Analysis

- max time kernel: 145s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 21-12-2024 22:46
Behavioral task: behavioral1
- Sample: JaffaCakes118_871a40c5088ca95cc838073f8dc372ca764742d34386af947c90cb49b8a6b4b3.exe
- Resource: win7-20240903-en

Behavioral task: behavioral2
- Sample: JaffaCakes118_871a40c5088ca95cc838073f8dc372ca764742d34386af947c90cb49b8a6b4b3.exe
- Resource: win10v2004-20241007-en
General

- Target: JaffaCakes118_871a40c5088ca95cc838073f8dc372ca764742d34386af947c90cb49b8a6b4b3.exe
- Size: 1.3MB
- MD5: e090284969f9630b6cca5bc3f9565d80
- SHA1: bd1d695b0c5c0f426623d739156118b02a4f4cf6
- SHA256: 871a40c5088ca95cc838073f8dc372ca764742d34386af947c90cb49b8a6b4b3
- SHA512: aafd7f2f2ea2003d2a0c3b2fed5f7dab502ab43623ebf130885773d23e135507c05580cb7b72cfc2f841aed21ff1b48134df2266022515a1bb5e5e323bd145e4
- SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures

- DcRat
  DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

- Dcrat family

- Process spawned unexpected child process (15 IoCs)
  This typically indicates the parent process was compromised via an exploit or macro.

  | description | pid | pid_target | Process | procid_target |
  |---|---|---|---|---|
  | Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2700 | 2800 | schtasks.exe | 35 |
  | Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 876 | 2800 | schtasks.exe | 35 |
  | Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2840 | 2800 | schtasks.exe | 35 |
  | Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2144 | 2800 | schtasks.exe | 35 |
  | Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2744 | 2800 | schtasks.exe | 35 |
  | Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2816 | 2800 | schtasks.exe | 35 |
  | Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2132 | 2800 | schtasks.exe | 35 |
  | Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2260 | 2800 | schtasks.exe | 35 |
  | Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2256 | 2800 | schtasks.exe | 35 |
  | Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2096 | 2800 | schtasks.exe | 35 |
  | Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2184 | 2800 | schtasks.exe | 35 |
  | Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1468 | 2800 | schtasks.exe | 35 |
  | Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1476 | 2800 | schtasks.exe | 35 |
  | Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1128 | 2800 | schtasks.exe | 35 |
  | Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2116 | 2800 | schtasks.exe | 35 |

  | resource | yara_rule |
  |---|---|
  | behavioral1/files/0x0008000000016858-9.dat | dcrat |
  | behavioral1/memory/2148-13-0x00000000009A0000-0x0000000000AB0000-memory.dmp | dcrat |
  | behavioral1/memory/1224-44-0x00000000011D0000-0x00000000012E0000-memory.dmp | dcrat |
  | behavioral1/memory/1596-81-0x0000000000C30000-0x0000000000D40000-memory.dmp | dcrat |
  | behavioral1/memory/2836-140-0x0000000001360000-0x0000000001470000-memory.dmp | dcrat |
  | behavioral1/memory/2216-201-0x00000000002B0000-0x00000000003C0000-memory.dmp | dcrat |
  | behavioral1/memory/1028-261-0x00000000003C0000-0x00000000004D0000-memory.dmp | dcrat |
  | behavioral1/memory/1528-322-0x0000000000CB0000-0x0000000000DC0000-memory.dmp | dcrat |
  | behavioral1/memory/2620-382-0x0000000001120000-0x0000000001230000-memory.dmp | dcrat |
  | behavioral1/memory/2004-560-0x00000000013B0000-0x00000000014C0000-memory.dmp | dcrat |
  | behavioral1/memory/1476-620-0x0000000000290000-0x00000000003A0000-memory.dmp | dcrat |
- Command and Scripting Interpreter: PowerShell (1 TTPs, 7 IoCs)
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  | pid | Process |
  |---|---|
  | 2592 | powershell.exe |
  | 2108 | powershell.exe |
  | 2292 | powershell.exe |
  | 1932 | powershell.exe |
  | 828 | powershell.exe |
  | 2576 | powershell.exe |
  | 2584 | powershell.exe |
- Executes dropped EXE (12 IoCs)

