Analysis
max time kernel: 150s
max time network: 148s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 21-12-2024 18:29
Behavioral task: behavioral1
Sample: JaffaCakes118_08ca3c98f68a9ae9a0cc8d7ca065f186343cc4f301bea3bf2819587782fe1b1c.exe
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: JaffaCakes118_08ca3c98f68a9ae9a0cc8d7ca065f186343cc4f301bea3bf2819587782fe1b1c.exe
Resource: win10v2004-20241007-en
General
Target: JaffaCakes118_08ca3c98f68a9ae9a0cc8d7ca065f186343cc4f301bea3bf2819587782fe1b1c.exe
Size: 1.3MB
MD5: 999dbca104982487d7c973d524634fb8
SHA1: ca74174bfb55956f8801dabb3e685ebbfc3e1f50
SHA256: 08ca3c98f68a9ae9a0cc8d7ca065f186343cc4f301bea3bf2819587782fe1b1c
SHA512: b963e6953441dc57a9c307c0e4ae1cec271e3d6c232c3b9e7c8063c4d522bb8c30e8f51a9ce5a507af1abb46a8e88312b5e3a3ff434b29dc0ea1d5af482fea88
SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures

DcRat
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
resource | yara_rule
behavioral1/files/0x0008000000016d3a-9.dat | dcrat
behavioral1/memory/2660-13-0x0000000000090000-0x00000000001A0000-memory.dmp | dcrat
behavioral1/memory/464-52-0x0000000000240000-0x0000000000350000-memory.dmp | dcrat
behavioral1/memory/3064-112-0x00000000001D0000-0x00000000002E0000-memory.dmp | dcrat
behavioral1/memory/2308-173-0x0000000000B50000-0x0000000000C60000-memory.dmp | dcrat
behavioral1/memory/2268-234-0x0000000000D30000-0x0000000000E40000-memory.dmp | dcrat
behavioral1/memory/2372-294-0x0000000001000000-0x0000000001110000-memory.dmp | dcrat
behavioral1/memory/1556-413-0x0000000000350000-0x0000000000460000-memory.dmp | dcrat
behavioral1/memory/1600-473-0x00000000012E0000-0x00000000013F0000-memory.dmp | dcrat
behavioral1/memory/2640-533-0x0000000000340000-0x0000000000450000-memory.dmp | dcrat
behavioral1/memory/2356-593-0x0000000000F40000-0x0000000001050000-memory.dmp | dcrat

Dcrat family

Process spawned unexpected child process (9 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2560 | 2808 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2704 | 2808 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2588 | 2808 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2548 | 2808 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2604 | 2808 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3020 | 2808 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3024 | 2808 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1384 | 2808 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 836 | 2808 | schtasks.exe | 35
Command and Scripting Interpreter: PowerShell (1 TTPs, 4 IoCs)
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
pid | Process
1464 | powershell.exe
1088 | powershell.exe
1912 | powershell.exe
344 | powershell.exe

Executes dropped EXE (13 IoCs)
pid | Process
2660 | DllCommonsvc.exe
464 | taskhost.exe
3064 | taskhost.exe
2308 | taskhost.exe
2268 | taskhost.exe
2372 | taskhost.exe
1000 | taskhost.exe
1556 | taskhost.exe
1600 | taskhost.exe
2640 | taskhost.exe
2356 | taskhost.exe
1328 | taskhost.exe
2260 | taskhost.exe

Loads dropped DLL (2 IoCs)
pid | Process
2252 | cmd.exe
2252 | cmd.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 12 IoCs)
flow | ioc
19 | raw.githubusercontent.com
23 | raw.githubusercontent.com
26 | raw.githubusercontent.com
41 | raw.githubusercontent.com
4 | raw.githubusercontent.com
5 | raw.githubusercontent.com
12 | raw.githubusercontent.com
16 | raw.githubusercontent.com
9 | raw.githubusercontent.com
30 | raw.githubusercontent.com
33 | raw.githubusercontent.com
37 | raw.githubusercontent.com

