Analysis
max time kernel: 149s
max time network: 144s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 21-12-2024 19:41
Behavioral task: behavioral1
Sample: JaffaCakes118_940b667dd33fa29ad615493adee01f9dfc245a87f610ed7c637710741cf6d0e4.exe
Resource: win7-20240708-en
Behavioral task: behavioral2
Sample: JaffaCakes118_940b667dd33fa29ad615493adee01f9dfc245a87f610ed7c637710741cf6d0e4.exe
Resource: win10v2004-20241007-en
General
Target: JaffaCakes118_940b667dd33fa29ad615493adee01f9dfc245a87f610ed7c637710741cf6d0e4.exe
Size: 1.3MB
MD5: 3019281f6a1d25674cefdb7741a59320
SHA1: 24dc42c1e757d0e98f8cfd93fc7cfced6f1d4f9d
SHA256: 940b667dd33fa29ad615493adee01f9dfc245a87f610ed7c637710741cf6d0e4
SHA512: 589f55abaa01d221cad6ecb86ef6ba191e87553b1ac7640c220526ce6dc7eec5702e816076b554c37283af082b0f58ad63fc7b241d8c4c4543413494ede9437b
SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.
Dcrat family
Process spawned unexpected child process 1 TTPs 18 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description (same for all 18 rows): Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
pid   pid_target  Process       procid_target
2596  2208        schtasks.exe  32
2692  2208        schtasks.exe  32
2680  2208        schtasks.exe  32
2772  2208        schtasks.exe  32
3024  2208        schtasks.exe  32
2412  2208        schtasks.exe  32
2512  2208        schtasks.exe  32
2532  2208        schtasks.exe  32
2492  2208        schtasks.exe  32
2536  2208        schtasks.exe  32
2608  2208        schtasks.exe  32
2944  2208        schtasks.exe  32
1844  2208        schtasks.exe  32
1676  2208        schtasks.exe  32
2224  2208        schtasks.exe  32
1048  2208        schtasks.exe  32
1068  2208        schtasks.exe  32
2032  2208        schtasks.exe  32
resource                                                                    yara_rule
behavioral1/files/0x0007000000016d71-9.dat                                  dcrat
behavioral1/memory/2776-13-0x00000000000D0000-0x00000000001E0000-memory.dmp   dcrat
behavioral1/memory/1752-40-0x0000000000B00000-0x0000000000C10000-memory.dmp   dcrat
behavioral1/memory/2224-190-0x0000000000050000-0x0000000000160000-memory.dmp  dcrat
behavioral1/memory/1184-250-0x0000000000C20000-0x0000000000D30000-memory.dmp  dcrat
behavioral1/memory/740-310-0x0000000001350000-0x0000000001460000-memory.dmp   dcrat
behavioral1/memory/2760-430-0x00000000001A0000-0x00000000002B0000-memory.dmp  dcrat
behavioral1/memory/1916-490-0x00000000003A0000-0x00000000004B0000-memory.dmp  dcrat
behavioral1/memory/1524-550-0x0000000000940000-0x0000000000A50000-memory.dmp  dcrat
behavioral1/memory/1952-610-0x0000000000D90000-0x0000000000EA0000-memory.dmp  dcrat
behavioral1/memory/2524-729-0x0000000000DF0000-0x0000000000F00000-memory.dmp  dcrat
Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
pid   Process
1964  powershell.exe
1132  powershell.exe
1996  powershell.exe
1960  powershell.exe
1656  powershell.exe
2316  powershell.exe
2380  powershell.exe
Executes dropped EXE 13 IoCs
pid   Process
2776  DllCommonsvc.exe
1752  conhost.exe
2564  conhost.exe
2224  conhost.exe
1184  conhost.exe
740   conhost.exe
2140  conhost.exe
2760  conhost.exe
1916  conhost.exe
1524  conhost.exe
1952  conhost.exe
2092  conhost.exe
2524  conhost.exe
Loads dropped DLL 2 IoCs
pid   Process
2272  cmd.exe
2272  cmd.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs
flow  ioc
37    raw.githubusercontent.com
40    raw.githubusercontent.com
5     raw.githubusercontent.com
19    raw.githubusercontent.com
23    raw.githubusercontent.com
30    raw.githubusercontent.com
33    raw.githubusercontent.com
4     raw.githubusercontent.com
9     raw.githubusercontent.com
12    raw.githubusercontent.com
16    raw.githubusercontent.com
26    raw.githubusercontent.com
Drops file in Program Files directory 8 IoCs
description   ioc                                                                           Process
File created  C:\Program Files (x86)\Common Files\System.exe                                DllCommonsvc.exe
File created  C:\Program Files (x86)\Common Files\27d1bcfc3c54e0                            DllCommonsvc.exe
File created  C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\audiodg.exe    DllCommonsvc.exe
File created  C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\42af1c969fbb7b DllCommonsvc.exe
File created  C:\Program Files\Microsoft Office\Office14\1033\smss.exe                      DllCommonsvc.exe
File created  C:\Program Files\Microsoft Office\Office14\1033\69ddcba757bf72                DllCommonsvc.exe
File created  C:\Program Files\DVD Maker\ja-JP\conhost.exe                                  DllCommonsvc.exe
File created  C:\Program Files\DVD Maker\ja-JP\088424020bedd6                               DllCommonsvc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
