Analysis
max time kernel: 149s
max time network: 145s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
submitted: 21-12-2024 23:18

Behavioral task: behavioral1
Sample: JaffaCakes118_00333a738de3902737ef620dffbb0cab2b6b950493c24074238a400ece4891e5.exe
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: JaffaCakes118_00333a738de3902737ef620dffbb0cab2b6b950493c24074238a400ece4891e5.exe
Resource: win10v2004-20241007-en
General
Target: JaffaCakes118_00333a738de3902737ef620dffbb0cab2b6b950493c24074238a400ece4891e5.exe
Size: 1.3MB
MD5: a0bdf4e53db7070e43b1763145a19178
SHA1: 38b188e3b1f5be2b425dbf01dbf3a59a1d90176b
SHA256: 00333a738de3902737ef620dffbb0cab2b6b950493c24074238a400ece4891e5
SHA512: 51e9049e5ad321ea367f95463b9a00c1d142995f489dd0824db1c1b2e607dbcd27285369a43278ef5d7698ce8dfe5809f4b8ba5791177fc0eff13373c6cf04df
SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config

Signatures

DcRat
  DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.

Dcrat family

Process spawned unexpected child process (9 IoCs)
  This typically indicates the parent process was compromised via an exploit or macro.
  description (identical for all 9 rows): Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
  pid   pid_target  Process       procid_target
  2880  2840        schtasks.exe  35
  2684  2840        schtasks.exe  35
  2416  2840        schtasks.exe  35
  2708  2840        schtasks.exe  35
  2616  2840        schtasks.exe  35
  2672  2840        schtasks.exe  35
  2876  2840        schtasks.exe  35
  2592  2840        schtasks.exe  35
  1504  2840        schtasks.exe  35

  resource                                                                       yara_rule
  behavioral1/files/0x00070000000186fd-10.dat                                    dcrat
  behavioral1/memory/2316-13-0x0000000000BC0000-0x0000000000CD0000-memory.dmp    dcrat
  behavioral1/memory/3028-52-0x0000000001130000-0x0000000001240000-memory.dmp    dcrat
  behavioral1/memory/1048-111-0x0000000000100000-0x0000000000210000-memory.dmp   dcrat
  behavioral1/memory/1816-171-0x00000000000B0000-0x00000000001C0000-memory.dmp   dcrat
  behavioral1/memory/1520-231-0x0000000000E00000-0x0000000000F10000-memory.dmp   dcrat
  behavioral1/memory/2960-292-0x0000000001340000-0x0000000001450000-memory.dmp   dcrat
  behavioral1/memory/2684-352-0x00000000001E0000-0x00000000002F0000-memory.dmp   dcrat
  behavioral1/memory/2828-413-0x0000000000960000-0x0000000000A70000-memory.dmp   dcrat
  behavioral1/memory/3060-474-0x0000000000990000-0x0000000000AA0000-memory.dmp   dcrat
  behavioral1/memory/1152-593-0x0000000000070000-0x0000000000180000-memory.dmp   dcrat
  behavioral1/memory/2396-653-0x0000000000C60000-0x0000000000D70000-memory.dmp   dcrat

Command and Scripting Interpreter: PowerShell (1 TTPs, 4 IoCs)
  Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  pid   Process
  1300  powershell.exe
  1612  powershell.exe
  1316  powershell.exe
  1484  powershell.exe

Executes dropped EXE (12 IoCs)
  pid   Process
  2316  DllCommonsvc.exe
  3028  WmiPrvSE.exe
  1048  WmiPrvSE.exe
  1816  WmiPrvSE.exe
  1520  WmiPrvSE.exe
  2960  WmiPrvSE.exe
  2684  WmiPrvSE.exe
  2828  WmiPrvSE.exe
  3060  WmiPrvSE.exe
  2720  WmiPrvSE.exe
  1152  WmiPrvSE.exe
  2396  WmiPrvSE.exe

Loads dropped DLL (2 IoCs)
  pid   Process
  2328  cmd.exe
  2328  cmd.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 11 IoCs)
  flow  ioc
  5     raw.githubusercontent.com
  16    raw.githubusercontent.com
  20    raw.githubusercontent.com
  31    raw.githubusercontent.com
  38    raw.githubusercontent.com
  4     raw.githubusercontent.com
  9     raw.githubusercontent.com
  13    raw.githubusercontent.com
  23    raw.githubusercontent.com
  27    raw.githubusercontent.com
  34    raw.githubusercontent.com

