Analysis
max time kernel: 149s
max time network: 144s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
submitted: 30/12/2024, 18:51
Behavioral task: behavioral1
Sample: JaffaCakes118_9c6cbaa7ed17a66eb61a77fb32f03401ec875d915b97ba918c27b450d91c7151.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: JaffaCakes118_9c6cbaa7ed17a66eb61a77fb32f03401ec875d915b97ba918c27b450d91c7151.exe
Resource: win10v2004-20241007-en
General
Target: JaffaCakes118_9c6cbaa7ed17a66eb61a77fb32f03401ec875d915b97ba918c27b450d91c7151.exe
Size: 1.3MB
MD5: 9386df2b0f289298e968f2b7497ec9dc
SHA1: 54df6c886cdccd6b6c29f98cd1a6d0c632dbe3b5
SHA256: 9c6cbaa7ed17a66eb61a77fb32f03401ec875d915b97ba918c27b450d91c7151
SHA512: f34942ca102b184811d128fa3042db4a98ece3f9ad79b4315d634147a8b2026f435d8fdec9db5c59de03a059d8829a0b9d4043ea4c8bed3e843c8c37154a500b
SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
DcRat
DarkCrystal (DC) is a new .NET RAT active since June 2019, capable of loading additional plugins.
Dcrat family
Process spawned unexpected child process 6 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2620 | 2716 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1716 | 2716 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2828 | 2716 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2616 | 2716 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 764 | 2716 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2052 | 2716 | schtasks.exe | 35
resource | yara_rule
behavioral1/files/0x0008000000016031-12.dat | dcrat
behavioral1/memory/2784-13-0x0000000000CD0000-0x0000000000DE0000-memory.dmp | dcrat
behavioral1/memory/2908-45-0x0000000000EE0000-0x0000000000FF0000-memory.dmp | dcrat
behavioral1/memory/2336-163-0x0000000000F70000-0x0000000001080000-memory.dmp | dcrat
behavioral1/memory/2840-223-0x0000000000010000-0x0000000000120000-memory.dmp | dcrat
behavioral1/memory/928-283-0x0000000000BF0000-0x0000000000D00000-memory.dmp | dcrat
behavioral1/memory/1040-343-0x0000000000F80000-0x0000000001090000-memory.dmp | dcrat
behavioral1/memory/1800-580-0x0000000000060000-0x0000000000170000-memory.dmp | dcrat
behavioral1/memory/592-640-0x00000000001A0000-0x00000000002B0000-memory.dmp | dcrat
Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid | Process
2176 | powershell.exe
2640 | powershell.exe
2308 | powershell.exe
Executes dropped EXE 13 IoCs
pid | Process
2784 | DllCommonsvc.exe
2908 | services.exe
1764 | services.exe
2336 | services.exe
2840 | services.exe
928 | services.exe
1040 | services.exe
1640 | services.exe
2176 | services.exe
2420 | services.exe
1800 | services.exe
592 | services.exe
1476 | services.exe
Loads dropped DLL 2 IoCs
pid | Process
1032 | cmd.exe
1032 | cmd.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs
flow | ioc
4 | raw.githubusercontent.com
16 | raw.githubusercontent.com
23 | raw.githubusercontent.com
33 | raw.githubusercontent.com
40 | raw.githubusercontent.com
5 | raw.githubusercontent.com
9 | raw.githubusercontent.com
12 | raw.githubusercontent.com
19 | raw.githubusercontent.com
26 | raw.githubusercontent.com
30 | raw.githubusercontent.com
37 | raw.githubusercontent.com
Drops file in Program Files directory 5 IoCs
