Analysis
-
max time kernel
148s
-
max time network
150s
-
platform
windows7_x64
-
resource
win7-20240903-en
-
resource tags
arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
-
submitted
21-12-2024 23:31
Behavioral task
behavioral1
Sample
JaffaCakes118_deb4ea300fdb7e3a964ca20cc1992f87ab20a24be96e7c16c605a82ed70f3bb5.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
JaffaCakes118_deb4ea300fdb7e3a964ca20cc1992f87ab20a24be96e7c16c605a82ed70f3bb5.exe
Resource
win10v2004-20241007-en
General
-
Target
JaffaCakes118_deb4ea300fdb7e3a964ca20cc1992f87ab20a24be96e7c16c605a82ed70f3bb5.exe
-
Size
1.3MB
-
MD5
3b38854c884bcd21a33c191ca861ef5b
-
SHA1
ce9e05479f0c5ddbc6afd3b90d384bab5a677545
-
SHA256
deb4ea300fdb7e3a964ca20cc1992f87ab20a24be96e7c16c605a82ed70f3bb5
-
SHA512
73ce9436ee90fbb79ec76d20cd54b4db22b9578796baada1645bcaf591071a0d65c4ed497b46f4d8346124c035c3e8edc44538f36e7375052d0bd82345bd45b9
-
SSDEEP
24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 18 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 532 | 2636 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 772 | 2636 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1560 | 2636 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1216 | 2636 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2612 | 2636 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2208 | 2636 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2104 | 2636 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1584 | 2636 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2820 | 2636 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1852 | 2636 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2108 | 2636 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1148 | 2636 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2040 | 2636 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1996 | 2636 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1880 | 2636 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2764 | 2636 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1756 | 2636 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1720 | 2636 | schtasks.exe | 34
-
resource | yara_rule
behavioral1/files/0x00070000000193d0-9.dat | dcrat
behavioral1/memory/1012-13-0x0000000000A00000-0x0000000000B10000-memory.dmp | dcrat
behavioral1/memory/1684-61-0x00000000009D0000-0x0000000000AE0000-memory.dmp | dcrat
behavioral1/memory/2888-131-0x0000000000370000-0x0000000000480000-memory.dmp | dcrat
behavioral1/memory/2280-192-0x00000000009E0000-0x0000000000AF0000-memory.dmp | dcrat
behavioral1/memory/292-253-0x0000000000120000-0x0000000000230000-memory.dmp | dcrat
behavioral1/memory/1620-313-0x0000000000200000-0x0000000000310000-memory.dmp | dcrat
behavioral1/memory/1748-373-0x0000000000B70000-0x0000000000C80000-memory.dmp | dcrat
behavioral1/memory/1520-493-0x00000000011B0000-0x00000000012C0000-memory.dmp | dcrat
-
Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
pid | Process
2144 | powershell.exe
2556 | powershell.exe
2064 | powershell.exe
1376 | powershell.exe
1744 | powershell.exe
1696 | powershell.exe
2960 | powershell.exe
-
Executes dropped EXE 12 IoCs
pid | Process
1012 | DllCommonsvc.exe
1684 | audiodg.exe
2888 | audiodg.exe
2280 | audiodg.exe
292 | audiodg.exe
1620 | audiodg.exe
1748 | audiodg.exe
2040 | audiodg.exe
1520 | audiodg.exe
1052 | audiodg.exe
1532 | audiodg.exe
2828 | audiodg.exe
-
Loads dropped DLL 2 IoCs
pid | Process
2832 | cmd.exe
2832 | cmd.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs
flow | ioc
30 | raw.githubusercontent.com
33 | raw.githubusercontent.com
36 | raw.githubusercontent.com
5 | raw.githubusercontent.com
16 | raw.githubusercontent.com
19 | raw.githubusercontent.com
23 | raw.githubusercontent.com
4 | raw.githubusercontent.com
9 | raw.githubusercontent.com
12 | raw.githubusercontent.com
26 | raw.githubusercontent.com
-
Drops file in Program Files directory 5 IoCs