Drops file in Program Files directory (4 IoCs)
description | ioc | Process
File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\7a0fd90576e088 | DllCommonsvc.exe
File created | C:\Program Files\Windows Defender\es-ES\csrss.exe | DllCommonsvc.exe
File created | C:\Program Files\Windows Defender\es-ES\886983d96e3d3e | DllCommonsvc.exe
File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\explorer.exe | DllCommonsvc.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_08ca3c98f68a9ae9a0cc8d7ca065f186343cc4f301bea3bf2819587782fe1b1c.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Scheduled Task/Job: Scheduled Task (1 TTPs, 9 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
2548 | schtasks.exe
3020 | schtasks.exe
1384 | schtasks.exe
2604 | schtasks.exe
3024 | schtasks.exe
836 | schtasks.exe
2560 | schtasks.exe
2704 | schtasks.exe
2588 | schtasks.exe

Suspicious behavior: EnumeratesProcesses (19 IoCs)
pid | Process
2660 | DllCommonsvc.exe
2660 | DllCommonsvc.exe
2660 | DllCommonsvc.exe
1464 | powershell.exe
1088 | powershell.exe
1912 | powershell.exe
344 | powershell.exe
464 | taskhost.exe
3064 | taskhost.exe
2308 | taskhost.exe
2268 | taskhost.exe
2372 | taskhost.exe
1000 | taskhost.exe
1556 | taskhost.exe
1600 | taskhost.exe
2640 | taskhost.exe
2356 | taskhost.exe
1328 | taskhost.exe
2260 | taskhost.exe

Suspicious use of AdjustPrivilegeToken (17 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2660 | DllCommonsvc.exe
Token: SeDebugPrivilege | 1464 | powershell.exe
Token: SeDebugPrivilege | 1088 | powershell.exe
Token: SeDebugPrivilege | 1912 | powershell.exe
Token: SeDebugPrivilege | 344 | powershell.exe
Token: SeDebugPrivilege | 464 | taskhost.exe
Token: SeDebugPrivilege | 3064 | taskhost.exe
Token: SeDebugPrivilege | 2308 | taskhost.exe
Token: SeDebugPrivilege | 2268 | taskhost.exe
Token: SeDebugPrivilege | 2372 | taskhost.exe
Token: SeDebugPrivilege | 1000 | taskhost.exe
Token: SeDebugPrivilege | 1556 | taskhost.exe
Token: SeDebugPrivilege | 1600 | taskhost.exe
Token: SeDebugPrivilege | 2640 | taskhost.exe
Token: SeDebugPrivilege | 2356 | taskhost.exe
Token: SeDebugPrivilege | 1328 | taskhost.exe
Token: SeDebugPrivilege | 2260 | taskhost.exe

Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 2052 wrote to memory of 1608 | 2052 | JaffaCakes118_08ca3c98f68a9ae9a0cc8d7ca065f186343cc4f301bea3bf2819587782fe1b1c.exe | 31
PID 2052 wrote to memory of 1608 | 2052 | JaffaCakes118_08ca3c98f68a9ae9a0cc8d7ca065f186343cc4f301bea3bf2819587782fe1b1c.exe | 31
PID 2052 wrote to memory of 1608 | 2052 | JaffaCakes118_08ca3c98f68a9ae9a0cc8d7ca065f186343cc4f301bea3bf2819587782fe1b1c.exe | 31
PID 2052 wrote to memory of 1608 | 2052 | JaffaCakes118_08ca3c98f68a9ae9a0cc8d7ca065f186343cc4f301bea3bf2819587782fe1b1c.exe | 31
PID 1608 wrote to memory of 2252 | 1608 | WScript.exe | 32
PID 1608 wrote to memory of 2252 | 1608 | WScript.exe | 32
PID 1608 wrote to memory of 2252 | 1608 | WScript.exe | 32
PID 1608 wrote to memory of 2252 | 1608 | WScript.exe | 32
PID 2252 wrote to memory of 2660 | 2252 | cmd.exe | 34
PID 2252 wrote to memory of 2660 | 2252 | cmd.exe | 34
PID 2252 wrote to memory of 2660 | 2252 | cmd.exe | 34
PID 2252 wrote to memory of 2660 | 2252 | cmd.exe | 34
PID 2660 wrote to memory of 1464 | 2660 | DllCommonsvc.exe | 45
PID 2660 wrote to memory of 1464 | 2660 | DllCommonsvc.exe | 45
PID 2660 wrote to memory of 1464 | 2660 | DllCommonsvc.exe | 45
PID 2660 wrote to memory of 344 | 2660 | DllCommonsvc.exe | 46
PID 2660 wrote to memory of 344 | 2660 | DllCommonsvc.exe | 46
PID 2660 wrote to memory of 344 | 2660 | DllCommonsvc.exe | 46
PID 2660 wrote to memory of 1912 | 2660 | DllCommonsvc.exe | 47
PID 2660 wrote to memory of 1912 | 2660 | DllCommonsvc.exe | 47
PID 2660 wrote to memory of 1912 | 2660 | DllCommonsvc.exe | 47
PID 2660 wrote to memory of 1088 | 2660 | DllCommonsvc.exe | 49
PID 2660 wrote to memory of 1088 | 2660 | DllCommonsvc.exe | 49
PID 2660 wrote to memory of 1088 | 2660 | DllCommonsvc.exe | 49
PID 2660 wrote to memory of 2520 | 2660 | DllCommonsvc.exe | 53
PID 2660 wrote to memory of 2520 | 2660 | DllCommonsvc.exe | 53
PID 2660 wrote to memory of 2520 | 2660 | DllCommonsvc.exe | 53
PID 2520 wrote to memory of 2892 | 2520 | cmd.exe | 55
PID 2520 wrote to memory of 2892 | 2520 | cmd.exe | 55
PID 2520 wrote to memory of 2892 | 2520 | cmd.exe | 55
PID 2520 wrote to memory of 464 | 2520 | cmd.exe | 56
PID 2520 wrote to memory of 464 | 2520 | cmd.exe | 56
PID 2520 wrote to memory of 464 | 2520 | cmd.exe | 56
PID 464 wrote to memory of 2260 | 464 | taskhost.exe | 57
PID 464 wrote to memory of 2260 | 464 | taskhost.exe | 57
PID 464 wrote to memory of 2260 | 464 | taskhost.exe | 57
PID 2260 wrote to memory of 1720 | 2260 | cmd.exe | 59
PID 2260 wrote to memory of 1720 | 2260 | cmd.exe | 59
PID 2260 wrote to memory of 1720 | 2260 | cmd.exe | 59
PID 2260 wrote to memory of 3064 | 2260 | cmd.exe | 60
PID 2260 wrote to memory of 3064 | 2260 | cmd.exe | 60
PID 2260 wrote to memory of 3064 | 2260 | cmd.exe | 60
PID 3064 wrote to memory of 3032 | 3064 | taskhost.exe | 61
PID 3064 wrote to memory of 3032 | 3064 | taskhost.exe | 61
PID 3064 wrote to memory of 3032 | 3064 | taskhost.exe | 61
PID 3032 wrote to memory of 2668 | 3032 | cmd.exe | 63
PID 3032 wrote to memory of 2668 | 3032 | cmd.exe | 63
PID 3032 wrote to memory of 2668 | 3032 | cmd.exe | 63
PID 3032 wrote to memory of 2308 | 3032 | cmd.exe | 64
PID 3032 wrote to memory of 2308 | 3032 | cmd.exe | 64
PID 3032 wrote to memory of 2308 | 3032 | cmd.exe | 64
PID 2308 wrote to memory of 2988 | 2308 | taskhost.exe | 65
PID 2308 wrote to memory of 2988 | 2308 | taskhost.exe | 65
PID 2308 wrote to memory of 2988 | 2308 | taskhost.exe | 65
PID 2988 wrote to memory of 1088 | 2988 | cmd.exe | 67
PID 2988 wrote to memory of 1088 | 2988 | cmd.exe | 67
PID 2988 wrote to memory of 1088 | 2988 | cmd.exe | 67
PID 2988 wrote to memory of 2268 | 2988 | cmd.exe | 68
PID 2988 wrote to memory of 2268 | 2988 | cmd.exe | 68
PID 2988 wrote to memory of 2268 | 2988 | cmd.exe | 68
PID 2268 wrote to memory of 1376 | 2268 | taskhost.exe | 69
PID 2268 wrote to memory of 1376 | 2268 | taskhost.exe | 69
PID 2268 wrote to memory of 1376 | 2268 | taskhost.exe | 69
PID 1376 wrote to memory of 3044 | 1376 | cmd.exe | 71

Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Each entry gives the image path, the command line, the signatures the process triggered and its PID; the bracketed number is the process's depth in the process tree.

[1] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_08ca3c98f68a9ae9a0cc8d7ca065f186343cc4f301bea3bf2819587782fe1b1c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_08ca3c98f68a9ae9a0cc8d7ca065f186343cc4f301bea3bf2819587782fe1b1c.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2052

[2] C:\Windows\SysWOW64\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 1608

[3] C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c ""C:\providercommon\1zu9dW.bat" "
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2252

[4] C:\providercommon\DllCommonsvc.exe
  Command line: "C:\providercommon\DllCommonsvc.exe"
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2660

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1464

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\taskhost.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 344

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Defender\es-ES\csrss.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1912

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\explorer.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1088

[5] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PHda4ELHtF.bat"
  - Suspicious use of WriteProcessMemory
  PID: 2520

[6] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2892

[6] C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\taskhost.exe
  Command line: "C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\taskhost.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 464

[7] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lZfwAG7KGX.bat"
  - Suspicious use of WriteProcessMemory
  PID: 2260

[8] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 1720

[8] C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\taskhost.exe
  Command line: "C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\taskhost.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 3064

[9] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\R8cJcUuQgj.bat"
  - Suspicious use of WriteProcessMemory
  PID: 3032

[10] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2668

[10] C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\taskhost.exe
  Command line: "C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\taskhost.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2308

[11] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\m47JVZSxDi.bat"
  - Suspicious use of WriteProcessMemory
  PID: 2988

[12] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 1088

[12] C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\taskhost.exe
  Command line: "C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\taskhost.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2268

[13] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vF7CrwxjwX.bat"
  - Suspicious use of WriteProcessMemory
  PID: 1376

[14] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 3044

[14] C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\taskhost.exe
  Command line: "C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\taskhost.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2372

[15] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ph6jqiBtuj.bat"
  PID: 1468

[16] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2352

[16] C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\taskhost.exe
  Command line: "C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\taskhost.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1000

[17] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TA6UjH3MJQ.bat"
  PID: 2752

[18] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2600

[18] C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\taskhost.exe
  Command line: "C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\taskhost.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1556

[19] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5DPJyftqFq.bat"
  PID: 2376

[20] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2004

[20] C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\taskhost.exe
  Command line: "C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\taskhost.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1600

[21] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EzJh52oHEl.bat"
  PID: 2400

[22] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 3008

[22] C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\taskhost.exe
  Command line: "C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\taskhost.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2640

[23] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IJ9EkrtYDM.bat"
  PID: 1860

[24] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 1660

[24] C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\taskhost.exe
  Command line: "C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\taskhost.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2356

[25] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JbtrqXgYk1.bat"
  PID: 704

[26] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2172

[26] C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\taskhost.exe
  Command line: "C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\taskhost.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1328

[27] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GUMorhJGzB.bat"
  PID: 1132

[28] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 980

[28] C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\taskhost.exe
  Command line: "C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\taskhost.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2260

[1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\taskhost.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2560

[1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\taskhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2704

[1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\taskhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2588

[1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Defender\es-ES\csrss.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2548

[1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\es-ES\csrss.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2604

[1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Defender\es-ES\csrss.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 3020

[1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\explorer.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 3024

[1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\explorer.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1384

[1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\explorer.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 836
Network
MITRE ATT&CK Enterprise v15
Downloads