  | pid | Process |
  |---|---|
  | 2148 | DllCommonsvc.exe |
  | 1224 | DllCommonsvc.exe |
  | 1596 | dwm.exe |
  | 2836 | dwm.exe |
  | 2216 | dwm.exe |
  | 1028 | dwm.exe |
  | 1528 | dwm.exe |
  | 2620 | dwm.exe |
  | 2712 | dwm.exe |
  | 2444 | dwm.exe |
  | 2004 | dwm.exe |
  | 1476 | dwm.exe |
- Loads dropped DLL (2 IoCs)

  | pid | Process |
  |---|---|
  | 484 | cmd.exe |
  | 484 | cmd.exe |
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 11 IoCs)

  | flow | ioc |
  |---|---|
  | 12 | raw.githubusercontent.com |
  | 22 | raw.githubusercontent.com |
  | 25 | raw.githubusercontent.com |
  | 29 | raw.githubusercontent.com |
  | 32 | raw.githubusercontent.com |
  | 36 | raw.githubusercontent.com |
  | 4 | raw.githubusercontent.com |
  | 5 | raw.githubusercontent.com |
  | 9 | raw.githubusercontent.com |
  | 16 | raw.githubusercontent.com |
  | 19 | raw.githubusercontent.com |
- Drops file in Program Files directory (3 IoCs)

  | description | ioc | Process |
  |---|---|---|
  | File opened for modification | C:\Program Files\VideoLAN\VLC\csrss.exe | DllCommonsvc.exe |
  | File created | C:\Program Files\VideoLAN\VLC\886983d96e3d3e | DllCommonsvc.exe |
  | File created | C:\Program Files\VideoLAN\VLC\csrss.exe | DllCommonsvc.exe |
- Drops file in Windows directory (3 IoCs)

  | description | ioc | Process |
  |---|---|---|
  | File created | C:\Windows\CSC\v2.0.6\dwm.exe | DllCommonsvc.exe |
  | File created | C:\Windows\RemotePackages\WmiPrvSE.exe | DllCommonsvc.exe |
  | File created | C:\Windows\RemotePackages\24dbde2999530e | DllCommonsvc.exe |
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  | description | ioc | Process |
  |---|---|---|
  | Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_871a40c5088ca95cc838073f8dc372ca764742d34386af947c90cb49b8a6b4b3.exe |
  | Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe |
  | Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe |
- Scheduled Task/Job: Scheduled Task (1 TTPs, 15 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.

  | pid | Process |
  |---|---|
  | 2116 | schtasks.exe |
  | 876 | schtasks.exe |
  | 2816 | schtasks.exe |
  | 1128 | schtasks.exe |
  | 2840 | schtasks.exe |
  | 2132 | schtasks.exe |
  | 2184 | schtasks.exe |
  | 1476 | schtasks.exe |
  | 2700 | schtasks.exe |
  | 2144 | schtasks.exe |
  | 2260 | schtasks.exe |
  | 1468 | schtasks.exe |
  | 2744 | schtasks.exe |
  | 2256 | schtasks.exe |
  | 2096 | schtasks.exe |
- Suspicious behavior: EnumeratesProcesses (19 IoCs)

  | pid | Process |
  |---|---|
  | 2148 | DllCommonsvc.exe |
  | 2576 | powershell.exe |
  | 2584 | powershell.exe |
  | 2592 | powershell.exe |
  | 1224 | DllCommonsvc.exe |
  | 828 | powershell.exe |
  | 2292 | powershell.exe |
  | 2108 | powershell.exe |
  | 1932 | powershell.exe |
  | 1596 | dwm.exe |
  | 2836 | dwm.exe |
  | 2216 | dwm.exe |
  | 1028 | dwm.exe |
  | 1528 | dwm.exe |
  | 2620 | dwm.exe |
  | 2712 | dwm.exe |
  | 2444 | dwm.exe |
  | 2004 | dwm.exe |
  | 1476 | dwm.exe |
- Suspicious use of AdjustPrivilegeToken (19 IoCs)