description | ioc | Process
File created | C:\Program Files\Windows Journal\it-IT\b75386f1303e64 | DllCommonsvc.exe
File created | C:\Program Files\Windows Sidebar\fr-FR\smss.exe | DllCommonsvc.exe
File created | C:\Program Files\Windows Sidebar\fr-FR\69ddcba757bf72 | DllCommonsvc.exe
File created | C:\Program Files\Windows Journal\it-IT\taskhost.exe | DllCommonsvc.exe
File opened for modification | C:\Program Files\Windows Journal\it-IT\taskhost.exe | DllCommonsvc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_deb4ea300fdb7e3a964ca20cc1992f87ab20a24be96e7c16c605a82ed70f3bb5.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
1216 | schtasks.exe
2040 | schtasks.exe
772 | schtasks.exe
2612 | schtasks.exe
1852 | schtasks.exe
2108 | schtasks.exe
1148 | schtasks.exe
2764 | schtasks.exe
1756 | schtasks.exe
1720 | schtasks.exe
1560 | schtasks.exe
2104 | schtasks.exe
2820 | schtasks.exe
1996 | schtasks.exe
1880 | schtasks.exe
532 | schtasks.exe
1584 | schtasks.exe
2208 | schtasks.exe
-
Suspicious behavior: EnumeratesProcesses 19 IoCs
pid | Process
1012 | DllCommonsvc.exe
2960 | powershell.exe
2144 | powershell.exe
1744 | powershell.exe
1376 | powershell.exe
2064 | powershell.exe
1696 | powershell.exe
2556 | powershell.exe
1684 | audiodg.exe
2888 | audiodg.exe
2280 | audiodg.exe
292 | audiodg.exe
1620 | audiodg.exe
1748 | audiodg.exe
2040 | audiodg.exe
1520 | audiodg.exe
1052 | audiodg.exe
1532 | audiodg.exe
2828 | audiodg.exe
-
Suspicious use of AdjustPrivilegeToken 19 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1012 | DllCommonsvc.exe
Token: SeDebugPrivilege | 2960 | powershell.exe
Token: SeDebugPrivilege | 1744 | powershell.exe
Token: SeDebugPrivilege | 2144 | powershell.exe
Token: SeDebugPrivilege | 1376 | powershell.exe
Token: SeDebugPrivilege | 2064 | powershell.exe
Token: SeDebugPrivilege | 1696 | powershell.exe
Token: SeDebugPrivilege | 2556 | powershell.exe
Token: SeDebugPrivilege | 1684 | audiodg.exe
Token: SeDebugPrivilege | 2888 | audiodg.exe
Token: SeDebugPrivilege | 2280 | audiodg.exe
Token: SeDebugPrivilege | 292 | audiodg.exe
Token: SeDebugPrivilege | 1620 | audiodg.exe
Token: SeDebugPrivilege | 1748 | audiodg.exe
Token: SeDebugPrivilege | 2040 | audiodg.exe
Token: SeDebugPrivilege | 1520 | audiodg.exe
Token: SeDebugPrivilege | 1052 | audiodg.exe
Token: SeDebugPrivilege | 1532 | audiodg.exe
Token: SeDebugPrivilege | 2828 | audiodg.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 2684 wrote to memory of 2940 | 2684 | JaffaCakes118_deb4ea300fdb7e3a964ca20cc1992f87ab20a24be96e7c16c605a82ed70f3bb5.exe | 30
PID 2684 wrote to memory of 2940 | 2684 | JaffaCakes118_deb4ea300fdb7e3a964ca20cc1992f87ab20a24be96e7c16c605a82ed70f3bb5.exe | 30
PID 2684 wrote to memory of 2940 | 2684 | JaffaCakes118_deb4ea300fdb7e3a964ca20cc1992f87ab20a24be96e7c16c605a82ed70f3bb5.exe | 30
PID 2684 wrote to memory of 2940 | 2684 | JaffaCakes118_deb4ea300fdb7e3a964ca20cc1992f87ab20a24be96e7c16c605a82ed70f3bb5.exe | 30
PID 2940 wrote to memory of 2832 | 2940 | WScript.exe | 31
PID 2940 wrote to memory of 2832 | 2940 | WScript.exe | 31
PID 2940 wrote to memory of 2832 | 2940 | WScript.exe | 31
PID 2940 wrote to memory of 2832 | 2940 | WScript.exe | 31
PID 2832 wrote to memory of 1012 | 2832 | cmd.exe | 33
PID 2832 wrote to memory of 1012 | 2832 | cmd.exe | 33
PID 2832 wrote to memory of 1012 | 2832 | cmd.exe | 33
PID 2832 wrote to memory of 1012 | 2832 | cmd.exe | 33
PID 1012 wrote to memory of 2064 | 1012 | DllCommonsvc.exe | 53
PID 1012 wrote to memory of 2064 | 1012 | DllCommonsvc.exe | 53
PID 1012 wrote to memory of 2064 | 1012 | DllCommonsvc.exe | 53
PID 1012 wrote to memory of 1376 | 1012 | DllCommonsvc.exe | 54
PID 1012 wrote to memory of 1376 | 1012 | DllCommonsvc.exe | 54
PID 1012 wrote to memory of 1376 | 1012 | DllCommonsvc.exe | 54
PID 1012 wrote to memory of 1744 | 1012 | DllCommonsvc.exe | 56
PID 1012 wrote to memory of 1744 | 1012 | DllCommonsvc.exe | 56
