Analysis
max time kernel: 148s
max time network: 149s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
submitted: 21-12-2024 19:00

Behavioral task: behavioral1
Sample: JaffaCakes118_09bb2fc1d6ae1f505da4da171f7d1c81b44a90f02de42de5f59d75f2ecb1d51a.exe
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: JaffaCakes118_09bb2fc1d6ae1f505da4da171f7d1c81b44a90f02de42de5f59d75f2ecb1d51a.exe
Resource: win10v2004-20241007-en

General
Target: JaffaCakes118_09bb2fc1d6ae1f505da4da171f7d1c81b44a90f02de42de5f59d75f2ecb1d51a.exe
Size: 1.3MB
MD5: 2e6850c593498f606be85fa2e55c0c9b
SHA1: 55b79e969e50cf72c15f7df123d51ded5db70782
SHA256: 09bb2fc1d6ae1f505da4da171f7d1c81b44a90f02de42de5f59d75f2ecb1d51a
SHA512: 179318b9c8b9120d827576e39c9b57e90f1605790a8161511e7c76e0c0c6f43e4b24da0873546ca03e8845c9da32a6a913b9219cb230299c56d40bb554ae05d5
SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures

DcRat
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

Dcrat family

Process spawned unexpected child process 18 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
| description | pid | pid_target | Process | procid_target |
|---|---|---|---|---|
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3024 | 3016 | schtasks.exe | 34 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2452 | 3016 | schtasks.exe | 34 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1148 | 3016 | schtasks.exe | 34 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2548 | 3016 | schtasks.exe | 34 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2948 | 3016 | schtasks.exe | 34 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 524 | 3016 | schtasks.exe | 34 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 296 | 3016 | schtasks.exe | 34 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2260 | 3016 | schtasks.exe | 34 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2184 | 3016 | schtasks.exe | 34 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2036 | 3016 | schtasks.exe | 34 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1704 | 3016 | schtasks.exe | 34 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2380 | 3016 | schtasks.exe | 34 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2448 | 3016 | schtasks.exe | 34 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 304 | 3016 | schtasks.exe | 34 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1972 | 3016 | schtasks.exe | 34 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2144 | 3016 | schtasks.exe | 34 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1284 | 3016 | schtasks.exe | 34 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1316 | 3016 | schtasks.exe | 34 |
| resource | yara_rule |
|---|---|
| behavioral1/files/0x0007000000019261-12.dat | dcrat |
| behavioral1/memory/2892-13-0x0000000000020000-0x0000000000130000-memory.dmp | dcrat |
| behavioral1/memory/2112-36-0x00000000003D0000-0x00000000004E0000-memory.dmp | dcrat |
| behavioral1/memory/1092-132-0x0000000000920000-0x0000000000A30000-memory.dmp | dcrat |
| behavioral1/memory/916-252-0x0000000000A80000-0x0000000000B90000-memory.dmp | dcrat |
| behavioral1/memory/2204-312-0x00000000003E0000-0x00000000004F0000-memory.dmp | dcrat |
