Analysis
max time kernel: 145s
max time network: 147s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 21-12-2024 22:09
Behavioral task: behavioral1
Sample: JaffaCakes118_a7eb53dd0d3da29325f07c178efd47722e06ce15a2acc4ffdad69399011a9a09.exe
Resource: win7-20241010-en
Behavioral task: behavioral2
Sample: JaffaCakes118_a7eb53dd0d3da29325f07c178efd47722e06ce15a2acc4ffdad69399011a9a09.exe
Resource: win10v2004-20241007-en
General
Target: JaffaCakes118_a7eb53dd0d3da29325f07c178efd47722e06ce15a2acc4ffdad69399011a9a09.exe
Size: 1.3MB
MD5: 0073a68dc63ef47b7b0ce81792ba8a23
SHA1: 413f89040eb3839773942476765fbe8f21180c2d
SHA256: a7eb53dd0d3da29325f07c178efd47722e06ce15a2acc4ffdad69399011a9a09
SHA512: b33a3c2550a41aab150697528619766f271db969469145738c62cdce937d62c58f4d8121673e0b9e4402574dd1c8f98ca919791d8f84773fc43f94923dd537b2
SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.
Dcrat family
Process spawned unexpected child process (21 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
Parent C:\Windows\system32\wbem\wmiprvse.exe (PID 2900) is not expected to spawn this process: schtasks.exe (procid_target 34), spawned 21 times with PIDs 2932, 2200, 2044, 2668, 2688, 2788, 2172, 1624, 672, 1468, 2492, 2532, 3020, 3012, 2556, 2888, 2276, 1584, 1900, 1220, 2360.
YARA rule matches (rule: dcrat):
  behavioral1/files/0x0008000000016cc9-12.dat
  behavioral1/memory/2776-13-0x0000000000BA0000-0x0000000000CB0000-memory.dmp
  behavioral1/memory/1288-80-0x0000000000050000-0x0000000000160000-memory.dmp
  behavioral1/memory/2172-139-0x0000000000240000-0x0000000000350000-memory.dmp
  behavioral1/memory/1512-199-0x0000000000EA0000-0x0000000000FB0000-memory.dmp
  behavioral1/memory/2364-260-0x0000000001300000-0x0000000001410000-memory.dmp
  behavioral1/memory/2936-557-0x00000000003F0000-0x0000000000500000-memory.dmp
  behavioral1/memory/1628-617-0x0000000000B30000-0x0000000000C40000-memory.dmp
Command and Scripting Interpreter: PowerShell (1 TTPs, 8 IoCs)
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
powershell.exe PIDs: 704, 320, 484, 1844, 2708, 3016, 2356, 2364
Executes dropped EXE (11 IoCs)
2776 DllCommonsvc.exe; winlogon.exe PIDs: 1288, 2172, 1512, 2364, 2468, 1900, 1328, 1080, 2936, 1628
Loads dropped DLL (2 IoCs)
2572 cmd.exe (2 entries)
Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 11 IoCs)
raw.githubusercontent.com, flows 5, 12, 16, 23, 30, 4, 19, 26, 33, 37, 9
Drops file in Program Files directory (4 IoCs)
Files created by DllCommonsvc.exe:
  C:\Program Files\Microsoft Office\Office14\1033\winlogon.exe
  C:\Program Files\Microsoft Office\Office14\1033\cc11b995f2a76d
  C:\Program Files\Windows Media Player\wininit.exe
  C:\Program Files\Windows Media Player\56085415360792
Drops file in Windows directory (2 IoCs)
Files created by DllCommonsvc.exe:
  C:\Windows\IME\wininit.exe
  C:\Windows\IME\56085415360792
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by: JaffaCakes118_a7eb53dd0d3da29325f07c178efd47722e06ce15a2acc4ffdad69399011a9a09.exe, WScript.exe, cmd.exe
Scheduled Task/Job: Scheduled Task (1 TTPs, 21 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
schtasks.exe PIDs: 2688, 1468, 2200, 2788, 1624, 2492, 2556, 2932, 2172, 672, 2532, 3020, 2888, 2276, 1584, 1220, 2360, 2044, 2668, 3012, 1900
Suspicious behavior: EnumeratesProcesses (19 IoCs)
2776 DllCommonsvc.exe; powershell.exe PIDs: 2364, 1844, 484, 3016, 320, 2356, 704, 2708; winlogon.exe PIDs: 1288, 2172, 1512, 2364, 2468, 1900, 1328, 1080, 2936, 1628
Suspicious use of AdjustPrivilegeToken (19 IoCs)
Token SeDebugPrivilege enabled by: 2776 DllCommonsvc.exe; powershell.exe PIDs 2364, 1844, 484, 3016, 320, 2356, 704, 2708; winlogon.exe PIDs 1288, 2172, 1512, 2364, 2468, 1900, 1328, 1080, 2936, 1628
Suspicious use of WriteProcessMemory (64 IoCs)
source PID -> target PID (source process, procid_target), with the number of times the entry appears:
  2460 -> 2164 (JaffaCakes118_a7eb53dd0d3da29325f07c178efd47722e06ce15a2acc4ffdad69399011a9a09.exe, 30) x4
  2164 -> 2572 (WScript.exe, 31) x4
  2572 -> 2776 (cmd.exe, 33) x4
  2776 -> 2356 (DllCommonsvc.exe, 56) x3
  2776 -> 3016 (DllCommonsvc.exe, 57) x3
  2776 -> 2708 (DllCommonsvc.exe, 58) x3
  2776 -> 2364 (DllCommonsvc.exe, 59) x3
  2776 -> 704 (DllCommonsvc.exe, 61) x3
  2776 -> 484 (DllCommonsvc.exe, 62) x3
  2776 -> 320 (DllCommonsvc.exe, 63) x3
  2776 -> 1844 (DllCommonsvc.exe, 65) x3
  2776 -> 1304 (DllCommonsvc.exe, 71) x3
  1304 -> 280 (cmd.exe, 74) x3
  1304 -> 1288 (cmd.exe, 75) x3
  1288 -> 2872 (winlogon.exe, 77) x3
  2872 -> 1256 (cmd.exe, 79) x3
  2872 -> 2172 (cmd.exe, 80) x3
  2172 -> 1092 (winlogon.exe, 81) x3
  1092 -> 1604 (cmd.exe, 83) x3
  1092 -> 1512 (cmd.exe, 84) x3
  1512 -> 828 (winlogon.exe, 85) x1
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Process tree (indented by depth; "cmdline" is the command line as recorded by the sandbox):