PID 1012 wrote to memory of 1744 | 1012 | DllCommonsvc.exe | 56
PID 1012 wrote to memory of 1696 | 1012 | DllCommonsvc.exe | 58
PID 1012 wrote to memory of 1696 | 1012 | DllCommonsvc.exe | 58
PID 1012 wrote to memory of 1696 | 1012 | DllCommonsvc.exe | 58
PID 1012 wrote to memory of 2960 | 1012 | DllCommonsvc.exe | 60
PID 1012 wrote to memory of 2960 | 1012 | DllCommonsvc.exe | 60
PID 1012 wrote to memory of 2960 | 1012 | DllCommonsvc.exe | 60
PID 1012 wrote to memory of 2556 | 1012 | DllCommonsvc.exe | 61
PID 1012 wrote to memory of 2556 | 1012 | DllCommonsvc.exe | 61
PID 1012 wrote to memory of 2556 | 1012 | DllCommonsvc.exe | 61
PID 1012 wrote to memory of 2144 | 1012 | DllCommonsvc.exe | 63
PID 1012 wrote to memory of 2144 | 1012 | DllCommonsvc.exe | 63
PID 1012 wrote to memory of 2144 | 1012 | DllCommonsvc.exe | 63
PID 1012 wrote to memory of 1684 | 1012 | DllCommonsvc.exe | 67
PID 1012 wrote to memory of 1684 | 1012 | DllCommonsvc.exe | 67
PID 1012 wrote to memory of 1684 | 1012 | DllCommonsvc.exe | 67
PID 1684 wrote to memory of 1108 | 1684 | audiodg.exe | 68
PID 1684 wrote to memory of 1108 | 1684 | audiodg.exe | 68
PID 1684 wrote to memory of 1108 | 1684 | audiodg.exe | 68
PID 1108 wrote to memory of 2148 | 1108 | cmd.exe | 70
PID 1108 wrote to memory of 2148 | 1108 | cmd.exe | 70
PID 1108 wrote to memory of 2148 | 1108 | cmd.exe | 70
PID 1108 wrote to memory of 2888 | 1108 | cmd.exe | 71
PID 1108 wrote to memory of 2888 | 1108 | cmd.exe | 71
PID 1108 wrote to memory of 2888 | 1108 | cmd.exe | 71
PID 2888 wrote to memory of 876 | 2888 | audiodg.exe | 73
PID 2888 wrote to memory of 876 | 2888 | audiodg.exe | 73
PID 2888 wrote to memory of 876 | 2888 | audiodg.exe | 73
PID 876 wrote to memory of 2688 | 876 | cmd.exe | 75
PID 876 wrote to memory of 2688 | 876 | cmd.exe | 75
PID 876 wrote to memory of 2688 | 876 | cmd.exe | 75
PID 876 wrote to memory of 2280 | 876 | cmd.exe | 76
PID 876 wrote to memory of 2280 | 876 | cmd.exe | 76
PID 876 wrote to memory of 2280 | 876 | cmd.exe | 76
PID 2280 wrote to memory of 552 | 2280 | audiodg.exe | 77
PID 2280 wrote to memory of 552 | 2280 | audiodg.exe | 77
PID 2280 wrote to memory of 552 | 2280 | audiodg.exe | 77
PID 552 wrote to memory of 688 | 552 | cmd.exe | 79
PID 552 wrote to memory of 688 | 552 | cmd.exe | 79
PID 552 wrote to memory of 688 | 552 | cmd.exe | 79
PID 552 wrote to memory of 292 | 552 | cmd.exe | 80
PID 552 wrote to memory of 292 | 552 | cmd.exe | 80
PID 552 wrote to memory of 292 | 552 | cmd.exe | 80
PID 292 wrote to memory of 2364 | 292 | audiodg.exe | 81
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
[1] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_deb4ea300fdb7e3a964ca20cc1992f87ab20a24be96e7c16c605a82ed70f3bb5.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_deb4ea300fdb7e3a964ca20cc1992f87ab20a24be96e7c16c605a82ed70f3bb5.exe"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 2684
  [2] C:\Windows\SysWOW64\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 2940
    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c ""C:\providercommon\1zu9dW.bat" "
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        PID: 2832
      [4] C:\providercommon\DllCommonsvc.exe
          Command line: "C:\providercommon\DllCommonsvc.exe"
          - Executes dropped EXE
          - Drops file in Program Files directory
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          PID: 1012
        [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 2064
        [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Journal\it-IT\taskhost.exe'
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 1376
        [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\winlogon.exe'
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 1744
        [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\fr-FR\smss.exe'
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 1696
