDvNE.bat"
        25⤵
        
        PID:1484
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:540
        
        C:\Program Files (x86)\Windows Sidebar\fr-FR\services.exe
        
        "C:\Program Files (x86)\Windows Sidebar\fr-FR\services.exe"
        26⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\Program Files\VideoLAN\VLC\hrtfs\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\hrtfs\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\Program Files\VideoLAN\VLC\hrtfs\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Sidebar\fr-FR\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\fr-FR\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Sidebar\fr-FR\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Portable Devices\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Portable Devices\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Uninstall Information\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Uninstall Information\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
04ec749dc527cdae3d16af1b7999b0ee

SHA1
5364f286344095f769295fe12baacdf21f6c7aac

SHA256
3706d09084c82e4f6556b2c536ec4ffb58837d77a78a2b84e0c92b604a8b8432

SHA512
0b9d50bba4165136c37f304931dd65a3972455edb9b0f688047e012c1d354a64c582146a9ba5a9155fd3bd25f8814ebdaa1d4c103cda6444e5b5f97927c532b7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
141411a3e613044be5d84b61a61f9037

SHA1
9a08fd2a93c37fc0524c6722c58ac6a1e20ab603

SHA256
19df68ea62f5584395d3ed485a6963e3341dfa72d30e14b0dcf61d0c68d019e2

SHA512
6ba46f3d1b945f9e5a6c90e7c6c2bbc5a3b671d39720a7aa5a4ebd7b8b33b3cdb4ad85aac5fe48e80afd7134aca3f900c43e4afeb6a71a66591ab91f77309700

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e2e2f8391342ace8aa0608a882c33968

SHA1
7f999b4adb798b5c4ec6f3c68fe95840385960ff

SHA256
9977e152694de7a9e3859f2f102d2f54d5e711eadcdd6b8f5ba23839eff82298

SHA512
72b44ddae1b3f2dd0f6781b75261d3fc15b469e312c98afdf2c783b4ca878348c4ea646c66a20a37cf3ad762bb024d3cc36e769e34058aeea5f61d422a0fb2e6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bacbf81f3022a424d4231dd45fa837d8

SHA1
4ca2e55f91385831e5afc6c05c4112e680646cea

SHA256
f52d3d584ce578ac1c97d54c0896b804a9e34a3d4e25170ebc112a84d0a65348

SHA512
570fb3e66b9ded2d646f0a04c843f3e46dcc21f5ae130b2d55a3db9eb776451c60472be0c8f679878c54649d4fe77725b152ea275c8fec641fb77d3851a392c2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c65822252ffba8d7a528a05d7b78c0cb

SHA1
6ea532aab1479bc754d27ff49286ee02b5f91aae

SHA256
dfefafd3fd7bf2b2d097334295568b31810ef414ce419c8b1bf3e4f41909aed6

SHA512
2a3dac9c6c03286aa54595de5c62789b5d727177872946e77e47687651e9cdf197bec60ffa278242b74a05aabca2383598ca62da5ede9b39bf77c29eeb191565

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c5e466865d61638f1fef92badc5e5767

SHA1
f6547a3b6e0b83bea4e7ddba47003e6eae1e51eb

SHA256
36c78d3fb4c6bc9e8fb8663e6602c4b282d4e544f866490a50f5b0957aa9e0ec

SHA512
03d612dad580590d54b662de8787c63ea2ba3b124502b74fd94c34d18df40fcd5cf8490ca9402371db87caa3106a405431d1b8f94d27e40895c7b88b4be77199

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d8df06975ec89ba240f230e0eb28e4c9

SHA1
38d9b26d2ed49bdf30e2deabbed766538bf08467

SHA256
7f96a75fda8824fe1fffabaf1dcff62ec5ab67bda8e129535e2a6c350252e1fa

SHA512
734523399579f19f41a79eeff2236c37390b33e61a7e1b035aa17bb3af5d32573f0989548f2c17c5302a3d8decf7d02f8e8bfcc8e623e1726d358ce70a52d7f6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e701c9993730da29ac1cbf5952614f19

SHA1
d54fce4f4a9eb3ae1cd52254239b7f48bea4b0da

SHA256
dacae8aa2d65629b593e89b37aeb38362bef834a09011588ae518b7d534f428e

SHA512
26f051ce4ce19e0bf51c6f69f75dc07931860ed3070d76b7093af714d27eeceb62cf7a210b6f5e9c5583dbef7f1b91ea888d4a4b361690e7e0f3815fcf97cb2f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c499b258e8e5c29a4aebfcd4db9946ec