[level 1] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a7eb53dd0d3da29325f07c178efd47722e06ce15a2acc4ffdad69399011a9a09.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a7eb53dd0d3da29325f07c178efd47722e06ce15a2acc4ffdad69399011a9a09.exe"
  PID: 2460
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  [level 2] C:\Windows\SysWOW64\WScript.exe
    cmdline: "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
    PID: 2164
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    [level 3] C:\Windows\SysWOW64\cmd.exe
      cmdline: cmd /c ""C:\providercommon\1zu9dW.bat" "
      PID: 2572
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      [level 4] C:\providercommon\DllCommonsvc.exe
        cmdline: "C:\providercommon\DllCommonsvc.exe"
        PID: 2776
        - Executes dropped EXE
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        [level 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
          PID: 2356
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
        [level 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Package Cache\{CB0836EC-B072-368D-82B2-D3470BF95707}v12.0.40660\packages\vcRuntimeMinimum_amd64\sppsvc.exe'
          PID: 3016
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
        [level 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\Idle.exe'
          PID: 2708
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
        [level 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\Office14\1033\winlogon.exe'
          PID: 2364
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
        [level 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\IME\wininit.exe'
          PID: 704
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
        [level 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\spoolsv.exe'
          PID: 484
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
        [level 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Cookies\OSPPSVC.exe'
          PID: 320
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
        [level 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Media Player\wininit.exe'
          PID: 1844
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
        [level 5] C:\Windows\System32\cmd.exe
          cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3fDEC1nc6B.bat"
          PID: 1304
          - Suspicious use of WriteProcessMemory
          [level 6] C:\Windows\system32\w32tm.exe
            cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
            PID: 280
          [level 6] C:\Program Files\Microsoft Office\Office14\1033\winlogon.exe
            cmdline: "C:\Program Files\Microsoft Office\Office14\1033\winlogon.exe"
            PID: 1288
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            [level 7] C:\Windows\System32\cmd.exe
              cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eR3ydISl4k.bat"
              PID: 2872
              - Suspicious use of WriteProcessMemory
              [level 8] C:\Windows\system32\w32tm.exe
                cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                PID: 1256
              [level 8] C:\Program Files\Microsoft Office\Office14\1033\winlogon.exe
                cmdline: "C:\Program Files\Microsoft Office\Office14\1033\winlogon.exe"
                PID: 2172
                - Executes dropped EXE
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of WriteProcessMemory
                [level 9] C:\Windows\System32\cmd.exe
                  cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat"
                  PID: 1092
                  - Suspicious use of WriteProcessMemory
                  [level 10] C:\Windows\system32\w32tm.exe
                    cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                    PID: 1604
                  [level 10] C:\Program Files\Microsoft Office\Office14\1033\winlogon.exe
                    cmdline: "C:\Program Files\Microsoft Office\Office14\1033\winlogon.exe"
                    PID: 1512
                    - Executes dropped EXE
                    - Suspicious behavior: EnumeratesProcesses
                    - Suspicious use of AdjustPrivilegeToken
                    - Suspicious use of WriteProcessMemory
                    [level 11] C:\Windows\System32\cmd.exe
                      cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\y17QM3q8Rw.bat"
                      PID: 828
                      [level 12] C:\Windows\system32\w32tm.exe
                        cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                        PID: 1564
                      [level 12] C:\Program Files\Microsoft Office\Office14\1033\winlogon.exe
                        cmdline: "C:\Program Files\Microsoft Office\Office14\1033\winlogon.exe"
                        PID: 2364
                        - Executes dropped EXE