Drops file in Program Files directory (3 IoCs)
  description                   ioc                                                  Process
  File created                  C:\Program Files\VideoLAN\VLC\locale\WmiPrvSE.exe    DllCommonsvc.exe
  File opened for modification  C:\Program Files\VideoLAN\VLC\locale\WmiPrvSE.exe    DllCommonsvc.exe
  File created                  C:\Program Files\VideoLAN\VLC\locale\24dbde2999530e  DllCommonsvc.exe

Drops file in Windows directory (2 IoCs)
  description   ioc                                                 Process
  File created  C:\Windows\schemas\AvailableNetwork\f3b6ecef712a24  DllCommonsvc.exe
  File created  C:\Windows\schemas\AvailableNetwork\spoolsv.exe     DllCommonsvc.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  JaffaCakes118_00333a738de3902737ef620dffbb0cab2b6b950493c24074238a400ece4891e5.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  WScript.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe

Scheduled Task/Job: Scheduled Task (1 TTPs, 9 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid   Process
  2880  schtasks.exe
  2416  schtasks.exe
  2672  schtasks.exe
  1504  schtasks.exe
  2684  schtasks.exe
  2708  schtasks.exe
  2616  schtasks.exe
  2876  schtasks.exe
  2592  schtasks.exe

Suspicious behavior: EnumeratesProcesses (18 IoCs)
  pid   Process
  2316  DllCommonsvc.exe
  2316  DllCommonsvc.exe
  2316  DllCommonsvc.exe
  1316  powershell.exe
  1484  powershell.exe
  1612  powershell.exe
  1300  powershell.exe
  3028  WmiPrvSE.exe
  1048  WmiPrvSE.exe
  1816  WmiPrvSE.exe
  1520  WmiPrvSE.exe
  2960  WmiPrvSE.exe
  2684  WmiPrvSE.exe
  2828  WmiPrvSE.exe
  3060  WmiPrvSE.exe
  2720  WmiPrvSE.exe
  1152  WmiPrvSE.exe
  2396  WmiPrvSE.exe

Suspicious use of AdjustPrivilegeToken (16 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  2316  DllCommonsvc.exe
  Token: SeDebugPrivilege  1484  powershell.exe
  Token: SeDebugPrivilege  1316  powershell.exe
  Token: SeDebugPrivilege  1612  powershell.exe
  Token: SeDebugPrivilege  1300  powershell.exe
  Token: SeDebugPrivilege  3028  WmiPrvSE.exe
  Token: SeDebugPrivilege  1048  WmiPrvSE.exe
  Token: SeDebugPrivilege  1816  WmiPrvSE.exe
  Token: SeDebugPrivilege  1520  WmiPrvSE.exe
  Token: SeDebugPrivilege  2960  WmiPrvSE.exe
  Token: SeDebugPrivilege  2684  WmiPrvSE.exe
  Token: SeDebugPrivilege  2828  WmiPrvSE.exe
  Token: SeDebugPrivilege  3060  WmiPrvSE.exe
  Token: SeDebugPrivilege  2720  WmiPrvSE.exe
  Token: SeDebugPrivilege  1152  WmiPrvSE.exe
  Token: SeDebugPrivilege  2396  WmiPrvSE.exe

Suspicious use of WriteProcessMemory (64 IoCs)
  Identical rows are collapsed; the last column gives how many times each row appears in the report (total 64).
  description                        pid   Process                                                                                  procid_target  rows
  PID 2332 wrote to memory of 2052   2332  JaffaCakes118_00333a738de3902737ef620dffbb0cab2b6b950493c24074238a400ece4891e5.exe  30             4
  PID 2052 wrote to memory of 2328   2052  WScript.exe                                                                              32             4
  PID 2328 wrote to memory of 2316   2328  cmd.exe                                                                                  34             4
  PID 2316 wrote to memory of 1484   2316  DllCommonsvc.exe                                                                         45             3
  PID 2316 wrote to memory of 1316   2316  DllCommonsvc.exe                                                                         46             3
  PID 2316 wrote to memory of 1300   2316  DllCommonsvc.exe                                                                         48             3
  PID 2316 wrote to memory of 1612   2316  DllCommonsvc.exe                                                                         49             3
  PID 2316 wrote to memory of 1536   2316  DllCommonsvc.exe                                                                         53             3
  PID 1536 wrote to memory of 2260   1536  cmd.exe                                                                                  55             3
  PID 1536 wrote to memory of 3028   1536  cmd.exe                                                                                  56             3
  PID 3028 wrote to memory of 592    3028  WmiPrvSE.exe                                                                             57             3
  PID 592 wrote to memory of 532     592   cmd.exe                                                                                  59             3
  PID 592 wrote to memory of 1048    592   cmd.exe                                                                                  60             3
  PID 1048 wrote to memory of 2224   1048  WmiPrvSE.exe                                                                             61             3
  PID 2224 wrote to memory of 2416   2224  cmd.exe                                                                                  63             3
  PID 2224 wrote to memory of 1816   2224  cmd.exe                                                                                  64             3
  PID 1816 wrote to memory of 1344   1816  WmiPrvSE.exe                                                                             65             3
  PID 1344 wrote to memory of 2904   1344  cmd.exe                                                                                  67             3
  PID 1344 wrote to memory of 1520   1344  cmd.exe                                                                                  68             3
  PID 1520 wrote to memory of 1792   1520  WmiPrvSE.exe                                                                             69             3
  PID 1792 wrote to memory of 796    1792  cmd.exe                                                                                  71             1

Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
(Each entry gives the tree depth, PID, image path and command line, followed by the signatures that matched that process.)

Level 1  PID 2332  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_00333a738de3902737ef620dffbb0cab2b6b950493c24074238a400ece4891e5.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_00333a738de3902737ef620dffbb0cab2b6b950493c24074238a400ece4891e5.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

Level 2  PID 2052  C:\Windows\SysWOW64\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

Level 3  PID 2328  C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c ""C:\providercommon\1zu9dW.bat" "
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

Level 4  PID 2316  C:\providercommon\DllCommonsvc.exe
  Command line: "C:\providercommon\DllCommonsvc.exe"
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

Level 5  PID 1484  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

Level 5  PID 1316  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\VLC\locale\WmiPrvSE.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

Level 5  PID 1300  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\csrss.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

Level 5  PID 1612  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\schemas\AvailableNetwork\spoolsv.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

Level 5  PID 1536  C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zRgfBmnBop.bat"
  - Suspicious use of WriteProcessMemory

Level 6  PID 2260  C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

Level 6  PID 3028  C:\Program Files\VideoLAN\VLC\locale\WmiPrvSE.exe
  Command line: "C:\Program Files\VideoLAN\VLC\locale\WmiPrvSE.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

Level 7  PID 592  C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Yvohz7Nokj.bat"
  - Suspicious use of WriteProcessMemory

Level 8  PID 532  C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

Level 8  PID 1048  C:\Program Files\VideoLAN\VLC\locale\WmiPrvSE.exe
  Command line: "C:\Program Files\VideoLAN\VLC\locale\WmiPrvSE.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

Level 9  PID 2224  C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\U04fYIssV3.bat"
  - Suspicious use of WriteProcessMemory

Level 10  PID 2416  C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

Level 10  PID 1816  C:\Program Files\VideoLAN\VLC\locale\WmiPrvSE.exe
  Command line: "C:\Program Files\VideoLAN\VLC\locale\WmiPrvSE.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

Level 11  PID 1344  C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9kwbr7Wkdx.bat"
  - Suspicious use of WriteProcessMemory

Level 12  PID 2904  C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

Level 12  PID 1520  C:\Program Files\VideoLAN\VLC\locale\WmiPrvSE.exe
  Command line: "C:\Program Files\VideoLAN\VLC\locale\WmiPrvSE.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

Level 13  PID 1792  C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\arqkgCRh4V.bat"
  - Suspicious use of WriteProcessMemory

Level 14  PID 796  C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

Level 14  PID 2960  C:\Program Files\VideoLAN\VLC\locale\WmiPrvSE.exe
  Command line: "C:\Program Files\VideoLAN\VLC\locale\WmiPrvSE.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

Level 15  PID 2768  C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qRj2XQE6t6.bat"

Level 16  PID 2952  C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

Level 16  PID 2684  C:\Program Files\VideoLAN\VLC\locale\WmiPrvSE.exe
  Command line: "C:\Program Files\VideoLAN\VLC\locale\WmiPrvSE.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

Level 17  PID 2932  C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YNa8GmLI5m.bat"

Level 18  PID 1324  C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

Level 18  PID 2828  C:\Program Files\VideoLAN\VLC\locale\WmiPrvSE.exe
  Command line: "C:\Program Files\VideoLAN\VLC\locale\WmiPrvSE.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

Level 19  PID 2092  C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PCaGvPqXNx.bat"