        [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\audiodg.exe'
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 2960
        [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\lsass.exe'
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 2556
        [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\dllhost.exe'
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 2144
        [5] C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\audiodg.exe
            Command line: "C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\audiodg.exe"
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            PID: 1684
          [6] C:\Windows\System32\cmd.exe
              Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5fBkFKqKat.bat"
              - Suspicious use of WriteProcessMemory
              PID: 1108
            [7] C:\Windows\system32\w32tm.exe
                Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                PID: 2148
            [7] C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\audiodg.exe
                Command line: "C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\audiodg.exe"
                - Executes dropped EXE
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of WriteProcessMemory
                PID: 2888
              [8] C:\Windows\System32\cmd.exe
                  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DFgOOKl5EO.bat"
                  - Suspicious use of WriteProcessMemory
                  PID: 876
                [9] C:\Windows\system32\w32tm.exe
                    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                    PID: 2688
                [9] C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\audiodg.exe
                    Command line: "C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\audiodg.exe"
                    - Executes dropped EXE
                    - Suspicious behavior: EnumeratesProcesses
                    - Suspicious use of AdjustPrivilegeToken
                    - Suspicious use of WriteProcessMemory
                    PID: 2280
                  [10] C:\Windows\System32\cmd.exe
                      Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uMS4yFj28m.bat"
                      - Suspicious use of WriteProcessMemory
                      PID: 552
                    [11] C:\Windows\system32\w32tm.exe
                        Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                        PID: 688
                    [11] C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\audiodg.exe
                        Command line: "C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\audiodg.exe"
                        - Executes dropped EXE
                        - Suspicious behavior: EnumeratesProcesses
                        - Suspicious use of AdjustPrivilegeToken
                        - Suspicious use of WriteProcessMemory
                        PID: 292
                      [12] C:\Windows\System32\cmd.exe
                          Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rgoiaSdxpd.bat"
                          PID: 2364
                        [13] C:\Windows\system32\w32tm.exe
                            Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                            PID: 2468
                        [13] C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\audiodg.exe
                            Command line: "C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\audiodg.exe"
                            - Executes dropped EXE
                            - Suspicious behavior: EnumeratesProcesses
                            - Suspicious use of AdjustPrivilegeToken
                            PID: 1620
                          [14] C:\Windows\System32\cmd.exe
                              Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MzhLoGhvPq.bat"
