Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
21-12-2024 23:25
Behavioral task
behavioral1
Sample
JaffaCakes118_cb1fef4694d8e4ea173c464b0f7f23acee7fd8b213e89ff36df383334bd5735d.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
JaffaCakes118_cb1fef4694d8e4ea173c464b0f7f23acee7fd8b213e89ff36df383334bd5735d.exe
Resource
win10v2004-20241007-en
General
-
Target
JaffaCakes118_cb1fef4694d8e4ea173c464b0f7f23acee7fd8b213e89ff36df383334bd5735d.exe
-
Size
1.3MB
-
MD5
70885b3ec9d0f96c662c82849631c434
-
SHA1
1844199f7a28f059977c5c4c16ee7d50c494af73
-
SHA256
cb1fef4694d8e4ea173c464b0f7f23acee7fd8b213e89ff36df383334bd5735d
-
SHA512
8e437fb4e2cf8f3a1fdb8755642fbb397f7702a5decdd8ef669031c5aa057d5de16999e99290afea6f4ab1cffeaf7928a53853166e22e568f3adb1ebdf1fa6af
-
SSDEEP
24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal (DCRat) is a .NET RAT, active since June 2019, that is capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 15 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2908 | 2928 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2708 | 2928 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2776 | 2928 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2612 | 2928 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2652 | 2928 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2340 | 2928 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2624 | 2928 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1780 | 2928 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 804 | 2928 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2328 | 2928 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3016 | 2928 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2676 | 2928 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1984 | 2928 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2836 | 2928 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2960 | 2928 | schtasks.exe | 34
-
resource | yara_rule
behavioral1/files/0x0008000000016ca2-9.dat | dcrat
behavioral1/memory/2736-13-0x00000000003A0000-0x00000000004B0000-memory.dmp | dcrat
behavioral1/memory/2140-34-0x0000000000EC0000-0x0000000000FD0000-memory.dmp | dcrat
behavioral1/memory/1624-122-0x00000000010B0000-0x00000000011C0000-memory.dmp | dcrat
behavioral1/memory/1992-182-0x0000000000200000-0x0000000000310000-memory.dmp | dcrat
behavioral1/memory/3020-242-0x0000000000040000-0x0000000000150000-memory.dmp | dcrat
behavioral1/memory/588-302-0x00000000000E0000-0x00000000001F0000-memory.dmp | dcrat
behavioral1/memory/1700-421-0x00000000002B0000-0x00000000003C0000-memory.dmp | dcrat
behavioral1/memory/1604-482-0x0000000000CF0000-0x0000000000E00000-memory.dmp | dcrat
behavioral1/memory/2292-601-0x0000000000FD0000-0x00000000010E0000-memory.dmp | dcrat
behavioral1/memory/1620-720-0x00000000013C0000-0x00000000014D0000-memory.dmp | dcrat
-
Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
pid | Process
2972 | powershell.exe
2992 | powershell.exe
1960 | powershell.exe
1928 | powershell.exe
3028 | powershell.exe
3004 | powershell.exe
-
Executes dropped EXE 13 IoCs
pid | Process
2736 | DllCommonsvc.exe
2140 | Idle.exe
1624 | Idle.exe
1992 | Idle.exe
3020 | Idle.exe
588 | Idle.exe
1608 | Idle.exe
1700 | Idle.exe
1604 | Idle.exe
2340 | Idle.exe
2292 | Idle.exe
2284 | Idle.exe
1620 | Idle.exe
-
Loads dropped DLL 2 IoCs
pid | Process
2376 | cmd.exe
2376 | cmd.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs
flow | ioc
36 | raw.githubusercontent.com
9 | raw.githubusercontent.com
12 | raw.githubusercontent.com
19 | raw.githubusercontent.com
23 | raw.githubusercontent.com
33 | raw.githubusercontent.com
40 | raw.githubusercontent.com
4 | raw.githubusercontent.com
5 | raw.githubusercontent.com
16 | raw.githubusercontent.com
26 | raw.githubusercontent.com
29 | raw.githubusercontent.com
-
Drops file in Program Files directory 3 IoCs
description | ioc | Process
File created | C:\Program Files\Windows Sidebar\Gadgets\explorer.exe | DllCommonsvc.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\explorer.exe | DllCommonsvc.exe