description | ioc | Process
File created | C:\Program Files\Windows Sidebar\ja-JP\c5b4cb5e9653cc | DllCommonsvc.exe
File created | C:\Program Files\Windows Media Player\Visualizations\winlogon.exe | DllCommonsvc.exe
File opened for modification | C:\Program Files\Windows Media Player\Visualizations\winlogon.exe | DllCommonsvc.exe
File created | C:\Program Files\Windows Media Player\Visualizations\cc11b995f2a76d | DllCommonsvc.exe
File created | C:\Program Files\Windows Sidebar\ja-JP\services.exe | DllCommonsvc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_9c6cbaa7ed17a66eb61a77fb32f03401ec875d915b97ba918c27b450d91c7151.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
2620 | schtasks.exe
1716 | schtasks.exe
2828 | schtasks.exe
2616 | schtasks.exe
764 | schtasks.exe
2052 | schtasks.exe
Suspicious behavior: EnumeratesProcesses 16 IoCs
pid | Process
2784 | DllCommonsvc.exe
2640 | powershell.exe
2308 | powershell.exe
2176 | powershell.exe
2908 | services.exe
1764 | services.exe
2336 | services.exe
2840 | services.exe
928 | services.exe
1040 | services.exe
1640 | services.exe
2176 | services.exe
2420 | services.exe
1800 | services.exe
592 | services.exe
1476 | services.exe
Suspicious use of AdjustPrivilegeToken 16 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2784 | DllCommonsvc.exe
Token: SeDebugPrivilege | 2640 | powershell.exe
Token: SeDebugPrivilege | 2308 | powershell.exe
Token: SeDebugPrivilege | 2176 | powershell.exe
Token: SeDebugPrivilege | 2908 | services.exe
Token: SeDebugPrivilege | 1764 | services.exe
Token: SeDebugPrivilege | 2336 | services.exe
Token: SeDebugPrivilege | 2840 | services.exe
Token: SeDebugPrivilege | 928 | services.exe
Token: SeDebugPrivilege | 1040 | services.exe
Token: SeDebugPrivilege | 1640 | services.exe
Token: SeDebugPrivilege | 2176 | services.exe
Token: SeDebugPrivilege | 2420 | services.exe
Token: SeDebugPrivilege | 1800 | services.exe
Token: SeDebugPrivilege | 592 | services.exe
Token: SeDebugPrivilege | 1476 | services.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 2124 wrote to memory of 2504 | 2124 | JaffaCakes118_9c6cbaa7ed17a66eb61a77fb32f03401ec875d915b97ba918c27b450d91c7151.exe | 30
PID 2124 wrote to memory of 2504 | 2124 | JaffaCakes118_9c6cbaa7ed17a66eb61a77fb32f03401ec875d915b97ba918c27b450d91c7151.exe | 30
PID 2124 wrote to memory of 2504 | 2124 | JaffaCakes118_9c6cbaa7ed17a66eb61a77fb32f03401ec875d915b97ba918c27b450d91c7151.exe | 30
PID 2124 wrote to memory of 2504 | 2124 | JaffaCakes118_9c6cbaa7ed17a66eb61a77fb32f03401ec875d915b97ba918c27b450d91c7151.exe | 30
PID 2504 wrote to memory of 1032 | 2504 | WScript.exe | 31
PID 2504 wrote to memory of 1032 | 2504 | WScript.exe | 31
PID 2504 wrote to memory of 1032 | 2504 | WScript.exe | 31
PID 2504 wrote to memory of 1032 | 2504 | WScript.exe | 31
PID 1032 wrote to memory of 2784 | 1032 | cmd.exe | 33
PID 1032 wrote to memory of 2784 | 1032 | cmd.exe | 33
PID 1032 wrote to memory of 2784 | 1032 | cmd.exe | 33
PID 1032 wrote to memory of 2784 | 1032 | cmd.exe | 33
PID 2784 wrote to memory of 2176 | 2784 | DllCommonsvc.exe | 42
PID 2784 wrote to memory of 2176 | 2784 | DllCommonsvc.exe | 42