| behavioral1/memory/1092-373-0x0000000000C90000-0x0000000000DA0000-memory.dmp | dcrat |
| behavioral1/memory/1988-434-0x00000000002F0000-0x0000000000400000-memory.dmp | dcrat |
| behavioral1/memory/1648-494-0x0000000000ED0000-0x0000000000FE0000-memory.dmp | dcrat |
| behavioral1/memory/2184-554-0x00000000002E0000-0x00000000003F0000-memory.dmp | dcrat |
| behavioral1/memory/1912-614-0x0000000000F80000-0x0000000001090000-memory.dmp | dcrat |
| behavioral1/memory/2108-674-0x00000000010A0000-0x00000000011B0000-memory.dmp | dcrat |
Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
| pid | Process |
|---|---|
| 1700 | powershell.exe |
| 2060 | powershell.exe |
| 1648 | powershell.exe |
| 1000 | powershell.exe |
| 880 | powershell.exe |
| 1768 | powershell.exe |
| 2440 | powershell.exe |
Executes dropped EXE 12 IoCs
| pid | Process |
|---|---|
| 2892 | DllCommonsvc.exe |
| 2112 | taskhost.exe |
| 1092 | taskhost.exe |
| 1820 | taskhost.exe |
| 916 | taskhost.exe |
| 2204 | taskhost.exe |
| 1092 | taskhost.exe |
| 1988 | taskhost.exe |
| 1648 | taskhost.exe |
| 2184 | taskhost.exe |
| 1912 | taskhost.exe |
| 2108 | taskhost.exe |
Loads dropped DLL 2 IoCs
| pid | Process |
|---|---|
| 2604 | cmd.exe |
| 2604 | cmd.exe |
Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs
| flow | ioc |
|---|---|
| 4 | raw.githubusercontent.com |
| 9 | raw.githubusercontent.com |
| 16 | raw.githubusercontent.com |
| 35 | raw.githubusercontent.com |
| 27 | raw.githubusercontent.com |
| 31 | raw.githubusercontent.com |
| 34 | raw.githubusercontent.com |
| 39 | raw.githubusercontent.com |
| 5 | raw.githubusercontent.com |
| 12 | raw.githubusercontent.com |
| 19 | raw.githubusercontent.com |
| 23 | raw.githubusercontent.com |
Drops file in Program Files directory 4 IoCs
| description | ioc | Process |
|---|---|---|
| File created | C:\Program Files\Windows Sidebar\fr-FR\csrss.exe | DllCommonsvc.exe |
| File created | C:\Program Files\Windows Sidebar\fr-FR\886983d96e3d3e | DllCommonsvc.exe |
| File created | C:\Program Files (x86)\Common Files\Adobe\Updater6\cmd.exe | DllCommonsvc.exe |
| File created | C:\Program Files (x86)\Common Files\Adobe\Updater6\ebf1f9fa8afd6d | DllCommonsvc.exe |
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
| description | ioc | Process |
|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_09bb2fc1d6ae1f505da4da171f7d1c81b44a90f02de42de5f59d75f2ecb1d51a.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe |
Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
| pid | Process |
|---|---|
| 524 | schtasks.exe |
| 2380 | schtasks.exe |
| 2452 | schtasks.exe |
| 2260 | schtasks.exe |
| 2448 | schtasks.exe |
| 1972 | schtasks.exe |
| 2144 | schtasks.exe |
| 1148 | schtasks.exe |
| 2948 | schtasks.exe |
| 2184 | schtasks.exe |
| 1704 | schtasks.exe |
| 304 | schtasks.exe |
| 1284 | schtasks.exe |
| 3024 | schtasks.exe |
| 2548 | schtasks.exe |
| 296 | schtasks.exe |
| 2036 | schtasks.exe |
| 1316 | schtasks.exe |
Suspicious behavior: EnumeratesProcesses 21 IoCs
| pid | Process |
|---|---|
| 2892 | DllCommonsvc.exe |
| 2892 | DllCommonsvc.exe |
| 2892 | DllCommonsvc.exe |