                        - Suspicious behavior: EnumeratesProcesses
                        - Suspicious use of AdjustPrivilegeToken
                        [level 13] C:\Windows\System32\cmd.exe
                          cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Zcl4dB2r8y.bat"
                          PID: 2700
                          [level 14] C:\Windows\system32\w32tm.exe
                            cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                            PID: 2044
                          [level 14] C:\Program Files\Microsoft Office\Office14\1033\winlogon.exe
                            cmdline: "C:\Program Files\Microsoft Office\Office14\1033\winlogon.exe"
                            PID: 2468
                            - Executes dropped EXE
                            - Suspicious behavior: EnumeratesProcesses
                            - Suspicious use of AdjustPrivilegeToken
                            [level 15] C:\Windows\System32\cmd.exe
                              cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\t6OOvELCCF.bat"
                              PID: 2288
                              [level 16] C:\Windows\system32\w32tm.exe
                                cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                PID: 836
                              [level 16] C:\Program Files\Microsoft Office\Office14\1033\winlogon.exe
                                cmdline: "C:\Program Files\Microsoft Office\Office14\1033\winlogon.exe"
                                PID: 1900
                                - Executes dropped EXE
                                - Suspicious behavior: EnumeratesProcesses
                                - Suspicious use of AdjustPrivilegeToken
                                [level 17] C:\Windows\System32\cmd.exe
                                  cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\auWhjrprfd.bat"
                                  PID: 1844
                                  [level 18] C:\Windows\system32\w32tm.exe
                                    cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                    PID: 2256
                                  [level 18] C:\Program Files\Microsoft Office\Office14\1033\winlogon.exe
                                    cmdline: "C:\Program Files\Microsoft Office\Office14\1033\winlogon.exe"
                                    PID: 1328
                                    - Executes dropped EXE
                                    - Suspicious behavior: EnumeratesProcesses
                                    - Suspicious use of AdjustPrivilegeToken
                                    [level 19] C:\Windows\System32\cmd.exe
                                      cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\etpQuxQFPn.bat"
                                      PID: 2916
                                      [level 20] C:\Windows\system32\w32tm.exe
                                        cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                        PID: 2908
                                      [level 20] C:\Program Files\Microsoft Office\Office14\1033\winlogon.exe
                                        cmdline: "C:\Program Files\Microsoft Office\Office14\1033\winlogon.exe"
                                        PID: 1080
                                        - Executes dropped EXE
                                        - Suspicious behavior: EnumeratesProcesses
                                        - Suspicious use of AdjustPrivilegeToken
                                        [level 21] C:\Windows\System32\cmd.exe
                                          cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YUw1O57cI2.bat"
                                          PID: 1780
                                          [level 22] C:\Windows\system32\w32tm.exe
                                            cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                            PID: 2128
                                          [level 22] C:\Program Files\Microsoft Office\Office14\1033\winlogon.exe
                                            cmdline: "C:\Program Files\Microsoft Office\Office14\1033\winlogon.exe"
                                            PID: 2936
                                            - Executes dropped EXE
                                            - Suspicious behavior: EnumeratesProcesses
                                            - Suspicious use of AdjustPrivilegeToken
                                            [level 23] C:\Windows\System32\cmd.exe
                                              cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4Tm0GxqeGU.bat"
                                              PID: 2920
                                              [level 24] C:\Windows\system32\w32tm.exe