                              PID: 912
                            [15] C:\Windows\system32\w32tm.exe
                                Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                PID: 1580
                            [15] C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\audiodg.exe
                                Command line: "C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\audiodg.exe"
                                - Executes dropped EXE
                                - Suspicious behavior: EnumeratesProcesses
                                - Suspicious use of AdjustPrivilegeToken
                                PID: 1748
                              [16] C:\Windows\System32\cmd.exe
                                  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Db0hEHdXHW.bat"
                                  PID: 1860
                                [17] C:\Windows\system32\w32tm.exe
                                    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                    PID: 1000
                                [17] C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\audiodg.exe
                                    Command line: "C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\audiodg.exe"
                                    - Executes dropped EXE
                                    - Suspicious behavior: EnumeratesProcesses
                                    - Suspicious use of AdjustPrivilegeToken
                                    PID: 2040
                                  [18] C:\Windows\System32\cmd.exe
                                      Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3Fb5uY85DH.bat"
                                      PID: 1448
                                    [19] C:\Windows\system32\w32tm.exe
                                        Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                        PID: 2100
                                    [19] C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\audiodg.exe
                                        Command line: "C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\audiodg.exe"
                                        - Executes dropped EXE
                                        - Suspicious behavior: EnumeratesProcesses
                                        - Suspicious use of AdjustPrivilegeToken
                                        PID: 1520
                                      [20] C:\Windows\System32\cmd.exe
                                          Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\z6HXYUNDfk.bat"
                                          PID: 2156
                                        [21] C:\Windows\system32\w32tm.exe
                                            Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                            PID: 2076
                                        [21] C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\audiodg.exe
                                            Command line: "C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\audiodg.exe"
                                            - Executes dropped EXE
                                            - Suspicious behavior: EnumeratesProcesses
                                            - Suspicious use of AdjustPrivilegeToken
                                            PID: 1052
                                          [22] C:\Windows\System32\cmd.exe
                                              Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lg1oIatdTn.bat"
                                              PID: 2240
                                            [23] C:\Windows\system32\w32tm.exe
                                                Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                PID: 1656