SHA1
8023b65192173d15fcf2a1fd42e01e7bbac29b60

SHA256
a02dadb3d9f96961bea563817b1540e00ed9c9b7a34254a58a8505ca455f6021

SHA512
e91cff28f4e2ef66f6b320f546fe8024f632c77435ce0aeee26a6c2b7186e7d82c70979f03918e273389b65956d5efae5417ee74361d6666ac790572e7a93a26

Download Submit
C:\Users\Admin\AppData\Local\Temp\2wrSnsL5gc.bat

Filesize
222B

MD5
7282aa6d97435b052d74cb8b332075c9

SHA1
8f823b321c7654193a2986e0bb53f538a964f86d

SHA256
f90fcfaf878f36d4196fea764ba6bc19d9a3e3e897df199b30a385758c41b471

SHA512
cde003e68c6dd97e48f0ad64d8a0769c1a04db5e92cdc28b599c8f422f4ff760ab7f1901faa455654a57a3a829aea6202d1c5e873ead6d02883124c289800b2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab4C7D.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\D6YKtyItKL.bat

Filesize
222B

MD5
73ad5e49897613831b4b3c147fcfa3a6

SHA1
bc1238cfe819d0c26662bbff5ef9f1eb5c35fc7b

SHA256
98bf201e478ba0710e926ac382e273dc4fe7ed8c493d552933284144609ac2cf

SHA512
e429a46727555b10ead6e9ad6007d87f63f88cd6122ca1c903bb9389b63fba50187c1dc41cc08f7b3db2cbad1e72cb4c2eabcc57b670ce0c82a7c8491533ac06

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ljju5cbnZy.bat

Filesize
222B

MD5
0ef1c6df9315f961736b6fe8f62fe062

SHA1
380c86ea2bb8de0f3de226d00aa9c14c1d611994

SHA256
f597c94a1d274475732b19a0d4242ac54e07aee80c1abc8f92e70ae6e1b4067b

SHA512
eb48271d0e0be56e176b51f1bfe5a92b7ac42c990299879b50069996d8d56ea82a977e880e642410bd197905db6c89e8fd5cb25379790062370b316d1c2b65ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar4C8F.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat

Filesize
222B

MD5
c47962e249d5a052998af076b95c8c1d

SHA1
e382d642c2f3eb7693a6c486c2139dcba31a72ef

SHA256
fd69a99becafdda445f7b96ad3c4a0fbd0a33200239881671fb4bd98bd5c3373

SHA512
0d26bc1255d24384d0bb4f7f458b2d97cee6442dec3b4a61e1794e236044b7c56a1d82ffc7d382acdc57325227dfd3be18d0304a26faf01dc586d8f7b5630f95

Download Submit
C:\Users\Admin\AppData\Local\Temp\a4RGbRhdNM.bat

Filesize
222B

MD5
2d11dfebd332590e8061db9255a980b2

SHA1
3811ed2303ef61cb998374bc305c697f33565d93

SHA256
c2ce247d4cf04c3ff020f4a5a1c12719e182c63273dc13200aac4c98b1dbc157

SHA512
5d176f0d856a19862ea3028dcd14d18c1327505082b4dbb45bee8674885dfb838caf1384eba267adbb386b9a972249d255af36b703edbc72efe914a8feebc8b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\dnlY2uCtHd.bat

Filesize
222B

MD5
c87284470a584ede02bfde973df2daef

SHA1
e7b401e785e775547c3cf3ea6771b410e3685504

SHA256
d43b3622d46d3dd53ca1464bd1cfd7fbc3367eb5da6b552e4634a4657348e3f7

SHA512
12bbad3e12f996457fae2d780df28c355a36212efe9c6764743fd8e9807ed8f09cd8ab990a69241d23d782a5d459f5e7e0fe17c4b7a94f65d04ce419bce9bc12

Download Submit
C:\Users\Admin\AppData\Local\Temp\m1XclINWiF.bat

Filesize
222B

MD5
5e33f900bf51e3ddb09d4ec28bd1785c

SHA1
08f73d7cc8ce024cf8bcd1d6da5e4fa408fd9bff

SHA256
15a75d91b0b8984b91faddb2f3f946494b88ccb41377e226573bec126e9c85e1

SHA512
a69f6c605ae8432adbd40cf8374e80b7beebe4d0a04a58eb11390612cf51b1e1713d9ce4a507a135781f467ef1636900418c37af106a32894d577f72d9e9ce6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\p6m1L1WHTL.bat