                                                cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                PID: 1576
                                              [level 24] C:\Program Files\Microsoft Office\Office14\1033\winlogon.exe
                                                cmdline: "C:\Program Files\Microsoft Office\Office14\1033\winlogon.exe"
                                                PID: 1628
                                                - Executes dropped EXE
                                                - Suspicious behavior: EnumeratesProcesses
                                                - Suspicious use of AdjustPrivilegeToken
                                                [level 25] C:\Windows\System32\cmd.exe
                                                  cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VF9LbKHiRa.bat"
                                                  PID: 2964
                                                  [level 26] C:\Windows\system32\w32tm.exe
                                                    cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                    PID: 2992
Separate process roots (spawned by C:\Windows\system32\wbem\wmiprvse.exe, PID 2900, per the signature above):
[level 1] C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Package Cache\{CB0836EC-B072-368D-82B2-D3470BF95707}v12.0.40660\packages\vcRuntimeMinimum_amd64\sppsvc.exe'" /f
  PID: 2932
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
[level 1] C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\All Users\Package Cache\{CB0836EC-B072-368D-82B2-D3470BF95707}v12.0.40660\packages\vcRuntimeMinimum_amd64\sppsvc.exe'" /rl HIGHEST /f
  PID: 2200
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
[level 1] C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Package Cache\{CB0836EC-B072-368D-82B2-D3470BF95707}v12.0.40660\packages\vcRuntimeMinimum_amd64\sppsvc.exe'" /rl HIGHEST /f
  PID: 2044
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
[level 1] C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\providercommon\Idle.exe'" /f
  PID: 2668
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
[level 1] C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f
  PID: 2688
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
[level 1] C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f
  PID: 2788
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
[level 1] C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft Office\Office14\1033\winlogon.exe'" /f
  PID: 2172
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
[level 1] C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\1033\winlogon.exe'" /rl HIGHEST /f
  PID: 1624
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
[level 1] C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Office\Office14\1033\winlogon.exe'" /rl HIGHEST /f
  PID: 672
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
[level 1] C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Windows\IME\wininit.exe'" /f
  PID: 1468
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
[level 1] C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\IME\wininit.exe'" /rl HIGHEST /f
  PID: 2492
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
[level 1] C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Windows\IME\wininit.exe'" /rl HIGHEST /f
  PID: 2532
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
[level 1] C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\spoolsv.exe'" /f
  PID: 3020
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
[level 1] C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
  PID: 3012
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
[level 1] C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
  PID: 2556
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
[level 1] C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Cookies\OSPPSVC.exe'" /f
  PID: 2888
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
[level 1] C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\Default\Cookies\OSPPSVC.exe'" /rl HIGHEST /f
  PID: 2276
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
[level 1] C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Cookies\OSPPSVC.exe'" /rl HIGHEST /f
  PID: 1584
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
[level 1] C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Media Player\wininit.exe'" /f
  PID: 1900
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
[level 1] C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\wininit.exe'" /rl HIGHEST /f
  PID: 1220
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
[level 1] C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Media Player\wininit.exe'" /rl HIGHEST /f
  PID: 2360
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Downloads