| 1000 | powershell.exe |
| 880 | powershell.exe |
| 2440 | powershell.exe |
| 1700 | powershell.exe |
| 1768 | powershell.exe |
| 2060 | powershell.exe |
| 1648 | powershell.exe |
| 2112 | taskhost.exe |
| 1092 | taskhost.exe |
| 1820 | taskhost.exe |
| 916 | taskhost.exe |
| 2204 | taskhost.exe |
| 1092 | taskhost.exe |
| 1988 | taskhost.exe |
| 1648 | taskhost.exe |
| 2184 | taskhost.exe |
| 1912 | taskhost.exe |
| 2108 | taskhost.exe |
Suspicious use of AdjustPrivilegeToken 19 IoCs
| description | pid | Process |
|---|---|---|
| Token: SeDebugPrivilege | 2892 | DllCommonsvc.exe |
| Token: SeDebugPrivilege | 1000 | powershell.exe |
| Token: SeDebugPrivilege | 880 | powershell.exe |
| Token: SeDebugPrivilege | 2440 | powershell.exe |
| Token: SeDebugPrivilege | 2112 | taskhost.exe |
| Token: SeDebugPrivilege | 1700 | powershell.exe |
| Token: SeDebugPrivilege | 1768 | powershell.exe |
| Token: SeDebugPrivilege | 2060 | powershell.exe |
| Token: SeDebugPrivilege | 1648 | powershell.exe |
| Token: SeDebugPrivilege | 1092 | taskhost.exe |
| Token: SeDebugPrivilege | 1820 | taskhost.exe |
| Token: SeDebugPrivilege | 916 | taskhost.exe |
| Token: SeDebugPrivilege | 2204 | taskhost.exe |
| Token: SeDebugPrivilege | 1092 | taskhost.exe |
| Token: SeDebugPrivilege | 1988 | taskhost.exe |
| Token: SeDebugPrivilege | 1648 | taskhost.exe |
| Token: SeDebugPrivilege | 2184 | taskhost.exe |
| Token: SeDebugPrivilege | 1912 | taskhost.exe |
| Token: SeDebugPrivilege | 2108 | taskhost.exe |
Suspicious use of WriteProcessMemory 64 IoCs
| description | pid | Process | procid_target |
|---|---|---|---|
| PID 2076 wrote to memory of 2780 | 2076 | JaffaCakes118_09bb2fc1d6ae1f505da4da171f7d1c81b44a90f02de42de5f59d75f2ecb1d51a.exe | 30 |
| PID 2076 wrote to memory of 2780 | 2076 | JaffaCakes118_09bb2fc1d6ae1f505da4da171f7d1c81b44a90f02de42de5f59d75f2ecb1d51a.exe | 30 |
| PID 2076 wrote to memory of 2780 | 2076 | JaffaCakes118_09bb2fc1d6ae1f505da4da171f7d1c81b44a90f02de42de5f59d75f2ecb1d51a.exe | 30 |
| PID 2076 wrote to memory of 2780 | 2076 | JaffaCakes118_09bb2fc1d6ae1f505da4da171f7d1c81b44a90f02de42de5f59d75f2ecb1d51a.exe | 30 |
| PID 2780 wrote to memory of 2604 | 2780 | WScript.exe | 31 |
| PID 2780 wrote to memory of 2604 | 2780 | WScript.exe | 31 |
| PID 2780 wrote to memory of 2604 | 2780 | WScript.exe | 31 |
| PID 2780 wrote to memory of 2604 | 2780 | WScript.exe | 31 |
| PID 2604 wrote to memory of 2892 | 2604 | cmd.exe | 33 |
| PID 2604 wrote to memory of 2892 | 2604 | cmd.exe | 33 |
| PID 2604 wrote to memory of 2892 | 2604 | cmd.exe | 33 |
| PID 2604 wrote to memory of 2892 | 2604 | cmd.exe | 33 |
| PID 2892 wrote to memory of 2060 | 2892 | DllCommonsvc.exe | 53 |
| PID 2892 wrote to memory of 2060 | 2892 | DllCommonsvc.exe | 53 |
| PID 2892 wrote to memory of 2060 | 2892 | DllCommonsvc.exe | 53 |
| PID 2892 wrote to memory of 1648 | 2892 | DllCommonsvc.exe | 54 |
| PID 2892 wrote to memory of 1648 | 2892 | DllCommonsvc.exe | 54 |
| PID 2892 wrote to memory of 1648 | 2892 | DllCommonsvc.exe | 54 |
| PID 2892 wrote to memory of 1000 | 2892 | DllCommonsvc.exe | 55 |
| PID 2892 wrote to memory of 1000 | 2892 | DllCommonsvc.exe | 55 |
