Analysis
- max time kernel: 147s
- max time network: 149s
- platform: windows7_x64
- resource: win7-20240729-en
- resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
- submitted: 21-12-2024 22:10
Behavioral task: behavioral1
- Sample: JaffaCakes118_2f5d8b60f57f1700923ea656288371c44a9308d919fe4f9dc0e744137c7def26.exe
- Resource: win7-20240729-en

Behavioral task: behavioral2
- Sample: JaffaCakes118_2f5d8b60f57f1700923ea656288371c44a9308d919fe4f9dc0e744137c7def26.exe
- Resource: win10v2004-20241007-en
General
- Target: JaffaCakes118_2f5d8b60f57f1700923ea656288371c44a9308d919fe4f9dc0e744137c7def26.exe
- Size: 1.3MB
- MD5: 9c5d6205bcf77f2e6e9d3646b81c30c0
- SHA1: 95f5f5502c886279b02b7ab9f649de270762ce4c
- SHA256: 2f5d8b60f57f1700923ea656288371c44a9308d919fe4f9dc0e744137c7def26
- SHA512: 38bdbb41021650480e7931418a268cf2b6950f873563751cdf8b0b1a92505a707e73a719f6fe7061690d7f077590d5176c94a5a20cec6a28f9a6ab68fd6cc2ca
- SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
- DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

- Dcrat family

| resource | yara_rule |
|---|---|
| behavioral1/files/0x0007000000019605-9.dat | dcrat |
| behavioral1/memory/2964-13-0x00000000002D0000-0x00000000003E0000-memory.dmp | dcrat |
| behavioral1/memory/1548-61-0x0000000000920000-0x0000000000A30000-memory.dmp | dcrat |
| behavioral1/memory/3052-120-0x00000000009F0000-0x0000000000B00000-memory.dmp | dcrat |
| behavioral1/memory/2056-180-0x0000000000BB0000-0x0000000000CC0000-memory.dmp | dcrat |
| behavioral1/memory/2608-240-0x0000000000CE0000-0x0000000000DF0000-memory.dmp | dcrat |
| behavioral1/memory/2972-361-0x0000000001100000-0x0000000001210000-memory.dmp | dcrat |
| behavioral1/memory/2140-422-0x00000000012B0000-0x00000000013C0000-memory.dmp | dcrat |

- Process spawned unexpected child process 15 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

| description | pid | pid_target | Process | procid_target |
|---|---|---|---|---|
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2788 | 2740 | schtasks.exe | 34 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2708 | 2740 | schtasks.exe | 34 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2652 | 2740 | schtasks.exe | 34 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2728 | 2740 | schtasks.exe | 34 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2400 | 2740 | schtasks.exe | 34 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2240 | 2740 | schtasks.exe | 34 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2024 | 2740 | schtasks.exe | 34 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2388 | 2740 | schtasks.exe | 34 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 900 | 2740 | schtasks.exe | 34 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2320 | 2740 | schtasks.exe | 34 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 568 | 2740 | schtasks.exe | 34 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3024 | 2740 | schtasks.exe | 34 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1348 | 2740 | schtasks.exe | 34 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1584 | 2740 | schtasks.exe | 34 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2872 | 2740 | schtasks.exe | 34 |
- Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

| pid | Process |
|---|---|
| 1560 | powershell.exe |
| 1512 | powershell.exe |
| 2844 | powershell.exe |
| 2876 | powershell.exe |
| 3008 | powershell.exe |
| 2896 | powershell.exe |

- Executes dropped EXE 12 IoCs

| pid | Process |
|---|---|
| 2964 | DllCommonsvc.exe |
| 1548 | cmd.exe |
| 3052 | cmd.exe |
| 2056 | cmd.exe |
| 2608 | cmd.exe |
| 1080 | cmd.exe |
| 2972 | cmd.exe |
| 2140 | cmd.exe |
| 1812 | cmd.exe |
| 1844 | cmd.exe |
| 2040 | cmd.exe |
| 1520 | cmd.exe |