  | description | pid | Process |
  |---|---|---|
  | Token: SeDebugPrivilege | 2148 | DllCommonsvc.exe |
  | Token: SeDebugPrivilege | 2576 | powershell.exe |
  | Token: SeDebugPrivilege | 2584 | powershell.exe |
  | Token: SeDebugPrivilege | 2592 | powershell.exe |
  | Token: SeDebugPrivilege | 1224 | DllCommonsvc.exe |
  | Token: SeDebugPrivilege | 828 | powershell.exe |
  | Token: SeDebugPrivilege | 2292 | powershell.exe |
  | Token: SeDebugPrivilege | 2108 | powershell.exe |
  | Token: SeDebugPrivilege | 1932 | powershell.exe |
  | Token: SeDebugPrivilege | 1596 | dwm.exe |
  | Token: SeDebugPrivilege | 2836 | dwm.exe |
  | Token: SeDebugPrivilege | 2216 | dwm.exe |
  | Token: SeDebugPrivilege | 1028 | dwm.exe |
  | Token: SeDebugPrivilege | 1528 | dwm.exe |
  | Token: SeDebugPrivilege | 2620 | dwm.exe |
  | Token: SeDebugPrivilege | 2712 | dwm.exe |
  | Token: SeDebugPrivilege | 2444 | dwm.exe |
  | Token: SeDebugPrivilege | 2004 | dwm.exe |
  | Token: SeDebugPrivilege | 1476 | dwm.exe |
- Suspicious use of WriteProcessMemory (64 IoCs)
  Identical entries are collapsed; the count column gives how many times each entry appeared in the report (64 in total).

  | description | pid | Process | procid_target | count |
  |---|---|---|---|---|
  | PID 1812 wrote to memory of 2000 | 1812 | JaffaCakes118_871a40c5088ca95cc838073f8dc372ca764742d34386af947c90cb49b8a6b4b3.exe | 30 | 4 |
  | PID 2000 wrote to memory of 484 | 2000 | WScript.exe | 32 | 4 |
  | PID 484 wrote to memory of 2148 | 484 | cmd.exe | 34 | 4 |
  | PID 2148 wrote to memory of 2576 | 2148 | DllCommonsvc.exe | 42 | 3 |
  | PID 2148 wrote to memory of 2584 | 2148 | DllCommonsvc.exe | 43 | 3 |
  | PID 2148 wrote to memory of 2592 | 2148 | DllCommonsvc.exe | 44 | 3 |
  | PID 2148 wrote to memory of 2004 | 2148 | DllCommonsvc.exe | 48 | 3 |
  | PID 2004 wrote to memory of 2908 | 2004 | cmd.exe | 50 | 3 |
  | PID 2004 wrote to memory of 1224 | 2004 | cmd.exe | 51 | 3 |
  | PID 1224 wrote to memory of 2108 | 1224 | DllCommonsvc.exe | 61 | 3 |
  | PID 1224 wrote to memory of 2292 | 1224 | DllCommonsvc.exe | 62 | 3 |
  | PID 1224 wrote to memory of 828 | 1224 | DllCommonsvc.exe | 64 | 3 |
  | PID 1224 wrote to memory of 1932 | 1224 | DllCommonsvc.exe | 65 | 3 |
  | PID 1224 wrote to memory of 1680 | 1224 | DllCommonsvc.exe | 69 | 3 |
  | PID 1680 wrote to memory of 2312 | 1680 | cmd.exe | 71 | 3 |
  | PID 1680 wrote to memory of 1596 | 1680 | cmd.exe | 72 | 3 |
  | PID 1596 wrote to memory of 772 | 1596 | dwm.exe | 73 | 3 |
  | PID 772 wrote to memory of 2944 | 772 | cmd.exe | 75 | 3 |
  | PID 772 wrote to memory of 2836 | 772 | cmd.exe | 76 | 3 |
  | PID 2836 wrote to memory of 1196 | 2836 | dwm.exe | 77 | 3 |
  | PID 1196 wrote to memory of 448 | 1196 | cmd.exe | 79 | 1 |
- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

Each entry lists the image path, the command line, the depth in the process tree (depth 1 is the root of a tree), the matched signatures and the PID. The schtasks.exe entries at the end are separate depth-1 roots; the "Process spawned unexpected child process" signature above records wmiprvse.exe (PID 2800) as their parent.