| PID 2892 wrote to memory of 1000 | 2892 | DllCommonsvc.exe | 55 |
| PID 2892 wrote to memory of 880 | 2892 | DllCommonsvc.exe | 56 |
| PID 2892 wrote to memory of 880 | 2892 | DllCommonsvc.exe | 56 |
| PID 2892 wrote to memory of 880 | 2892 | DllCommonsvc.exe | 56 |
| PID 2892 wrote to memory of 1768 | 2892 | DllCommonsvc.exe | 57 |
| PID 2892 wrote to memory of 1768 | 2892 | DllCommonsvc.exe | 57 |
| PID 2892 wrote to memory of 1768 | 2892 | DllCommonsvc.exe | 57 |
| PID 2892 wrote to memory of 2440 | 2892 | DllCommonsvc.exe | 58 |
| PID 2892 wrote to memory of 2440 | 2892 | DllCommonsvc.exe | 58 |
| PID 2892 wrote to memory of 2440 | 2892 | DllCommonsvc.exe | 58 |
| PID 2892 wrote to memory of 1700 | 2892 | DllCommonsvc.exe | 59 |
| PID 2892 wrote to memory of 1700 | 2892 | DllCommonsvc.exe | 59 |
| PID 2892 wrote to memory of 1700 | 2892 | DllCommonsvc.exe | 59 |
| PID 2892 wrote to memory of 2112 | 2892 | DllCommonsvc.exe | 67 |
| PID 2892 wrote to memory of 2112 | 2892 | DllCommonsvc.exe | 67 |
| PID 2892 wrote to memory of 2112 | 2892 | DllCommonsvc.exe | 67 |
| PID 2112 wrote to memory of 2016 | 2112 | taskhost.exe | 68 |
| PID 2112 wrote to memory of 2016 | 2112 | taskhost.exe | 68 |
| PID 2112 wrote to memory of 2016 | 2112 | taskhost.exe | 68 |
| PID 2016 wrote to memory of 2444 | 2016 | cmd.exe | 70 |
| PID 2016 wrote to memory of 2444 | 2016 | cmd.exe | 70 |
| PID 2016 wrote to memory of 2444 | 2016 | cmd.exe | 70 |
| PID 2016 wrote to memory of 1092 | 2016 | cmd.exe | 71 |
| PID 2016 wrote to memory of 1092 | 2016 | cmd.exe | 71 |
| PID 2016 wrote to memory of 1092 | 2016 | cmd.exe | 71 |
| PID 1092 wrote to memory of 2824 | 1092 | taskhost.exe | 72 |
| PID 1092 wrote to memory of 2824 | 1092 | taskhost.exe | 72 |
| PID 1092 wrote to memory of 2824 | 1092 | taskhost.exe | 72 |
| PID 2824 wrote to memory of 304 | 2824 | cmd.exe | 74 |
| PID 2824 wrote to memory of 304 | 2824 | cmd.exe | 74 |
| PID 2824 wrote to memory of 304 | 2824 | cmd.exe | 74 |
| PID 2824 wrote to memory of 1820 | 2824 | cmd.exe | 75 |
| PID 2824 wrote to memory of 1820 | 2824 | cmd.exe | 75 |
| PID 2824 wrote to memory of 1820 | 2824 | cmd.exe | 75 |
| PID 1820 wrote to memory of 1000 | 1820 | taskhost.exe | 76 |
| PID 1820 wrote to memory of 1000 | 1820 | taskhost.exe | 76 |
| PID 1820 wrote to memory of 1000 | 1820 | taskhost.exe | 76 |
| PID 1000 wrote to memory of 1768 | 1000 | cmd.exe | 78 |
| PID 1000 wrote to memory of 1768 | 1000 | cmd.exe | 78 |
| PID 1000 wrote to memory of 1768 | 1000 | cmd.exe | 78 |
| PID 1000 wrote to memory of 916 | 1000 | cmd.exe | 79 |
| PID 1000 wrote to memory of 916 | 1000 | cmd.exe | 79 |
| PID 1000 wrote to memory of 916 | 1000 | cmd.exe | 79 |
| PID 916 wrote to memory of 2432 | 916 | taskhost.exe | 80 |
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Depth 1: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_09bb2fc1d6ae1f505da4da171f7d1c81b44a90f02de42de5f59d75f2ecb1d51a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_09bb2fc1d6ae1f505da4da171f7d1c81b44a90f02de42de5f59d75f2ecb1d51a.exe"
  PID: 2076
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