File created | C:\Program Files\Windows Sidebar\Gadgets\7a0fd90576e088 | DllCommonsvc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_cb1fef4694d8e4ea173c464b0f7f23acee7fd8b213e89ff36df383334bd5735d.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
3016 | schtasks.exe
2960 | schtasks.exe
2776 | schtasks.exe
2340 | schtasks.exe
1780 | schtasks.exe
2836 | schtasks.exe
2708 | schtasks.exe
2612 | schtasks.exe
2328 | schtasks.exe
2652 | schtasks.exe
2676 | schtasks.exe
1984 | schtasks.exe
2908 | schtasks.exe
2624 | schtasks.exe
804 | schtasks.exe
-
Suspicious behavior: EnumeratesProcesses 19 IoCs
pid | Process
2736 | DllCommonsvc.exe
2972 | powershell.exe
3004 | powershell.exe
1928 | powershell.exe
1960 | powershell.exe
3028 | powershell.exe
2992 | powershell.exe
2140 | Idle.exe
1624 | Idle.exe
1992 | Idle.exe
3020 | Idle.exe
588 | Idle.exe
1608 | Idle.exe
1700 | Idle.exe
1604 | Idle.exe
2340 | Idle.exe
2292 | Idle.exe
2284 | Idle.exe
1620 | Idle.exe
-
Suspicious use of AdjustPrivilegeToken 19 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2736 | DllCommonsvc.exe
Token: SeDebugPrivilege | 2140 | Idle.exe
Token: SeDebugPrivilege | 2972 | powershell.exe
Token: SeDebugPrivilege | 3004 | powershell.exe
Token: SeDebugPrivilege | 1928 | powershell.exe
Token: SeDebugPrivilege | 1960 | powershell.exe
Token: SeDebugPrivilege | 3028 | powershell.exe
Token: SeDebugPrivilege | 2992 | powershell.exe
Token: SeDebugPrivilege | 1624 | Idle.exe
Token: SeDebugPrivilege | 1992 | Idle.exe
Token: SeDebugPrivilege | 3020 | Idle.exe
Token: SeDebugPrivilege | 588 | Idle.exe
Token: SeDebugPrivilege | 1608 | Idle.exe
Token: SeDebugPrivilege | 1700 | Idle.exe
Token: SeDebugPrivilege | 1604 | Idle.exe
Token: SeDebugPrivilege | 2340 | Idle.exe
Token: SeDebugPrivilege | 2292 | Idle.exe
Token: SeDebugPrivilege | 2284 | Idle.exe
Token: SeDebugPrivilege | 1620 | Idle.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 1740 wrote to memory of 1624 | 1740 | JaffaCakes118_cb1fef4694d8e4ea173c464b0f7f23acee7fd8b213e89ff36df383334bd5735d.exe | 30
PID 1740 wrote to memory of 1624 | 1740 | JaffaCakes118_cb1fef4694d8e4ea173c464b0f7f23acee7fd8b213e89ff36df383334bd5735d.exe | 30
PID 1740 wrote to memory of 1624 | 1740 | JaffaCakes118_cb1fef4694d8e4ea173c464b0f7f23acee7fd8b213e89ff36df383334bd5735d.exe | 30
PID 1740 wrote to memory of 1624 | 1740 | JaffaCakes118_cb1fef4694d8e4ea173c464b0f7f23acee7fd8b213e89ff36df383334bd5735d.exe | 30
PID 1624 wrote to memory of 2376 | 1624 | WScript.exe | 31
PID 1624 wrote to memory of 2376 | 1624 | WScript.exe | 31
PID 1624 wrote to memory of 2376 | 1624 | WScript.exe | 31
PID 1624 wrote to memory of 2376 | 1624 | WScript.exe | 31
PID 2376 wrote to memory of 2736 | 2376 | cmd.exe | 33
PID 2376 wrote to memory of 2736 | 2376 | cmd.exe | 33
PID 2376 wrote to memory of 2736 | 2376 | cmd.exe | 33
PID 2376 wrote to memory of 2736 | 2376 | cmd.exe | 33
PID 2736 wrote to memory of 2972 | 2736 | DllCommonsvc.exe | 50
PID 2736 wrote to memory of 2972 | 2736 | DllCommonsvc.exe | 50
PID 2736 wrote to memory of 2972 | 2736 | DllCommonsvc.exe | 50
PID 2736 wrote to memory of 2992 | 2736 | DllCommonsvc.exe | 51
PID 2736 wrote to memory of 2992 | 2736 | DllCommonsvc.exe | 51
PID 2736 wrote to memory of 2992 | 2736 | DllCommonsvc.exe | 51
PID 2736 wrote to memory of 3004 | 2736 | DllCommonsvc.exe | 52
PID 2736 wrote to memory of 3004 | 2736 | DllCommonsvc.exe | 52
PID 2736 wrote to memory of 3004 | 2736 | DllCommonsvc.exe | 52
PID 2736 wrote to memory of 3028 | 2736 | DllCommonsvc.exe | 53
PID 2736 wrote to memory of 3028 | 2736 | DllCommonsvc.exe | 53
PID 2736 wrote to memory of 3028 | 2736 | DllCommonsvc.exe | 53
PID 2736 wrote to memory of 1960 | 2736 | DllCommonsvc.exe | 55
PID 2736 wrote to memory of 1960 | 2736 | DllCommonsvc.exe | 55
PID 2736 wrote to memory of 1960 | 2736 | DllCommonsvc.exe | 55
PID 2736 wrote to memory of 1928 | 2736 | DllCommonsvc.exe | 57
PID 2736 wrote to memory of 1928 | 2736 | DllCommonsvc.exe | 57
PID 2736 wrote to memory of 1928 | 2736 | DllCommonsvc.exe | 57
PID 2736 wrote to memory of 2140 | 2736 | DllCommonsvc.exe | 62
PID 2736 wrote to memory of 2140 | 2736 | DllCommonsvc.exe | 62
PID 2736 wrote to memory of 2140 | 2736 | DllCommonsvc.exe | 62
PID 2140 wrote to memory of 1716 | 2140 | Idle.exe | 63