- Loads dropped DLL 2 IoCs

| pid | Process |
|---|---|
| 2916 | cmd.exe |
| 2916 | cmd.exe |

- Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs

| flow | ioc |
|---|---|
| 5 | raw.githubusercontent.com |
| 9 | raw.githubusercontent.com |
| 15 | raw.githubusercontent.com |
| 18 | raw.githubusercontent.com |
| 22 | raw.githubusercontent.com |
| 36 | raw.githubusercontent.com |
| 40 | raw.githubusercontent.com |
| 4 | raw.githubusercontent.com |
| 25 | raw.githubusercontent.com |
| 29 | raw.githubusercontent.com |
| 33 | raw.githubusercontent.com |
| 12 | raw.githubusercontent.com |

- Drops file in Program Files directory 4 IoCs

| description | ioc | Process |
|---|---|---|
| File created | C:\Program Files\VideoLAN\Idle.exe | DllCommonsvc.exe |
| File created | C:\Program Files\VideoLAN\6ccacd8608530f | DllCommonsvc.exe |
| File created | C:\Program Files (x86)\Windows Portable Devices\spoolsv.exe | DllCommonsvc.exe |
| File created | C:\Program Files (x86)\Windows Portable Devices\f3b6ecef712a24 | DllCommonsvc.exe |

- Drops file in Windows directory 5 IoCs

| description | ioc | Process |
|---|---|---|
| File created | C:\Windows\Tasks\OSPPSVC.exe | DllCommonsvc.exe |
| File opened for modification | C:\Windows\Tasks\OSPPSVC.exe | DllCommonsvc.exe |
| File created | C:\Windows\Tasks\1610b97d3ab4a7 | DllCommonsvc.exe |
| File created | C:\Windows\Registration\cmd.exe | DllCommonsvc.exe |
| File created | C:\Windows\Registration\ebf1f9fa8afd6d | DllCommonsvc.exe |
- Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

- System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

| description | ioc | Process |
|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_2f5d8b60f57f1700923ea656288371c44a9308d919fe4f9dc0e744137c7def26.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe |

- Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.

| pid | Process |
|---|---|
| 900 | schtasks.exe |
| 568 | schtasks.exe |
| 1348 | schtasks.exe |
| 1584 | schtasks.exe |
| 2788 | schtasks.exe |
| 2652 | schtasks.exe |
| 2728 | schtasks.exe |
| 2400 | schtasks.exe |
| 2240 | schtasks.exe |
| 2024 | schtasks.exe |
| 2388 | schtasks.exe |
| 2320 | schtasks.exe |
| 2708 | schtasks.exe |
| 3024 | schtasks.exe |
| 2872 | schtasks.exe |
- Suspicious behavior: EnumeratesProcesses 22 IoCs

| pid | Process |
|---|---|
| 2964 | DllCommonsvc.exe |
| 2964 | DllCommonsvc.exe |
| 2964 | DllCommonsvc.exe |
| 2964 | DllCommonsvc.exe |
| 2964 | DllCommonsvc.exe |
| 2876 | powershell.exe |
| 1512 | powershell.exe |
| 2896 | powershell.exe |
| 3008 | powershell.exe |
| 2844 | powershell.exe |
| 1560 | powershell.exe |
| 1548 | cmd.exe |
| 3052 | cmd.exe |
| 2056 | cmd.exe |
| 2608 | cmd.exe |
| 1080 | cmd.exe |
| 2972 | cmd.exe |
| 2140 | cmd.exe |
| 1812 | cmd.exe |
| 1844 | cmd.exe |
| 2040 | cmd.exe |
| 1520 | cmd.exe |

- Suspicious use of AdjustPrivilegeToken 18 IoCs

| description | pid | Process |
|---|---|---|
| Token: SeDebugPrivilege | 2964 | DllCommonsvc.exe |
| Token: SeDebugPrivilege | 2876 | powershell.exe |
| Token: SeDebugPrivilege | 1512 | powershell.exe |
| Token: SeDebugPrivilege | 2896 | powershell.exe |
| Token: SeDebugPrivilege | 3008 | powershell.exe |
| Token: SeDebugPrivilege | 1560 | powershell.exe |
| Token: SeDebugPrivilege | 2844 | powershell.exe |
| Token: SeDebugPrivilege | 1548 | cmd.exe |
| Token: SeDebugPrivilege | 3052 | cmd.exe |
| Token: SeDebugPrivilege | 2056 | cmd.exe |
| Token: SeDebugPrivilege | 2608 | cmd.exe |
| Token: SeDebugPrivilege | 1080 | cmd.exe |
| Token: SeDebugPrivilege | 2972 | cmd.exe |
| Token: SeDebugPrivilege | 2140 | cmd.exe |
| Token: SeDebugPrivilege | 1812 | cmd.exe |
| Token: SeDebugPrivilege | 1844 | cmd.exe |
| Token: SeDebugPrivilege | 2040 | cmd.exe |
| Token: SeDebugPrivilege | 1520 | cmd.exe |
- Suspicious use of WriteProcessMemory 64 IoCs
The 64 entries repeat the same parent/child pairs several times each; the distinct rows are listed below with the number of times each was recorded.