Level 20  PID 564  C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

Level 20  PID 3060  C:\Program Files\VideoLAN\VLC\locale\WmiPrvSE.exe
  Command line: "C:\Program Files\VideoLAN\VLC\locale\WmiPrvSE.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

Level 21  PID 1228  C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Y29a6RA8xz.bat"

Level 22  PID 2704  C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

Level 22  PID 2720  C:\Program Files\VideoLAN\VLC\locale\WmiPrvSE.exe
  Command line: "C:\Program Files\VideoLAN\VLC\locale\WmiPrvSE.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

Level 23  PID 1820  C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Urxb3wPgb0.bat"

Level 24  PID 2300  C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

Level 24  PID 1152  C:\Program Files\VideoLAN\VLC\locale\WmiPrvSE.exe
  Command line: "C:\Program Files\VideoLAN\VLC\locale\WmiPrvSE.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

Level 25  PID 1716  C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lAZRwHYzWc.bat"

Level 26  PID 316  C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

Level 26  PID 2396  C:\Program Files\VideoLAN\VLC\locale\WmiPrvSE.exe
  Command line: "C:\Program Files\VideoLAN\VLC\locale\WmiPrvSE.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

Level 1  PID 2880  C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Program Files\VideoLAN\VLC\locale\WmiPrvSE.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

Level 1  PID 2684  C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\locale\WmiPrvSE.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

Level 1  PID 2416  C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Program Files\VideoLAN\VLC\locale\WmiPrvSE.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

Level 1  PID 2708  C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\csrss.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

Level 1  PID 2616  C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\csrss.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

Level 1  PID 2672  C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\csrss.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

Level 1  PID 2876  C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Windows\schemas\AvailableNetwork\spoolsv.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

Level 1  PID 2592  C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\schemas\AvailableNetwork\spoolsv.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

Level 1  PID 1504  C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Windows\schemas\AvailableNetwork\spoolsv.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Downloads
Path: C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 9ccd48a2b35e634c2db201bcb2f7dcf3
SHA1: 98730303e2a95b9699f4356bdb5cd08f2eabead5
SHA256: 7e6cc2315d90b96833344d341cf06d4c1d404a243c3fd437d8a3ead3071d7b60
SHA512: 03b49206f3fc7a7154c75f9be513f3266af671896851e91ad8b16c366f5f5d019e694ae7dcea05b7c29e968cca67cb42a5103ba79d681445a4ae28ac14cb5d67

Path: C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: d411d3cfaf4ac7066f6d445b5df81981
SHA1: 09a1db6407831d8bfbd4f20659b73eed06affb64
SHA256: 79ce59024ff90b0cc59d1e0c3776c81bca31d9047eb2823b1d690bc040c9a47e
SHA512: a34d77649a548565ea618bbd68817a20261dcd76b0f1750334d3b5afe4cb083cb83dc45abedf261f1955506e11c98e7ba5545c6ee6d06103ceab8a47327840dc

Path: C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: a796e19b2f64c9d41f1422102318f859
SHA1: 6c101c5cabd16eb5f7517770ab3d1ee748f1aed2
SHA256: 3671b2ef04259fa86d24af51d9e3170d83dadfb4510a8a35b30f8143ee938839
SHA512: 8850b602b78386b9ca7df6ce398a6f7b517ed87578199bea175500c1e8d7febd99b0e4e9c6076a25dddbbb9a70700c0b23a142e92672f048392d43dd3160586c

Path: C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 924ff3debb596042d2d126272104d515
SHA1: f5448953d2208ea3a7757bd7e94933ea42e100e5
SHA256: c052ef7f290854b74b36a01e1bdbdee2a9d848e733323afc6885cebd6b8df41b
SHA512: 35f60e859119034aed7ee00fc129f509b2cea901ae7d9919baea5d30e61b8035fb1e5459d679f60fe64586a680fff883918467b3219c652f55793d4d2abfeb73

Path: C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 2b279cd1a4607c3b2ca80d5e4f8e7f29
SHA1: 9680ea1a8d54ef24e809d6aba98638c1b9d081bd
SHA256: 7b214fdc48d9bec5016a011124d015a16877df4da02965f65920e71304cdcf45
SHA512: 09fdd71d4ada0fae227173451de0aee1c07f4df5a44317d73e3005d895dd748c185b2abc91bad1ea8cbc81fd8320d45f23f007e60bebaa6dd5bf31f78b284409