PID 2784 wrote to memory of 2176 | 2784 | DllCommonsvc.exe | 42
PID 2784 wrote to memory of 2640 | 2784 | DllCommonsvc.exe | 43
PID 2784 wrote to memory of 2640 | 2784 | DllCommonsvc.exe | 43
PID 2784 wrote to memory of 2640 | 2784 | DllCommonsvc.exe | 43
PID 2784 wrote to memory of 2308 | 2784 | DllCommonsvc.exe | 44
PID 2784 wrote to memory of 2308 | 2784 | DllCommonsvc.exe | 44
PID 2784 wrote to memory of 2308 | 2784 | DllCommonsvc.exe | 44
PID 2784 wrote to memory of 2388 | 2784 | DllCommonsvc.exe | 48
PID 2784 wrote to memory of 2388 | 2784 | DllCommonsvc.exe | 48
PID 2784 wrote to memory of 2388 | 2784 | DllCommonsvc.exe | 48
PID 2388 wrote to memory of 1888 | 2388 | cmd.exe | 50
PID 2388 wrote to memory of 1888 | 2388 | cmd.exe | 50
PID 2388 wrote to memory of 1888 | 2388 | cmd.exe | 50
PID 2388 wrote to memory of 2908 | 2388 | cmd.exe | 51
PID 2388 wrote to memory of 2908 | 2388 | cmd.exe | 51
PID 2388 wrote to memory of 2908 | 2388 | cmd.exe | 51
PID 2908 wrote to memory of 2636 | 2908 | services.exe | 52
PID 2908 wrote to memory of 2636 | 2908 | services.exe | 52
PID 2908 wrote to memory of 2636 | 2908 | services.exe | 52
PID 2636 wrote to memory of 1724 | 2636 | cmd.exe | 54
PID 2636 wrote to memory of 1724 | 2636 | cmd.exe | 54
PID 2636 wrote to memory of 1724 | 2636 | cmd.exe | 54
PID 2636 wrote to memory of 1764 | 2636 | cmd.exe | 55
PID 2636 wrote to memory of 1764 | 2636 | cmd.exe | 55
PID 2636 wrote to memory of 1764 | 2636 | cmd.exe | 55
PID 1764 wrote to memory of 2124 | 1764 | services.exe | 56
PID 1764 wrote to memory of 2124 | 1764 | services.exe | 56
PID 1764 wrote to memory of 2124 | 1764 | services.exe | 56
PID 2124 wrote to memory of 2528 | 2124 | cmd.exe | 58
PID 2124 wrote to memory of 2528 | 2124 | cmd.exe | 58
PID 2124 wrote to memory of 2528 | 2124 | cmd.exe | 58
PID 2124 wrote to memory of 2336 | 2124 | cmd.exe | 59
PID 2124 wrote to memory of 2336 | 2124 | cmd.exe | 59
PID 2124 wrote to memory of 2336 | 2124 | cmd.exe | 59
PID 2336 wrote to memory of 2392 | 2336 | services.exe | 60
PID 2336 wrote to memory of 2392 | 2336 | services.exe | 60
PID 2336 wrote to memory of 2392 | 2336 | services.exe | 60
PID 2392 wrote to memory of 2216 | 2392 | cmd.exe | 62
PID 2392 wrote to memory of 2216 | 2392 | cmd.exe | 62
PID 2392 wrote to memory of 2216 | 2392 | cmd.exe | 62
PID 2392 wrote to memory of 2840 | 2392 | cmd.exe | 63
PID 2392 wrote to memory of 2840 | 2392 | cmd.exe | 63
PID 2392 wrote to memory of 2840 | 2392 | cmd.exe | 63
PID 2840 wrote to memory of 2580 | 2840 | services.exe | 64
PID 2840 wrote to memory of 2580 | 2840 | services.exe | 64
PID 2840 wrote to memory of 2580 | 2840 | services.exe | 64
PID 2580 wrote to memory of 752 | 2580 | cmd.exe | 66
PID 2580 wrote to memory of 752 | 2580 | cmd.exe | 66
PID 2580 wrote to memory of 752 | 2580 | cmd.exe | 66
PID 2580 wrote to memory of 928 | 2580 | cmd.exe | 67
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9c6cbaa7ed17a66eb61a77fb32f03401ec875d915b97ba918c27b450d91c7151.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9c6cbaa7ed17a66eb61a77fb32f03401ec875d915b97ba918c27b450d91c7151.exe"
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 2124