- Depth 1, PID 1812: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_871a40c5088ca95cc838073f8dc372ca764742d34386af947c90cb49b8a6b4b3.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_871a40c5088ca95cc838073f8dc372ca764742d34386af947c90cb49b8a6b4b3.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

- Depth 2, PID 2000: C:\Windows\SysWOW64\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

- Depth 3, PID 484: C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c ""C:\providercommon\1zu9dW.bat" "
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

- Depth 4, PID 2148: C:\providercommon\DllCommonsvc.exe
  Command line: "C:\providercommon\DllCommonsvc.exe"
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

- Depth 5, PID 2576: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

- Depth 5, PID 2584: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\VLC\csrss.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

- Depth 5, PID 2592: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\lsm.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

- Depth 5, PID 2004: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0ms6Q8G3V4.bat"
  - Suspicious use of WriteProcessMemory

- Depth 6, PID 2908: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

- Depth 6, PID 1224: C:\providercommon\DllCommonsvc.exe
  Command line: "C:\providercommon\DllCommonsvc.exe"
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

- Depth 7, PID 2108: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

- Depth 7, PID 2292: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

- Depth 7, PID 828: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\dwm.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

- Depth 7, PID 1932: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\RemotePackages\WmiPrvSE.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

- Depth 7, PID 1680: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3CX563UFPi.bat"
  - Suspicious use of WriteProcessMemory

- Depth 8, PID 2312: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

- Depth 8, PID 1596: C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\dwm.exe
  Command line: "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\dwm.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

- Depth 9, PID 772: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6uMgbjYtd5.bat"
  - Suspicious use of WriteProcessMemory

- Depth 10, PID 2944: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

- Depth 10, PID 2836: C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\dwm.exe
  Command line: "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\dwm.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

- Depth 11, PID 1196: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hC9SSnetfo.bat"
  - Suspicious use of WriteProcessMemory

- Depth 12, PID 448: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

- Depth 12, PID 2216: C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\dwm.exe
  Command line: "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\dwm.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

- Depth 13, PID 1300: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\m1RNSv4oba.bat"

- Depth 14, PID 988: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

- Depth 14, PID 1028: C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\dwm.exe
  Command line: "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\dwm.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

- Depth 15, PID 2392: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YzNOjOTGFC.bat"

- Depth 16, PID 2864: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

- Depth 16, PID 1528: C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\dwm.exe
  Command line: "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\dwm.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

- Depth 17, PID 1976: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6SU00hIhBO.bat"

- Depth 18, PID 2672: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

- Depth 18, PID 2620: C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\dwm.exe
  Command line: "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\dwm.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

- Depth 19, PID 1992: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yTtrehocny.bat"

- Depth 20, PID 2220: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

- Depth 20, PID 2712: C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\dwm.exe
  Command line: "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\dwm.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

- Depth 21, PID 2740: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8KwMxVG80h.bat"

- Depth 22, PID 2632: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

- Depth 22, PID 2444: C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\dwm.exe
  Command line: "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\dwm.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

- Depth 23, PID 2148: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1e6qhBZ49x.bat"

- Depth 24, PID 2592: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

- Depth 24, PID 2004: C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\dwm.exe
  Command line: "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\dwm.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

- Depth 25, PID 2956: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5cWoBfSAzl.bat"

- Depth 26, PID 2224: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

- Depth 26, PID 1476: C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\dwm.exe
  Command line: "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\dwm.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

- Depth 27, PID 2312: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AKY6NrPTox.bat"

- Depth 28, PID 536: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

- Depth 1, PID 2700: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files\VideoLAN\VLC\csrss.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

- Depth 1, PID 876: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\csrss.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

- Depth 1, PID 2840: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files\VideoLAN\VLC\csrss.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

- Depth 1, PID 2144: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\providercommon\lsm.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

- Depth 1, PID 2744: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\providercommon\lsm.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

- Depth 1, PID 2816: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\providercommon\lsm.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

- Depth 1, PID 2132: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

- Depth 1, PID 2260: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

- Depth 1, PID 2256: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

- Depth 1, PID 2096: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\dwm.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

- Depth 1, PID 2184: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

- Depth 1, PID 1468: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

- Depth 1, PID 1476: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Windows\RemotePackages\WmiPrvSE.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

- Depth 1, PID 1128: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\RemotePackages\WmiPrvSE.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