| description | pid | Process | procid_target | occurrences |
|---|---|---|---|---|
| PID 2300 wrote to memory of 2028 | 2300 | JaffaCakes118_2f5d8b60f57f1700923ea656288371c44a9308d919fe4f9dc0e744137c7def26.exe | 30 | 4 |
| PID 2028 wrote to memory of 2916 | 2028 | WScript.exe | 31 | 4 |
| PID 2916 wrote to memory of 2964 | 2916 | cmd.exe | 33 | 4 |
| PID 2964 wrote to memory of 2844 | 2964 | DllCommonsvc.exe | 50 | 3 |
| PID 2964 wrote to memory of 2876 | 2964 | DllCommonsvc.exe | 51 | 3 |
| PID 2964 wrote to memory of 3008 | 2964 | DllCommonsvc.exe | 52 | 3 |
| PID 2964 wrote to memory of 2896 | 2964 | DllCommonsvc.exe | 53 | 3 |
| PID 2964 wrote to memory of 1560 | 2964 | DllCommonsvc.exe | 54 | 3 |
| PID 2964 wrote to memory of 1512 | 2964 | DllCommonsvc.exe | 55 | 3 |
| PID 2964 wrote to memory of 2752 | 2964 | DllCommonsvc.exe | 59 | 3 |
| PID 2752 wrote to memory of 2004 | 2752 | cmd.exe | 64 | 3 |
| PID 2752 wrote to memory of 1548 | 2752 | cmd.exe | 65 | 3 |
| PID 1548 wrote to memory of 2300 | 1548 | cmd.exe | 66 | 3 |
| PID 2300 wrote to memory of 2756 | 2300 | cmd.exe | 68 | 3 |
| PID 2300 wrote to memory of 3052 | 2300 | cmd.exe | 69 | 3 |
| PID 3052 wrote to memory of 1836 | 3052 | cmd.exe | 70 | 3 |
| PID 1836 wrote to memory of 3012 | 1836 | cmd.exe | 72 | 3 |
| PID 1836 wrote to memory of 2056 | 1836 | cmd.exe | 73 | 3 |
| PID 2056 wrote to memory of 2184 | 2056 | cmd.exe | 74 | 3 |
| PID 2184 wrote to memory of 2828 | 2184 | cmd.exe | 76 | 3 |
| PID 2184 wrote to memory of 2608 | 2184 | cmd.exe | 77 | 1 |
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Depth gives the nesting level in the process tree; each process is a child of the nearest preceding process one level up.

Depth 1: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2f5d8b60f57f1700923ea656288371c44a9308d919fe4f9dc0e744137c7def26.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2f5d8b60f57f1700923ea656288371c44a9308d919fe4f9dc0e744137c7def26.exe"
PID: 2300
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory

Depth 2: C:\Windows\SysWOW64\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
PID: 2028
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory

Depth 3: C:\Windows\SysWOW64\cmd.exe
Command line: cmd /c ""C:\providercommon\1zu9dW.bat" "
PID: 2916
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory

Depth 4: C:\providercommon\DllCommonsvc.exe
Command line: "C:\providercommon\DllCommonsvc.exe"
PID: 2964
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
PID: 2844
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken

Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Tasks\OSPPSVC.exe'
PID: 2876
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken

Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\Idle.exe'
PID: 3008
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken

Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\spoolsv.exe'
PID: 2896
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken

Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Registration\cmd.exe'
PID: 1560
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken

Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Cookies\explorer.exe'
PID: 1512
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken

Depth 5: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wMvxJuE7fS.bat"
PID: 2752
- Suspicious use of WriteProcessMemory
Depth 6: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 2004