Depth 2: C:\Windows\SysWOW64\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  PID: 2780
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

Depth 3: C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c ""C:\providercommon\1zu9dW.bat" "
  PID: 2604
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

Depth 4: C:\providercommon\DllCommonsvc.exe
  Command line: "C:\providercommon\DllCommonsvc.exe"
  PID: 2892
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
  PID: 2060
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\taskhost.exe'
  PID: 1648
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\fr-FR\csrss.exe'
  PID: 1000
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\Adobe\Updater6\cmd.exe'
  PID: 880
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\wininit.exe'
  PID: 1768
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\conhost.exe'
  PID: 2440
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\wininit.exe'
  PID: 1700
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

Depth 5: C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\taskhost.exe
  Command line: "C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\taskhost.exe"
  PID: 2112
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

Depth 6: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YNa8GmLI5m.bat"
  PID: 2016
  - Suspicious use of WriteProcessMemory

Depth 7: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2444

Depth 7: C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\taskhost.exe
  Command line: "C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\taskhost.exe"
  PID: 1092
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

Depth 8: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\H34YhpUhHp.bat"
  PID: 2824
  - Suspicious use of WriteProcessMemory

Depth 9: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 304

Depth 9: C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\taskhost.exe
  Command line: "C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\taskhost.exe"
  PID: 1820
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

Depth 10: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UMOyPGkKXB.bat"
  PID: 1000
  - Suspicious use of WriteProcessMemory

Depth 11: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 1768

Depth 11: C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\taskhost.exe
  Command line: "C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\taskhost.exe"
  PID: 916
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

Depth 12: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jaxwQXfGLd.bat"
  PID: 2432

Depth 13: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 1132

Depth 13: C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\taskhost.exe
  Command line: "C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\taskhost.exe"
  PID: 2204
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

Depth 14: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oPL6j2OtN4.bat"
  PID: 2548

Depth 15: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 1052

Depth 15: C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\taskhost.exe
  Command line: "C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\taskhost.exe"
  PID: 1092
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

Depth 16: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2U51WDObLZ.bat"
  PID: 1980

Depth 17: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 1328

Depth 17: C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\taskhost.exe
  Command line: "C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\taskhost.exe"
  PID: 1988
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

Depth 18: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pCeLVPpGxY.bat"
  PID: 2620

Depth 19: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 588

Depth 19: C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\taskhost.exe
  Command line: "C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\taskhost.exe"
  PID: 1648
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

Depth 20: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QRlBHoY6P9.bat"
  PID: 2456

Depth 21: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 1808

Depth 21: C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\taskhost.exe
  Command line: "C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\taskhost.exe"
  PID: 2184
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

Depth 22: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UTkrWZWekQ.bat"
  PID: 328

Depth 23: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2344

Depth 23: C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\taskhost.exe
  Command line: "C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\taskhost.exe"
  PID: 1912
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

Depth 24: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7ezzJRb6cS.bat"
  PID: 1920

Depth 25: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2972

Depth 25: C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\taskhost.exe
  Command line: "C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\taskhost.exe"
  PID: 2108
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

Depth 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\taskhost.exe'" /f
  PID: 3024
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

Depth 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\taskhost.exe'" /rl HIGHEST /f
  PID: 2452
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

Depth 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\taskhost.exe'" /rl HIGHEST /f
  PID: 1148
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

Depth 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Sidebar\fr-FR\csrss.exe'" /f
  PID: 2548
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

Depth 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\fr-FR\csrss.exe'" /rl HIGHEST /f
  PID: 2948
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

Depth 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Sidebar\fr-FR\csrss.exe'" /rl HIGHEST /f
  PID: 524
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

Depth 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Common Files\Adobe\Updater6\cmd.exe'" /f
  PID: 296
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

Depth 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Adobe\Updater6\cmd.exe'" /rl HIGHEST /f
  PID: 2260
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

Depth 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Common Files\Adobe\Updater6\cmd.exe'" /rl HIGHEST /f
  PID: 2184
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

Depth 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\wininit.exe'" /f
  PID: 2036
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

Depth 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\wininit.exe'" /rl HIGHEST /f
  PID: 1704
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

Depth 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\wininit.exe'" /rl HIGHEST /f
  PID: 2380
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

Depth 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\conhost.exe'" /f
  PID: 2448
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

Depth 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\conhost.exe'" /rl HIGHEST /f
  PID: 304
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

Depth 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\conhost.exe'" /rl HIGHEST /f
  PID: 1972
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

Depth 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\wininit.exe'" /f
  PID: 2144
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

Depth 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
  PID: 1284
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

Depth 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
  PID: 1316
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Downloads