- Depth 1, PID 2116: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Windows\RemotePackages\WmiPrvSE.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 030ab4b49ffdc337d43385702249f628
  SHA1: b9050b7d46b14af6974a2dd2995a16e084c1a96d
  SHA256: 0551c5f6b372e9395823a6a5d4713b4bf27d2d29313188b467d10f8b3a976367
  SHA512: dcae3a245ee753c17910bf1be0edeffa1b79fbe1d75a29274a7b907f2a99dc7015aaf5d2f0e6c2abe30e710e5248e4b1f1199d8927bcb0e4b1ab9feef7626017

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 7fdc43c03d6021ec1d3c6326acf44191
  SHA1: b5ca9c9cfdec3c9e61aa8d4a42ffd335830f2416
  SHA256: 9a06a7d030687bc2d8b63d7fe012c16ff59102b78e1234675d12109e84f650b1
  SHA512: 0bb6619d0717799f249ecf1c1cec86e7074a2d163e44a78b6c33d8ccf7d9b93adfaad54a74088ee4d28c36ada08e98e86fb6dc70ccdb1da175b70b71a9bef4eb

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 4c7310568b1748183fcfb06d16caf63e
  SHA1: a5efff6aa938d75be53013f2bc6d36cfae4c1338
  SHA256: 074ea5066f2aef5be9105603584b75c17132e3a1f6de7ff545edb00c06d105e6
  SHA512: fb796f8bcbe9cf26944076d940ba907eac08cd02347431c6fca0cdabcb10f53adc1d6f93f117bd1e489a2d4717ce9ef90bc76b77bf79955bd9820525106677b9

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 13ad4095a362bbfbcc2e75875f4b35bb
  SHA1: b79407edc29828d79d47a4f1a8e4855e00e40ef4
  SHA256: c2d68d647d1bf8755f480fa24cecd7b3f641e506372abe6896a01ad3421c7512
  SHA512: 92a1b87361d83a577588a152ce2bb4bebd964f35dad623c70ddea8df06a6179d3ae4fd08deed83ba1661af63c7723caba4f37ceeb4547892f27562eb470d4002

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 2885c5fe80ea3ab30c12d2e83bf94ac7
  SHA1: fb2b44667c011cfa99899ab5aa3171f672a63f86
  SHA256: 48b4168f16e1e4360ed1217630501c5fba0b77bf431829e5a278dfb320b7db02
  SHA512: fd158a15604744efdeaaced8fa8b8f0bd879080e6ef5ead696b8bce3a96be6c846458496ab1667d5900a1f50d60dc3395b5faab0ecb2de0c70b6d27c2780cb1a

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 58f45ff77a2855838782ec0d7698c438
  SHA1: 2e8d19bacad840ee7d41092c6b93f3ab2fd2c934
  SHA256: d5bc662fc68721dd10457f4455f9c1b89ec4ceea7f92b39a9a869e3e4cb5dd57
  SHA512: 6ff1f840f34fe601e5a05367a0ea3c7de2efdfc4d06eb119eac4ba44d7e1ad486ffe9e3243f7b452663707b79ae0806befe0a6460e2c6db0c4f1a25f4106d3d9

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: e066fdfe3e953fd85d755efd08cdbaa5
  SHA1: 0c7aaf40618c06c78eafbb4b54a6dd97bd765af0
  SHA256: d4c3d6299ece0d9d382f06a603a6d46df5311eaf7f4bd27d8d7fcd04320a55c6
  SHA512: 97f97b7b542d7e43d4395188500c1c985238dc862c374db76ee563f8834454288b79e965f6ca84b24472f27c8b9627fd5dad6873dd0189e206df340b43a6f361

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 30bfb66760fa0f2bb5c67c767a9defb2
  SHA1: 268a12e52d741dd8629084e21439b48cc8342835
  SHA256: a5c8076070b038892e080cf2cf0784612da0e7eed0fd059cfcb2fa838e8a0607
  SHA512: 5c75acb872c9f19e62b618ac81a1469513d520da70943ee6421409463843b28610556ea476b6840566eedf68b8e1f9eaa5bb579d6bc95b1ab95233d56a28249b

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 55abe24da41c1dd15a6cf6c20e2d7416
  SHA1: dd9ae5b2628ba76ad58fe7ca6102951f4e08f451
  SHA256: d66e7c0db93fce241703cd130c2f55b63a04db14ae808802b85bee6ef5ad9a81
  SHA512: 212e9886ceeff0e4a56e51f088765c6a581b33b1558f7b78379e9a3f120ca59e754b82c236a837035d8d1b7876012d90d5c42ed88cbec420160a2a38cf36acb3