description  ioc                                                              Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language      JaffaCakes118_940b667dd33fa29ad615493adee01f9dfc245a87f610ed7c637710741cf6d0e4.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language      WScript.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language      cmd.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid   Process
3024  schtasks.exe
2536  schtasks.exe
1676  schtasks.exe
1068  schtasks.exe
2772  schtasks.exe
2512  schtasks.exe
2608  schtasks.exe
2224  schtasks.exe
2532  schtasks.exe
2492  schtasks.exe
2944  schtasks.exe
1844  schtasks.exe
2596  schtasks.exe
2692  schtasks.exe
2680  schtasks.exe
2412  schtasks.exe
1048  schtasks.exe
2032  schtasks.exe
Suspicious behavior: EnumeratesProcesses 20 IoCs
pid   Process
2776  DllCommonsvc.exe
2316  powershell.exe
1960  powershell.exe
1996  powershell.exe
1964  powershell.exe
1656  powershell.exe
1132  powershell.exe
2380  powershell.exe
1752  conhost.exe
2564  conhost.exe
2224  conhost.exe
1184  conhost.exe
740   conhost.exe
2140  conhost.exe
2760  conhost.exe
1916  conhost.exe
1524  conhost.exe
1952  conhost.exe
2092  conhost.exe
2524  conhost.exe
Suspicious use of AdjustPrivilegeToken 20 IoCs
description              pid   Process
Token: SeDebugPrivilege  2776  DllCommonsvc.exe
Token: SeDebugPrivilege  2316  powershell.exe
Token: SeDebugPrivilege  1960  powershell.exe
Token: SeDebugPrivilege  1996  powershell.exe
Token: SeDebugPrivilege  1964  powershell.exe
Token: SeDebugPrivilege  1656  powershell.exe
Token: SeDebugPrivilege  1132  powershell.exe
Token: SeDebugPrivilege  2380  powershell.exe
Token: SeDebugPrivilege  1752  conhost.exe
Token: SeDebugPrivilege  2564  conhost.exe
Token: SeDebugPrivilege  2224  conhost.exe
Token: SeDebugPrivilege  1184  conhost.exe
Token: SeDebugPrivilege  740   conhost.exe
Token: SeDebugPrivilege  2140  conhost.exe
Token: SeDebugPrivilege  2760  conhost.exe
Token: SeDebugPrivilege  1916  conhost.exe
Token: SeDebugPrivilege  1524  conhost.exe
Token: SeDebugPrivilege  1952  conhost.exe
Token: SeDebugPrivilege  2092  conhost.exe
Token: SeDebugPrivilege  2524  conhost.exe
Suspicious use of WriteProcessMemory 64 IoCs
Each row is "PID <pid> wrote to memory of <pid_target>"; identical rows are collapsed with their count in the last column.
pid   pid_target  Process                                                                               procid_target  rows
2292  1724        JaffaCakes118_940b667dd33fa29ad615493adee01f9dfc245a87f610ed7c637710741cf6d0e4.exe   28             4
1724  2272        WScript.exe                                                                           29             4
2272  2776        cmd.exe                                                                               31             4
2776  1656        DllCommonsvc.exe                                                                      51             3
2776  2316        DllCommonsvc.exe                                                                      52             3
2776  2380        DllCommonsvc.exe                                                                      53             3
2776  1964        DllCommonsvc.exe                                                                      56             3
2776  1132        DllCommonsvc.exe                                                                      57             3
2776  1960        DllCommonsvc.exe                                                                      58             3
2776  1996        DllCommonsvc.exe                                                                      59             3
2776  1752        DllCommonsvc.exe                                                                      65             3
1752  1036        conhost.exe                                                                           66             3
1036  2684        cmd.exe                                                                               68             3
1036  2564        cmd.exe                                                                               71             3
2564  1748        conhost.exe                                                                           72             3
1748  836         cmd.exe                                                                               74             3
1748  2224        cmd.exe                                                                               75             3
2224  2012        conhost.exe                                                                           76             3
2012  2056        cmd.exe                                                                               78             3
2012  1184        cmd.exe                                                                               79             3
1184  2260        conhost.exe                                                                           80             1
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Each entry lists the image path, the observed command line, the signatures hit, and the PID; the number in brackets is the depth in the process tree.