PID 2140 wrote to memory of 1716 | 2140 | Idle.exe | 63
PID 2140 wrote to memory of 1716 | 2140 | Idle.exe | 63
PID 1716 wrote to memory of 1936 | 1716 | cmd.exe | 65
PID 1716 wrote to memory of 1936 | 1716 | cmd.exe | 65
PID 1716 wrote to memory of 1936 | 1716 | cmd.exe | 65
PID 1716 wrote to memory of 1624 | 1716 | cmd.exe | 67
PID 1716 wrote to memory of 1624 | 1716 | cmd.exe | 67
PID 1716 wrote to memory of 1624 | 1716 | cmd.exe | 67
PID 1624 wrote to memory of 2948 | 1624 | Idle.exe | 68
PID 1624 wrote to memory of 2948 | 1624 | Idle.exe | 68
PID 1624 wrote to memory of 2948 | 1624 | Idle.exe | 68
PID 2948 wrote to memory of 2072 | 2948 | cmd.exe | 70
PID 2948 wrote to memory of 2072 | 2948 | cmd.exe | 70
PID 2948 wrote to memory of 2072 | 2948 | cmd.exe | 70
PID 2948 wrote to memory of 1992 | 2948 | cmd.exe | 71
PID 2948 wrote to memory of 1992 | 2948 | cmd.exe | 71
PID 2948 wrote to memory of 1992 | 2948 | cmd.exe | 71
PID 1992 wrote to memory of 320 | 1992 | Idle.exe | 72
PID 1992 wrote to memory of 320 | 1992 | Idle.exe | 72
PID 1992 wrote to memory of 320 | 1992 | Idle.exe | 72
PID 320 wrote to memory of 996 | 320 | cmd.exe | 74
PID 320 wrote to memory of 996 | 320 | cmd.exe | 74
PID 320 wrote to memory of 996 | 320 | cmd.exe | 74
PID 320 wrote to memory of 3020 | 320 | cmd.exe | 75
PID 320 wrote to memory of 3020 | 320 | cmd.exe | 75
PID 320 wrote to memory of 3020 | 320 | cmd.exe | 75
PID 3020 wrote to memory of 2428 | 3020 | Idle.exe | 76
PID 3020 wrote to memory of 2428 | 3020 | Idle.exe | 76
PID 3020 wrote to memory of 2428 | 3020 | Idle.exe | 76
PID 2428 wrote to memory of 1344 | 2428 | cmd.exe | 78
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
Depth 1: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cb1fef4694d8e4ea173c464b0f7f23acee7fd8b213e89ff36df383334bd5735d.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cb1fef4694d8e4ea173c464b0f7f23acee7fd8b213e89ff36df383334bd5735d.exe"
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1740 -
Depth 2: C:\Windows\SysWOW64\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1624 -
Depth 3: C:\Windows\SysWOW64\cmd.exe
Command line: cmd /c ""C:\providercommon\1zu9dW.bat" "
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2376 -
Depth 4: C:\providercommon\DllCommonsvc.exe
Command line: "C:\providercommon\DllCommonsvc.exe"
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2736 -
Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2972
-
-
Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\Gadgets\explorer.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2992
-
-
Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\Idle.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3004
-
-
Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Pictures\Sample Pictures\conhost.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3028
-
-
Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\System.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1960
-
-
Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\spoolsv.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1928
-
-
Depth 5: C:\providercommon\Idle.exe
Command line: "C:\providercommon\Idle.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2140 -
Depth 6: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eUivgxqvfs.bat"
- Suspicious use of WriteProcessMemory
PID:1716 -
Depth 7: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:1936
-
-
Depth 7: C:\providercommon\Idle.exe
Command line: "C:\providercommon\Idle.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1624 -
Depth 8: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qwHeC7tSxv.bat"
- Suspicious use of WriteProcessMemory
PID:2948 -
Depth 9: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:2072
-
-
Depth 9: C:\providercommon\Idle.exe
Command line: "C:\providercommon\Idle.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1992 -
Depth 10: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XIXHPi7vyc.bat"
- Suspicious use of WriteProcessMemory
PID:320 -
Depth 11: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:996
-
-
Depth 11: C:\providercommon\Idle.exe
Command line: "C:\providercommon\Idle.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3020 -