- Filesize: 199B
  MD5: 9bf0df597af1342248b98d983ae90d7f
  SHA1: f24927f8ad0e628e7266eb6cd7ef68a8bcbcb226
  SHA256: f1cac5d614942096d2934c75b95be26c55349a9ca9bd7bb39ca7f59c5bc52cd8
  SHA512: 6f5bf7ef97161c52a8e5708fe29a64b4d347af736f1ed5db39e5cbc108af8cb3c2a130b685ef907043ca2611307a7b7149c4d350e618d397701fbe1a40143e70

- Filesize: 235B
  MD5: 6af85ace3503ded9bd8fbcbfaef658e6
  SHA1: e8e4712845c828e8a31281947758f506c7ecb80c
  SHA256: b81c31f57c95a394c79ca378e73934e5cd83680830f4811f2b113ed3a8ebdf84
  SHA512: 133cb4b549b52f5c340da10ea46d209f6f7f6a1df5b411af5f4012d4b82b229e7b0342dbbe491a5d571161c8da5a4fd328a344e585793d611f0ba553b35431af

- Filesize: 235B
  MD5: 37ca0c013a3a03ca62eb8df9b8aaa715
  SHA1: e11381cf0990c41d557b5df1b77a57f9becb4fdd
  SHA256: f7c68cb611597a3b41cef91b21237f6ca5bff2b9d8b83a6651f2d357b253e3c5
  SHA512: d0a9e54415c02d0ef993ccf46de564cb39a1608981f20de24c1a01497a5c28930e5db81c33a20f0d644e9d3c1fe8b43853e1c07d9d72994b48d27f773178cfe0

- Filesize: 235B
  MD5: e9c71ee866c46aeb4a9803abbe38d6d6
  SHA1: d09f26f3af35628e465925c85791793dd13bd503
  SHA256: 3175c7c2e8e035bda46809395358645700e17e9d50afa9d9fc65e4cbdc96dea6
  SHA512: 17d1c9daf841979152bdf4421fb37b90fc70547f22b42e4297db4c2a9c907d58a36f2776f4c60b6e1c0008f63ddab9aa93d0c007a3a0fdf86b5ffd06603b2a34

- Filesize: 235B
  MD5: 6705d801119fea5e06562b0e8cce3608
  SHA1: 65ac50f7a69e83e16e2c4a6e011a69a2ed2cc63e
  SHA256: 316ba7913912b964cd99d834a7689181ca6f1f6ff793c0ea59e68d7248a12eba
  SHA512: 9a88f2e60c8c4b3cb819b74c1cfe351ec2fd59fb04a24d3a4c0604108aeae846f918b4b4398ed01c30c151e0995ea8441a71248ef2b2885f06c5921e1d01e903

- Filesize: 235B
  MD5: 688828b31d79aeb235c5d465ba6338db
  SHA1: f21a6777f1ca367b8362e569addc59261c964e20
  SHA256: 642016f042fe391414e4e7b1cf7fc3153fc33dfde37046e16b727ebdaba0818d
  SHA512: 2ca35a80f289afc8bf1a6aa5deded73bb7f6a2f8f7f13434a7e2d4df5688e82b91f544c8ec4bf2582102cf6c0c47ae8b4e04795330a0dc4bfbb5a20d2c5022f9

- Filesize: 235B
  MD5: f24f2c841ac47406dbe8d1ffb6a0c4cd
  SHA1: 9bce25c857ee2caece6e5d7c5fe74f414a89c105
  SHA256: 9ed68db2f6fff388698b757929dfd5790fa3f3543efc116e7be7b14522c4b303
  SHA512: 895f55bb216679f49d3ec02faf61f98eafdcbe6ee2bd231183e0ca6f25efe72e3ab181b7adb8cdb4dc665b37fc321951390a99f6d14400ab94801add0638510b

- Filesize: 235B
  MD5: 551bbddff7bcb76ec41f9f7a42f1b50e
  SHA1: 44ad5fec5151e9b0581e7f44144d5e1b4adea7d8
  SHA256: d92bfa1d37475fc3a351b503608cd717fa025106c5aaa57642c4f01569645ad1
  SHA512: 9c9653a8d5af82f49f8bc2e2c7006f15b93a141979d79aba6910e7a606a11a7c93e0f243ca33c8de95dc33df87e2033efda2bda8daabca50b8643dd7ee216aa4