                                            [23] C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\audiodg.exe
                                                Command line: "C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\audiodg.exe"
                                                - Executes dropped EXE
                                                - Suspicious behavior: EnumeratesProcesses
                                                - Suspicious use of AdjustPrivilegeToken
                                                PID: 1532
                                              [24] C:\Windows\System32\cmd.exe
                                                  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\M53DwaTFc6.bat"
                                                  PID: 2804
                                                [25] C:\Windows\system32\w32tm.exe
                                                    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                    PID: 2708
                                                [25] C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\audiodg.exe
                                                    Command line: "C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\audiodg.exe"
                                                    - Executes dropped EXE
                                                    - Suspicious behavior: EnumeratesProcesses
                                                    - Suspicious use of AdjustPrivilegeToken
                                                    PID: 2828
-
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Journal\it-IT\taskhost.exe'" /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 532
-
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\it-IT\taskhost.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 772
-
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Journal\it-IT\taskhost.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 1560
-
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\winlogon.exe'" /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 1216
-
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2612
-
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2208
-
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Sidebar\fr-FR\smss.exe'" /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2104
-
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\fr-FR\smss.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 1584
-
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Sidebar\fr-FR\smss.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2820
-
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\audiodg.exe'" /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 1852
-
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\audiodg.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2108
-
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\audiodg.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 1148
-
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\lsass.exe'" /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2040
-
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\lsass.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 1996
-
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\lsass.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 1880
-
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\dllhost.exe'" /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2764
-
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 1756
-
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 1720
Network
-
DNS
Remote address: 8.8.8.8:53
Request: raw.githubusercontent.com IN A
Response: raw.githubusercontent.com IN A 185.199.108.133
Response: raw.githubusercontent.com IN A 185.199.111.133
Response: raw.githubusercontent.com IN A 185.199.110.133
Response: raw.githubusercontent.com IN A 185.199.109.133