Path: C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: ad02131e68d2b89b5e2fdc4bf0c60a75
SHA1: 444e953b117a5dbae5fe1f79f1c27708dab4b459
SHA256: badeee9ee711ae551289050ab6249eb01c99afaaa37dbbae9881584deea04a3a
SHA512: afab5a034f1d3703f5b63a8c8f7fdbb3ee519b4d734cb484f7b2eae460e6794169430fb89db5aec69537704bdca16d4f98909828b9c0ee8a8e7cd58c6a4700d4

Path: C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: da57511a89272d123e3dc5a6e46d8304
SHA1: 8aa6b93414a805b174688ad9157d02f86ee6db9a
SHA256: aae72223386426321da4b5bbe28329e0b74ad0239723e17a47bb384b5089dc34
SHA512: b4bc389489aec9635aadeec6f0c1847d388794a04c4e4b3a808c2fef6ff76c43b08679206cadb421cb70b2a48856ecfbcb9a09c66734fb927e21961489e1cdc7

Path: C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: f609cd1a6d48a456158d7dc3a785e77b
SHA1: 7360c1de7559720d48cbb171f9b7e6c4f764a2cf
SHA256: a584b864cbb8440810273a43da2af23fe4181d1952fea3a73bff6bf08b37d63c
SHA512: 1368b49b2f1365922f2f0a6b934f91468f9037cfa380d581dbd7f8de62e3cf37c7169b6846326530f7c6ca9be8facfb11b93bdf4dd3d103b4bd984cbf77863c0

Path: C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 540a2212a670df63c749a1c1f0539839
SHA1: 9f81a3e833f8cfead4c6e7f8611645f9f80125f8
SHA256: 8df00d8401b5f191e32a3f81ec47748b09c9005d8c4e98e2a2a5ebf8d99339ea
SHA512: 26831958ab8ca1cb8729a4d2242458d4e0f94900719a566fc6e837b8a75880c5059084af8a4d124f9d98c9f423430bb83077ad300e70b12d532fdb697d7d1d34

Filesize: 214B
MD5: 23cd58e41b57ca7c0af0388a4305a519
SHA1: b7409f29f3195b631596d60791e25d330c9e006c
SHA256: 5a0e76de13b5b0753aab0fa69babc161db14f35f52a64d9b6c9fe386de80a7ec
SHA512: 037ee075477c0822b707b5ac0fed411d4d1441f600882e18fde1a6298fb4021f884e08648db9a59a65155285ef22f75acb0f5a6e32bdd31388aff6824f0576b1

Filesize: 70KB
MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1: 1723be06719828dda65ad804298d0431f6aff976
SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Filesize: 214B
MD5: b7e793e1ab38f577c8ba85d5972140aa
SHA1: a14ffba49175fb754ca7f148ffeea0c6cfd4a9d1
SHA256: a271590616ab109cf18deeb1f6637518b1c22d40f3600a5e9b0722f77bee454b
SHA512: 37e448bb42fe50b7891a7b4a66878dff4ec4fd02c8ce6cfa2f8bd401e3f0aead493843245c212614d02935fc8c956a4b4d19c0f63427ba42734941bb2a7c662c

Filesize: 181KB
MD5: 4ea6026cf93ec6338144661bf1202cd1
SHA1: a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256: 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512: 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Filesize: 214B
MD5: 836cee391a26232536dd47b88acbe77e
SHA1: fb5f94a9e91d375eab2eda9e542c3b42a960a0f3
SHA256: 748cd1c2f62c6ddb0eb00cd2ca0b43bb6f4511c12a8e2a3e48388bca80d7ab2c
SHA512: 026d8c1d958bf8dc3ec292237594303787afaa20fae7909f55ba2927fa6b6cc2c49f0252c388df18e5a45d3a06b3ffc0dfc3972eb51a05874103911424033c58

Filesize: 214B
MD5: 367a7ecaa0fff3e2c85c95928dfeebfd
SHA1: 14f1e1e5f5cd2fb1440d3f62fed0b3208ba385a2
SHA256: b3bffd92212eadd1ae4f1af27e68fe470468c214ba281e39de58ef070992b5ac
SHA512: 850b2e0ba596fde486b12919e6d374fada6d41ef76261064128ebfe2606b4a01caa1582410472e26fc08d9314b4a0a373a7bcfd26873f3ed7fd204c9f86ba344

Filesize: 214B
MD5: c5346903e1c4665fe06ae873713083b1
SHA1: 25d8714b89f72dd1d50bd37c7f10c2c3a2843819
SHA256: 9564201263fcb0de7b479224b4b8096610419ae1b62f754d0f3bd88ba0038b30
SHA512: 21408b4e833ea9a8c258dd0a812605b2d3d33e6c93fe09a22096fe6e5a066965406d21ab08b23cf6d2968ee33e2e61efb752a3220427dbcc8056c178dea8ca83