Filesize
222B

MD5
18fd851b57349d6b76376e06175771d1

SHA1
cda99ddd72ebfc3f6d87cbd135393ef6805d6a78

SHA256
7a67ad196de57c505ca0f8c1b385b64acf97ea256739762b7ca6a8ca9a54d9aa

SHA512
bc2050e9e88800f943f400576670bb9b8aa7b6629f1bb73940a0b8ca7c1e4d5832ad6a78c24b3a726a064894ae9663c2ddf1519c4f86c5d849a2fb100264cf6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\q2cXKRfm9B.bat

Filesize
222B

MD5
a7abf1010b16c0066973317ae7f208fc

SHA1
708922ba6df55938867277d6b43efdb2b2fbcbdd

SHA256
341b355cba1b1e1ab1bbf4bc797148c66c37837eb08505eb98cff8bd821b5e08

SHA512
5c3cde70dc88bff0035ea3c9bb3348436010490fd334ae79756ed638621252c4b9a32d735a9a23125d64d53b7eceae62f8709d9e2fe6fa7834487d210b5f397f

Download Submit
C:\Users\Admin\AppData\Local\Temp\vhzsSyDvNE.bat

Filesize
222B

MD5
be54108ef0f56bc7baa8c8fc4f4e2955

SHA1
ac8d3b74cdd9ac479c7a7340f8eabc380c161fab

SHA256
4dbc30447b59a2dad9458d45e17b69394c83fe6f8783cc288a27c88c36786e33

SHA512
daeea20f3430ba262bdd2c0df491e021aa7fcf48476f87b0c1178862bf6a8198271091810d8ad2cb1325cb9fd9fff9f8791c2e1d5123818e4ec850faf15a7984

Download Submit
C:\Users\Admin\AppData\Local\Temp\zKs2Tjd9zb.bat

Filesize
222B

MD5
7676066d057dce2c6dfcd52cb5ad6382

SHA1
45809986a13e0d2d5d0170fa29e52566c2a26524

SHA256
0dc73b4c9892f0c0a93a138f34af33c61417612763435d2f9850ce117d753bd7

SHA512
7f4e17d340d05695e151bb43f412123d8f9561ae272129dc904877a3aa40bdf8c12604bbf397cfe99da99ecdfd75ed745145f3a304ca07040e64cfe60fb1aaf7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
cfe84c3ad79f9a88b860987fe7f6f86e

SHA1
453f9588f30b4fbb87afcbc52b9f2912ced4796d

SHA256
7c938d444f8569d070fcf0dd3f46bff2d66c66ef85872fa5bf92dc8f049ea5da

SHA512
a571d8d5434fe38ccc9fabb7f2fd3f8328ecdf79db5eafc371f19ad362b7dc3e95ecd978a2c9120bc4f109f5cee0b78c0c6cf4c5eb613006916ed0fcdc10442b

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/760-652-0x0000000001080000-0x0000000001190000-memory.dmp

Filesize
1.1MB

Download
memory/860-58-0x00000000003C0000-0x00000000003D2000-memory.dmp

Filesize
72KB

Download
memory/860-57-0x00000000003D0000-0x00000000004E0000-memory.dmp

Filesize
1.1MB

Download
memory/1092-414-0x0000000001240000-0x0000000001350000-memory.dmp

Filesize
1.1MB

Download
memory/1132-592-0x00000000001F0000-0x0000000000300000-memory.dmp

Filesize
1.1MB

Download
memory/1484-53-0x000000001B760000-0x000000001BA42000-memory.dmp

Filesize
2.9MB

Download
memory/1484-54-0x0000000002000000-0x0000000002008000-memory.dmp

Filesize
32KB

Download
memory/1592-117-0x00000000008C0000-0x00000000009D0000-memory.dmp

Filesize
1.1MB

Download
memory/2052-17-0x00000000005F0000-0x00000000005FC000-memory.dmp

Filesize
48KB

Download
memory/2052-16-0x00000000001E0000-0x00000000001EC000-memory.dmp

Filesize
48KB

Download
memory/2052-15-0x00000000005E0000-0x00000000005EC000-memory.dmp

Filesize
48KB

Download
memory/2052-14-0x00000000001D0000-0x00000000001E2000-memory.dmp

Filesize
72KB

Download
memory/2052-13-0x0000000000970000-0x0000000000A80000-memory.dmp

Filesize
1.1MB

Download
memory/2548-177-0x0000000000C80000-0x0000000000D90000-memory.dmp

Filesize
1.1MB

Download