- Filesize: 70KB
  MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
  SHA1: 1723be06719828dda65ad804298d0431f6aff976
  SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
  SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

- Filesize: 181KB
  MD5: 4ea6026cf93ec6338144661bf1202cd1
  SHA1: a1dec9044f750ad887935a01430bf49322fbdcb7
  SHA256: 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
  SHA512: 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

- Filesize: 235B
  MD5: 1197adf3d3c7fe0714ea1a24bf14bec2
  SHA1: 00413e5dcbe442ce9bdaa57c0bcdef3b6b2c632e
  SHA256: 3b55cbcb2ca8363bae08e79ea882884cd9c01eed9d4c5759534dbaa5ad85c175
  SHA512: 6ef7abd6dfc99e15961e75ef9b0fff0728124ced83aede19087798075ca795925e55ad6e1f4d52218322d93cb556529d424cef157909d23387bfb60c66af50b0

- Filesize: 235B
  MD5: 7a677e3b85e79f42f8a8ecba47dd2d09
  SHA1: 77e616b44ee3fbab6631cb88e738737fd600ea38
  SHA256: feec65e693cc2d5b2ab7aa86649f1db9858d507ae79a7949449b7a793a8e9af0
  SHA512: c90e4189a4952505185817737fd2110073b02bb55c5d08c8e461e10cea63309dfe8b60bd5027f93cf220609a7490c4c998c556ecf8b18987263434e6fab36576

- Filesize: 235B
  MD5: c57b2d3267f328c1af7dfddb784b15fa
  SHA1: 1b707a792f3f62367f51424de0c32502f6cfefb7
  SHA256: 57800920d1ff4e857ed868742ebea918cb0ec0c37551666074010de5663453a5
  SHA512: c917145b2e9e5b18c5e4e9510f4065c97dbb179e2eecba8ec7760ddd8bc156f0470fc41294e972bfa6073cec135a377f2cb64ae188c591f5be982232fbc9c30c

- Filesize: 235B
  MD5: 869f8c274b07f490f59a9ff414f3bc4a
  SHA1: 4e8f46b3bfdd03aa265d5890c600aa1c989196e9
  SHA256: 489998cecf46704cfc3f26d2f177b9bd18db9d122e7732bbbad46383d887d270
  SHA512: 9ffd6ec198f265fc861fffa823762d0c9c95e4cab17287e508e7b9620d159be204d9eea131634cf526d6b6a8e3608846e3cc1e02a5e5453cef8611b9b0177a66

- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: a15f8928bebcf7e1771e2d59a6342177
  SHA1: 4288a77730b317b7456b3c40949243880bee33ae
  SHA256: 4faaa98c11a61676685338515c28d64c893f8afb3de52389a0b086c54dc07c03
  SHA512: ec68957a47ed6bcc74f9b7e4eca46ab3ac6244eaa154213e30091a5fe9b4c976bf701b7a10101d9657c3b2e930007223951ba30c8c3982c084edf56618684335

- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: 76624376efa8e59c47ffb4c5dafbbe8a
  SHA1: a00b07d032e1a2e958ff01bf1329c5445f921676
  SHA256: 2cbd9641e613bb71847bdc4eb98a6184e7ad05ca3be7d69b2a6bf7cf1fcfebd2
  SHA512: ff5ba08dc35e2a4fef3c55ff43e52e4c568eab1500d24153ff1610930389b67e87d3a66808acf1df18d77f9c2367e1163418cbc8f6edcd1f1763d3d148f1383f

- Filesize: 36B
  MD5: 6783c3ee07c7d151ceac57f1f9c8bed7
  SHA1: 17468f98f95bf504cc1f83c49e49a78526b3ea03
  SHA256: 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
  SHA512: c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

- Filesize: 197B
  MD5: 8088241160261560a02c84025d107592
  SHA1: 083121f7027557570994c9fc211df61730455bb5
  SHA256: 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
  SHA512: 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

- Filesize: 1.0MB
  MD5: bd31e94b4143c4ce49c17d3af46bcad0
  SHA1: f8c51ff3ff909531d9469d4ba1bbabae101853ff
  SHA256: b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
  SHA512: f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394