Filesize: 214B
MD5: 5e7068a4dac292c2df88dc68cdc3bc7f
SHA1: 87e8b6c679dec8558f0a5b5ea012a22f26b7133b
SHA256: 1196773d760e412ebc878e9803e1a033132f7b7ea223e376e4229f9ddd43dcc8
SHA512: da211e8b15169af0889e4030eb6bb338617cb7f1cc49c47974542a96e51fc2fd4a9d5e71a3ace6094b06f13473cd45002c4bbbcd423e3c7b0cb7419560623a35

Filesize: 214B
MD5: 379d4b0e03ea6b4e5019b98be30e1a47
SHA1: 287a56acee6c3c3536c2cf577526ae03f41a14b7
SHA256: 246ebc1cd5ecabe4e03f38a17769ee110425a5e9fb9893655cca91957d350834
SHA512: 4026d4d0182a604c3fd5da903d33e54c5c28a21e84292b2fd9f7568f39499144bc5b40e268c6b56c1ba8073f21f110b09b8f62547f5131dd7ac627d09f258d9d

Filesize: 214B
MD5: fabc1a2c6b7a4b03455917587267c177
SHA1: 138b2c00dea0bbce2ad32b0b5dac138966443c88
SHA256: 3ef50d37031ec6e10b5b7dece6dd02a95ba6959434eef7df61c1479a6442555d
SHA512: ac9b693bf26660e0dc8f611231954ad2f1f650827811bf96a067de74ce4e4b0b16f17fb5463c4b2236f77470772484fd256832b88bddf09f936ffca8a8f89636

Filesize: 214B
MD5: 86342d63807c2a365bcadc59120cb405
SHA1: 9c898d76092431a2bcefd057d5746f10036aac5b
SHA256: bd509ddcfbc099f1dea43db93a141da323d27e47fef9a05d78da84f1f9f48304
SHA512: c42b6b4ac16290cb8a99f1ffa0f4caa9322eb29a9ad00cda6d767bbc122fb77f35453c4033d45ef99e95cdd5490e4ba8f86606545404ea0b5225ff799fda2eef

Filesize: 214B
MD5: 68e78c6ed2fafecda2621fbcca27c91b
SHA1: 2d9ac21e6bf08891737314400495bf1ac6b9590a
SHA256: 0fb302c6cc21950724d502ab6dc214941f16ad5dfb9390ffd996c829081de1c9
SHA512: 24ef21922de56445851baf8f7fe1cca3cdb9ff07c643dc6fb6fd1829b7efd08cc21d9869c9cef8aa0b1661aefc1c64ed9587c6c435691466fe6261acd9db423b

Filesize: 214B
MD5: 4e2ecac381a9a286be2ec93c2cd2c2f0
SHA1: 482790cd2f28389217bb3118c07eb48a888bf725
SHA256: b36530cd64e5fb5117cad18c864f9914eefba2544a50b42910bfa75b37819ad0
SHA512: 3de394ee7ed617a206c53e15f3b197ed9c0e8d0b24f23509d6afbb293cf355e587a3fdf7baa9f47bd3340034ee719989c71bd27f8ac6f525d2531f49e2a217d7

Path: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5U5T3Y0T3P11EMRA38B6.temp
Filesize: 7KB
MD5: 131e2c6238329e708f58133b1e273fdd
SHA1: 14f5fcd0399639b1bf4ba6e61b45c0ba615fff7b
SHA256: 0e9aac498b870870efa9248abbdacbad56fefcb4fed7f545d27bd719be3b2efc
SHA512: 3f3d3bd840bfb647af2019d1e752241fd2c3da6ce2842ca795ebc039fea9bf642142a6591dac718c4ed66aecbeb3c816089b789ed408fbf194e5e782eda27947

Filesize: 36B
MD5: 6783c3ee07c7d151ceac57f1f9c8bed7
SHA1: 17468f98f95bf504cc1f83c49e49a78526b3ea03
SHA256: 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512: c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Filesize: 1.0MB
MD5: bd31e94b4143c4ce49c17d3af46bcad0
SHA1: f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256: b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512: f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Filesize: 197B
MD5: 8088241160261560a02c84025d107592
SHA1: 083121f7027557570994c9fc211df61730455bb5
SHA256: 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA512: 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478