-
741 B 4.1kB 9 10
-
741 B 4.1kB 9 10
-
793 B 4.2kB 10 11
-
695 B 4.1kB 8 10
-
747 B 4.2kB 9 11
-
747 B 4.2kB 9 11
-
747 B 4.2kB 9 11
-
747 B 4.2kB 9 11
-
747 B 4.2kB 9 11
-
793 B 4.2kB 10 11
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: eaba572f1868d0e745116a9362512a4b
SHA1: da5321b787b6b5a6d5761f53283d541af92a5d45
SHA256: 005ea2ac2df8fdbe0a46cb51e33b294921807b5a16ba34050e94210360d0468f
SHA512: 53fc2b70066fcce2ee5bf04557e28d8906e679d1330dcaa9cd7f98a25e9d07bec376ffc80ec6fa0a15c311357a2362a7c6f869e8d405e568aab67ac68641d547
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 14c1fff932873d8c4ec7448e0d79b4e0
SHA1: 0e9b61762f1fd3d7da0221b224cf99646ebf9845
SHA256: 0487b079f3565ae4097792b35b1d3bd759c06e716f5f18b791df02e9bd0dff78
SHA512: c2402a878d7ae816216a1d81328ec1e0712cb2d31819a92627240def935d94fb84b01643e3abaaffc1f87a39dffd62cd78e0fb7db4d754849ff9a5f42058d18d
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: e34be77d743e5c7b87b77f17dd2bf00e
SHA1: 9a26a083191ead4d6fd5d6d653fb0a9f5a1b5913
SHA256: 0c384c97581ac0a04c954bf70a6e26a24727054f1281af2f0a160ce92d191318
SHA512: 0e091a236e85b5a0645a06a42811620e6f2ec92de48e4bbf182340186302b112e5b16b07c50754e1f01b4257cafed4777d4769c9f9ebb7554ec9c4130b5807d0
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 6671bcea7342776a05c0072563655473
SHA1: 43c4ceabe6e3d8e7d6f1cfcb31855fab72124a37
SHA256: fb96c3a02e98a14d8b9b0b4724469c78deb8647302e8d6dfafdc252298d81117
SHA512: 23214db3ca67ec4d06de88c9b06d4b3121d5e6033d026c5eb63d33303b0a500d85e9c46f5ed8e9deb280e37c2aefa35576d972075a7d34623cb4becd0fc0ab53
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 443c01fbe8528a007a1abe29bcb9ff47
SHA1: a0c8bf5c9742f3bc18180ff70e3433abd31d7a63
SHA256: 07190fc82eb3592e45d9e32a6d6ec33cbe1860b22f9078da403cfe06b862d659
SHA512: 8f981529c76864874b01225d760a675d89ef596cabede9ef065f8a018106f3a4d8c0421e902e18a04ce3615f28b70ecb3a745669f8b5922241984fab96611ee7
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: be570c79a937e027006599f57ae59467
SHA1: f9ce965634fdf3c0e45982b23eb95a2ba9b20bea
SHA256: 51d7d1da58c1bf4efaeebffe3129ad6a103bbfc2535897df3113ed7a8cac55ca
SHA512: f32a0debb98a11b03de356e3cf8df4933b84637dc4f83df7a805b697b51d1d2d1473a7de8b3b25f0880ec2a3e2e0190e0f1693951608d4e128759ea362ddd81e
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 3ab392131668032a8e287a7dcbc39633
SHA1: 80a9a45d358e9562b8236d41333c4b8c4dc72dc0
SHA256: 287db7ceefcaadd5832f406ac9bc32d2b3bd5967a24a898b9824e9fdc29c1f46
SHA512: 076bcd306885edf119535272489b8170fe7ac42fa2aa10233c7d10137f6a5a7946f240f648c36cd8fd4a2d235214c78c511a04ed25115c915745ab59c775f2ab
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 4b59ddfd6178f442f4209d172a485ea0
SHA1: 5be17719e889fae77eb3fb5ec4299c70a8542a1f
SHA256: 5c5f318ce6df15556fd552fc50a2ff157d83b8ff30d22dcd4bc764dc912e49ee
SHA512: 04c45cb15088597228f705fa095d12981d713df14fd6fea4f629f6dc71a2ceab2cfb6a8c6ecd273c012eddc7f26fe52ef8d6e95de2731aea2a713cc481872cc5
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 08035b57a1be16e2c0471bdf071bee08
SHA1: 0b5a8fa7aa75dc83d12946b89ac2804af493a3cf
SHA256: 7a4cff50ef3f8c4277f1fd3d36738ab4e53e20c641e9e96013e3a68cc588f5ab
SHA512: 20a6cae3cf2ed4c0c4164e0e99ea949149ca3cb6ad3f6f668ef295e769c904cc5080677e057dbe03e68632d7764601cf63ab85f94121d49f35bebe994742de97
-
Filesize: 225B
MD5: d5e64f66b99dd8df35f369181d7ad2a8
SHA1: e0e56a7bc30218a7831f8d4af531d729cd889179
SHA256: b601a9e79cde9d29a167b86501b7d82b45e66a781f971ff0f2b097bde1e6bd53
SHA512: 2d86f85da8d9fbf0d84bb5f10fbc2b47d7cd5b121f0f1b98e06c7c21c813a0636ad686c75d8c25935d48bc62e28210ad8d55a9d2b3e0614a9d3e1a62c5f767d9
-
Filesize: 225B
MD5: 6b3f4bfd4960815f474f9006255c283c
SHA1: f9044745ba8201f21685223c45aa2e33e995039e
SHA256: 718bdd16968cc3b0bc116f9b08bbd663fa022c77ca84dcf1b97fb13cfa0f637a
SHA512: 9b9335b7f3f849b637235749e53345ed535ee3d9ff58a2c449d7517d70e780df0a5bbe2ae4698a3d8b57d84d54f705413a18f7ad10e634ada54f0b88bdfbfb07
-
Filesize: 70KB
MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1: 1723be06719828dda65ad804298d0431f6aff976
SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize: 225B
MD5: e9eb103fd9f8b7cb6f93b0369bd045aa
SHA1: b7cb174f9e59863376e0ef78ffbe27005d3e5e22
SHA256: 7ebf390695445d8b0198407a7a315037685047da183181611d45cea90e555455
SHA512: 5b610f980b879054e3dc5037e8b4ed306db57fb1201cac785be234cc929aaf3a4a5aa8129f346f84a9261d9678d367fe9351d862cc6e5d839650e99afda4eb59
-
Filesize: 225B
MD5: d0bdcde2c742b6238bd9ecc60f0f6896
SHA1: dd974cadf760f057e3b2b7c5bdc109a6b1b8a08b
SHA256: 4ba4fe169cb6e06126c6874b14d3984ce0148c581da92248e4d0c92400f7cc94
SHA512: 9b8bcefeeae5faa3c96ba08d36344d4453d7339d3a044b6494b0c4d1b0052c1097c44428a3e4077040cbfedfaee69451b938ceae812ea2fb05e21f11a93408db
-
Filesize: 225B
MD5: a5d53b2eb942f402a0b487ae74486326
SHA1: bef362c7f58624823893fcaf4d52d8df84b1baea
SHA256: 1be4615870c82435ea601d73ac05711d598935dddc726ecbc948227c419b5db3
SHA512: 765206027d98b37b8ea51970ee9479f6debea58dfbe4daf9311d786576d539dc7e8f0f917b6f0012ecac33b9e6d2dc65ad612d033cb7415ddd94a425131ed2db
-
Filesize: 225B
MD5: 5b3d19c7639c923ce7ccc0631bcc2692
SHA1: a7c2e04f2f65b0d0a1fe7327fe600fe451e86c40
SHA256: 90de36f3c13a91b154fcff5bf1c26e758f25f01ea9a56195da8043144ac44405
SHA512: d7ed3d44c14e821e758339ace146d7079d2270a38f93a5aa437a2eb5e3ca1e42057bc039fefe64fe108f242cb781984b0e903744d9bac282a345d98819bf0f3c
-
Filesize: 181KB
MD5: 4ea6026cf93ec6338144661bf1202cd1
SHA1: a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256: 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512: 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize: 225B
MD5: 8108138886f15e7cd9734b2fd4da4995
SHA1: 18e6d8375f3b2ae400ea3b3d3bad51250d57a276
SHA256: 4e4d3e134685976c78c2589276669271d00ef93c4455725dcc4638f5c929748c
SHA512: c551595030b8d535ff207b7d86a1283e73f02a6a72560ef2817ad959af3496977fb2e33f3d66a8eeef77da4e33a9186b0baf03c4b07b818a0c76595445f7f604
-
Filesize: 225B
MD5: c78d148f17c51dc72497baac67b9b0bc
SHA1: 8e5247edfee22c3c59137201d7c9bf17cc842d3c
SHA256: cceabeacbcfacc9f337a605b2bcea36facf960c301d18e00db83ff0814c93594
SHA512: 3b34654d8a337208219e31cfacb360a4189fa0d4270cfa6f8f9e189af30fc0aa33623c6f0a2ba4cc3b76d35c8b675f2c81ded0c6af44aa4c773d0744f18087d6
-
Filesize: 225B
MD5: a9683e00ddc0cd212f690d4099bbcad5
SHA1: 89d9ae77114ab586cf70eea201b070d227e620e1
SHA256: 4679c179db3524587c88b0f8ecbac4788f9384a7a24b1f65769476f5ea6c860e
SHA512: 24dcfeaae14b3370270b284885e0e765d55a1a6b79f02e504c0f7bfcb53c254c0cd0bdab636f4f5c330cd0568fb4ab6cc69676e98a28b160d69d571ec3083c48
-
Filesize: 225B
MD5: 5520abe4c3a9f5c052a491104c15b244
SHA1: 09de58f9f24ceb08ffc06ab9736d7caff7a89373
SHA256: f67893efd1f71f3b875b056d671e362fd585b0d30df57e09051d6dbef430c6cc
SHA512: 02ee930e5c3c187f9a00b143958f811d505299e97ff804108d4c67c4540fd2a0f26de7b4839ed83088087acc3dc782b58d72c61748c07ffe74d10cb1da6f646d
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\DBWE7N58891RPDGLWTF7.temp
Filesize: 7KB
MD5: 213888529696536d33a80b6d57c28173
SHA1: 90d59f38970ec03bbff53949923f0996725c6c8e
SHA256: cab86cab3a0c404b5ce1b3ef44b60c52ff2518d6b4a3e92e54c4b4c01d747d23
SHA512: 5a56e80221852d6b5b32426679761b98c2bccfb015049afa22605b846f48007863dfec824f8b355fd5c7c9a1133327bcdca1e5e0c99dec2ac35bab8ce89d5027
-
Filesize: 36B
MD5: 6783c3ee07c7d151ceac57f1f9c8bed7
SHA1: 17468f98f95bf504cc1f83c49e49a78526b3ea03
SHA256: 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512: c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8
-
Filesize: 197B
MD5: 8088241160261560a02c84025d107592
SHA1: 083121f7027557570994c9fc211df61730455bb5
SHA256: 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA512: 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478
-
Filesize: 1.0MB
MD5: bd31e94b4143c4ce49c17d3af46bcad0
SHA1: f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256: b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512: f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394