[1] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_940b667dd33fa29ad615493adee01f9dfc245a87f610ed7c637710741cf6d0e4.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_940b667dd33fa29ad615493adee01f9dfc245a87f610ed7c637710741cf6d0e4.exe"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 2292
[2] C:\Windows\SysWOW64\WScript.exe
    cmdline: "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 1724
[3] C:\Windows\SysWOW64\cmd.exe
    cmdline: cmd /c ""C:\providercommon\1zu9dW.bat" "
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 2272
[4] C:\providercommon\DllCommonsvc.exe
    cmdline: "C:\providercommon\DllCommonsvc.exe"
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 2776
[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1656
[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\services.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2316
[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\audiodg.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2380
[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\Office14\1033\smss.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1964
[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\DVD Maker\ja-JP\conhost.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1132
[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\System.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1960
[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\System.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1996
[5] C:\Program Files\DVD Maker\ja-JP\conhost.exe
    cmdline: "C:\Program Files\DVD Maker\ja-JP\conhost.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 1752
[6] C:\Windows\System32\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ewVMycoP0v.bat"
    - Suspicious use of WriteProcessMemory
    PID: 1036
[7] C:\Windows\system32\w32tm.exe
    cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 2684
[7] C:\Program Files\DVD Maker\ja-JP\conhost.exe
    cmdline: "C:\Program Files\DVD Maker\ja-JP\conhost.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 2564
[8] C:\Windows\System32\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\I0OceA6Xfh.bat"
    - Suspicious use of WriteProcessMemory
    PID: 1748
[9] C:\Windows\system32\w32tm.exe
    cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 836
[9] C:\Program Files\DVD Maker\ja-JP\conhost.exe
    cmdline: "C:\Program Files\DVD Maker\ja-JP\conhost.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 2224
[10] C:\Windows\System32\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\989MOUOnUX.bat"
    - Suspicious use of WriteProcessMemory
    PID: 2012
[11] C:\Windows\system32\w32tm.exe
    cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 2056
[11] C:\Program Files\DVD Maker\ja-JP\conhost.exe
    cmdline: "C:\Program Files\DVD Maker\ja-JP\conhost.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 1184
[12] C:\Windows\System32\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6raUEgr1vJ.bat"
    PID: 2260
[13] C:\Windows\system32\w32tm.exe
    cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 2968
[13] C:\Program Files\DVD Maker\ja-JP\conhost.exe
    cmdline: "C:\Program Files\DVD Maker\ja-JP\conhost.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 740
[14] C:\Windows\System32\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MUFyTxLHSg.bat"
    PID: 2344
[15] C:\Windows\system32\w32tm.exe
    cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 848
[15] C:\Program Files\DVD Maker\ja-JP\conhost.exe
    cmdline: "C:\Program Files\DVD Maker\ja-JP\conhost.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2140
[16] C:\Windows\System32\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jI650TZYhJ.bat"
    PID: 1764
[17] C:\Windows\system32\w32tm.exe
    cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 1732
[17] C:\Program Files\DVD Maker\ja-JP\conhost.exe
    cmdline: "C:\Program Files\DVD Maker\ja-JP\conhost.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2760
[18] C:\Windows\System32\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EwXVi07PWy.bat"
    PID: 2432
[19] C:\Windows\system32\w32tm.exe
    cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 1672
[19] C:\Program Files\DVD Maker\ja-JP\conhost.exe
    cmdline: "C:\Program Files\DVD Maker\ja-JP\conhost.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1916
[20] C:\Windows\System32\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ph8sa6VtQm.bat"
    PID: 1792
[21] C:\Windows\system32\w32tm.exe
    cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 1696
[21] C:\Program Files\DVD Maker\ja-JP\conhost.exe
    cmdline: "C:\Program Files\DVD Maker\ja-JP\conhost.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1524
[22] C:\Windows\System32\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\x4tck5X09i.bat"
    PID: 2188
[23] C:\Windows\system32\w32tm.exe
    cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 1912
[23] C:\Program Files\DVD Maker\ja-JP\conhost.exe
    cmdline: "C:\Program Files\DVD Maker\ja-JP\conhost.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1952
[24] C:\Windows\System32\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\I1IMKnnpZ2.bat"
    PID: 2108
[25] C:\Windows\system32\w32tm.exe
    cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 564
[25] C:\Program Files\DVD Maker\ja-JP\conhost.exe
    cmdline: "C:\Program Files\DVD Maker\ja-JP\conhost.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2092
[26] C:\Windows\System32\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WSSqGJyhfL.bat"
    PID: 2612
[27] C:\Windows\system32\w32tm.exe
    cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 2872
[27] C:\Program Files\DVD Maker\ja-JP\conhost.exe
    cmdline: "C:\Program Files\DVD Maker\ja-JP\conhost.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2524
[1] C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\services.exe'" /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2596
[1] C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2692
[1] C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2680
[1] C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\audiodg.exe'" /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2772
[1] C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\audiodg.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 3024
[1] C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\audiodg.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2412
[1] C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Program Files\Microsoft Office\Office14\1033\smss.exe'" /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2512
[1] C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\1033\smss.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2532
[1] C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Office\Office14\1033\smss.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2492
[1] C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Program Files\DVD Maker\ja-JP\conhost.exe'" /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2536
[1] C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\ja-JP\conhost.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2608
[1] C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Program Files\DVD Maker\ja-JP\conhost.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2944
[1] C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Common Files\System.exe'" /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 1844
[1] C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\System.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 1676
[1] C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Common Files\System.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2224
[1] C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\System.exe'" /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 1048
[1] C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 1068
[1] C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2032
MITRE ATT&CK Enterprise v15
Downloads