Level 2: C:\Windows\SysWOW64\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 2504

Level 3: C:\Windows\SysWOW64\cmd.exe
Command line: cmd /c ""C:\providercommon\1zu9dW.bat" "
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 1032

Level 4: C:\providercommon\DllCommonsvc.exe
Command line: "C:\providercommon\DllCommonsvc.exe"
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 2784

Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2176

Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Media Player\Visualizations\winlogon.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2640

Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\ja-JP\services.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2308

Level 5: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rX48AtNwwF.bat"
- Suspicious use of WriteProcessMemory
PID: 2388

Level 6: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 1888

Level 6: C:\Program Files\Windows Sidebar\ja-JP\services.exe
Command line: "C:\Program Files\Windows Sidebar\ja-JP\services.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 2908

Level 7: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OyPKZ08zKl.bat"
- Suspicious use of WriteProcessMemory
PID: 2636

Level 8: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 1724

Level 8: C:\Program Files\Windows Sidebar\ja-JP\services.exe
Command line: "C:\Program Files\Windows Sidebar\ja-JP\services.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 1764

Level 9: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cxnNEsMM51.bat"
- Suspicious use of WriteProcessMemory
PID: 2124

Level 10: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 2528

Level 10: C:\Program Files\Windows Sidebar\ja-JP\services.exe
Command line: "C:\Program Files\Windows Sidebar\ja-JP\services.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 2336

Level 11: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5eI0Zh92hY.bat"
- Suspicious use of WriteProcessMemory
PID: 2392

Level 12: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 2216

Level 12: C:\Program Files\Windows Sidebar\ja-JP\services.exe
Command line: "C:\Program Files\Windows Sidebar\ja-JP\services.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 2840

Level 13: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tiHtiEmsSK.bat"
- Suspicious use of WriteProcessMemory
PID: 2580

Level 14: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 752

Level 14: C:\Program Files\Windows Sidebar\ja-JP\services.exe
Command line: "C:\Program Files\Windows Sidebar\ja-JP\services.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 928

Level 15: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qwBPskakqG.bat"
PID: 1308

Level 16: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 2680

Level 16: C:\Program Files\Windows Sidebar\ja-JP\services.exe
Command line: "C:\Program Files\Windows Sidebar\ja-JP\services.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1040

Level 17: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\da4noHdFs8.bat"
PID: 3068

Level 18: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 268

Level 18: C:\Program Files\Windows Sidebar\ja-JP\services.exe
Command line: "C:\Program Files\Windows Sidebar\ja-JP\services.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1640

Level 19: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hbGxgnDDQj.bat"
PID: 3004

Level 20: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 2024

Level 20: C:\Program Files\Windows Sidebar\ja-JP\services.exe
Command line: "C:\Program Files\Windows Sidebar\ja-JP\services.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2176

Level 21: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VeFqpJq3BV.bat"
PID: 1492

Level 22: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 3024

Level 22: C:\Program Files\Windows Sidebar\ja-JP\services.exe
Command line: "C:\Program Files\Windows Sidebar\ja-JP\services.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2420

Level 23: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\X5jGqiFaSS.bat"
PID: 2644

Level 24: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 2748

Level 24: C:\Program Files\Windows Sidebar\ja-JP\services.exe
Command line: "C:\Program Files\Windows Sidebar\ja-JP\services.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1800

Level 25: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iPSx7mMsuZ.bat"
PID: 2864

Level 26: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 2140

Level 26: C:\Program Files\Windows Sidebar\ja-JP\services.exe
Command line: "C:\Program Files\Windows Sidebar\ja-JP\services.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 592

Level 27: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SNnEytbzjv.bat"
PID: 1556

Level 28: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 1540

Level 28: C:\Program Files\Windows Sidebar\ja-JP\services.exe
Command line: "C:\Program Files\Windows Sidebar\ja-JP\services.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1476

Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Media Player\Visualizations\winlogon.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2620

Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\Visualizations\winlogon.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 1716

Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Media Player\Visualizations\winlogon.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2828

Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Sidebar\ja-JP\services.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2616

Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\ja-JP\services.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 764

Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Sidebar\ja-JP\services.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2052
Network
MITRE ATT&CK Enterprise v15
Downloads