Depth 12: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qsbi9TUILn.bat"
- Suspicious use of WriteProcessMemory
PID:2428 -
Depth 13: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:1344
-
-
Depth 13: C:\providercommon\Idle.exe
Command line: "C:\providercommon\Idle.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:588 -
Depth 14: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WRY5ahHPmz.bat"
PID:2364
-
Depth 15: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:2624
-
-
Depth 15: C:\providercommon\Idle.exe
Command line: "C:\providercommon\Idle.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1608 -
Depth 16: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WLCDTNV5Zk.bat"
PID:1540
-
Depth 17: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:1676
-
-
Depth 17: C:\providercommon\Idle.exe
Command line: "C:\providercommon\Idle.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1700 -
Depth 18: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bDGJqXcsCJ.bat"
PID:2380
-
Depth 19: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:2016
-
-
Depth 19: C:\providercommon\Idle.exe
Command line: "C:\providercommon\Idle.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1604 -
Depth 20: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\m47JVZSxDi.bat"
PID:1272
-
Depth 21: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:1780
-
-
Depth 21: C:\providercommon\Idle.exe
Command line: "C:\providercommon\Idle.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2340 -
Depth 22: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XFk51gP3Gp.bat"
PID:2268
-
Depth 23: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:2552
-
-
Depth 23: C:\providercommon\Idle.exe
Command line: "C:\providercommon\Idle.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2292 -
Depth 24: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wUBsuxMZs4.bat"
PID:2960
-
Depth 25: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:928
-
-
Depth 25: C:\providercommon\Idle.exe
Command line: "C:\providercommon\Idle.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2284 -
Depth 26: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TfYr4aOzGb.bat"
PID:1168
-
Depth 27: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:1140
-
-
Depth 27: C:\providercommon\Idle.exe
Command line: "C:\providercommon\Idle.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1620
-
Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Sidebar\Gadgets\explorer.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2908
-
Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Gadgets\explorer.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2708
-
Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Sidebar\Gadgets\explorer.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2776
-
Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\providercommon\Idle.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2612
-
Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2652
-
Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2340
-
Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Pictures\Sample Pictures\conhost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2624
-
Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Public\Pictures\Sample Pictures\conhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1780
-
Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Pictures\Sample Pictures\conhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:804
-
Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\System.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2328
-
Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\System.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3016
-
Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\System.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2676
-
Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\spoolsv.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1984
-
Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2836
-
Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2960
Network
MITRE ATT&CK Enterprise v15
Downloads