Depth 6: C:\Windows\Registration\cmd.exe
Command line: "C:\Windows\Registration\cmd.exe"
PID: 1548
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

Depth 7: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UPAAmIRCFx.bat"
PID: 2300
- Suspicious use of WriteProcessMemory

Depth 8: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 2756

Depth 8: C:\Windows\Registration\cmd.exe
Command line: "C:\Windows\Registration\cmd.exe"
PID: 3052
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

Depth 9: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MpmmxgpAh8.bat"
PID: 1836
- Suspicious use of WriteProcessMemory

Depth 10: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 3012

Depth 10: C:\Windows\Registration\cmd.exe
Command line: "C:\Windows\Registration\cmd.exe"
PID: 2056
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

Depth 11: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gMBHdlpNUB.bat"
PID: 2184
- Suspicious use of WriteProcessMemory

Depth 12: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 2828

Depth 12: C:\Windows\Registration\cmd.exe
Command line: "C:\Windows\Registration\cmd.exe"
PID: 2608
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken

Depth 13: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5mXdMdden9.bat"
PID: 2472

Depth 14: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 2920

Depth 14: C:\Windows\Registration\cmd.exe
Command line: "C:\Windows\Registration\cmd.exe"
PID: 1080
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken

Depth 15: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uP802u8Cku.bat"
PID: 2148

Depth 16: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 2784

Depth 16: C:\Windows\Registration\cmd.exe
Command line: "C:\Windows\Registration\cmd.exe"
PID: 2972
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken

Depth 17: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HHf3c4kdaf.bat"
PID: 2000

Depth 18: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 568

Depth 18: C:\Windows\Registration\cmd.exe
Command line: "C:\Windows\Registration\cmd.exe"
PID: 2140
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken

Depth 19: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MQa1PIx8rY.bat"
PID: 1608

Depth 20: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 892

Depth 20: C:\Windows\Registration\cmd.exe
Command line: "C:\Windows\Registration\cmd.exe"
PID: 1812
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken

Depth 21: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VF9LbKHiRa.bat"
PID: 2728

Depth 22: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 988

Depth 22: C:\Windows\Registration\cmd.exe
Command line: "C:\Windows\Registration\cmd.exe"
PID: 1844
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken

Depth 23: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\P9uKrkSNlp.bat"
PID: 1492

Depth 24: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 2160

Depth 24: C:\Windows\Registration\cmd.exe
Command line: "C:\Windows\Registration\cmd.exe"
PID: 2040
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken

Depth 25: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hiVaTihpWK.bat"
PID: 2620

Depth 26: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 352

Depth 26: C:\Windows\Registration\cmd.exe
Command line: "C:\Windows\Registration\cmd.exe"
PID: 1520
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken

Depth 27: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0xFiNVDkrN.bat"
PID: 592

Depth 28: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 1452
Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\Windows\Tasks\OSPPSVC.exe'" /f
PID: 2788
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task

Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Windows\Tasks\OSPPSVC.exe'" /rl HIGHEST /f
PID: 2708
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task

Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\Windows\Tasks\OSPPSVC.exe'" /rl HIGHEST /f
PID: 2652
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task

Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Program Files\VideoLAN\Idle.exe'" /f
PID: 2728
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task

Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\Idle.exe'" /rl HIGHEST /f
PID: 2400
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task

Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Program Files\VideoLAN\Idle.exe'" /rl HIGHEST /f
PID: 2240
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task

Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Portable Devices\spoolsv.exe'" /f
PID: 2024
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task

Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\spoolsv.exe'" /rl HIGHEST /f
PID: 2388
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task

Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Portable Devices\spoolsv.exe'" /rl HIGHEST /f
PID: 900
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task

Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Windows\Registration\cmd.exe'" /f
PID: 2320
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task

Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\Registration\cmd.exe'" /rl HIGHEST /f
PID: 568
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task

Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Windows\Registration\cmd.exe'" /rl HIGHEST /f
PID: 3024
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task

Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Cookies\explorer.exe'" /f
PID: 1348
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task

Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Admin\Cookies\explorer.exe'" /rl HIGHEST /f
PID: 1584
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task

Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Cookies\explorer.exe'" /rl HIGHEST /f
PID: 2872
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Downloads