Analysis
- max time kernel: 148s
- max time network: 149s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 21-12-2024 19:50
Behavioral task
behavioral1
Sample
JaffaCakes118_cddbcb6405986e2582059fd64321db1c7e14dd50c5c3ea4c68c4ca915a676a24.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
JaffaCakes118_cddbcb6405986e2582059fd64321db1c7e14dd50c5c3ea4c68c4ca915a676a24.exe
Resource
win10v2004-20241007-en
General
-
Target
JaffaCakes118_cddbcb6405986e2582059fd64321db1c7e14dd50c5c3ea4c68c4ca915a676a24.exe
-
Size
1.3MB
-
MD5
e612b8edfd6f0747bc2c37257c7a31c9
-
SHA1
2b6284e7202c6c288ee3e8242761ad27532cda92
-
SHA256
cddbcb6405986e2582059fd64321db1c7e14dd50c5c3ea4c68c4ca915a676a24
-
SHA512
f19a2ff333be0c2167898dd87a54fc345bda97ca8b72c780130ef87b145617a6256158382f0e93c7d132a328522c6f30b5595375749fb99919b0350a5b31c3e3
-
SSDEEP
24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 21 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description  pid  pid_target  Process  procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2868  2760  schtasks.exe  35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2876  2760  schtasks.exe  35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2744  2760  schtasks.exe  35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2600  2760  schtasks.exe  35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2604  2760  schtasks.exe  35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2560  2760  schtasks.exe  35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2632  2760  schtasks.exe  35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2216  2760  schtasks.exe  35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2732  2760  schtasks.exe  35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2044  2760  schtasks.exe  35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  1092  2760  schtasks.exe  35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  1048  2760  schtasks.exe  35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2032  2760  schtasks.exe  35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  1964  2760  schtasks.exe  35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2516  2760  schtasks.exe  35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  1056  2760  schtasks.exe  35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  316  2760  schtasks.exe  35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  1676  2760  schtasks.exe  35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  1940  2760  schtasks.exe  35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  1144  2760  schtasks.exe  35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  1796  2760  schtasks.exe  35
resource  yara_rule
behavioral1/files/0x0008000000018bf3-9.dat  dcrat
behavioral1/memory/2952-13-0x0000000000090000-0x00000000001A0000-memory.dmp  dcrat
behavioral1/memory/448-43-0x0000000001090000-0x00000000011A0000-memory.dmp  dcrat
behavioral1/memory/1324-138-0x0000000001240000-0x0000000001350000-memory.dmp  dcrat
behavioral1/memory/1760-258-0x0000000001260000-0x0000000001370000-memory.dmp  dcrat
behavioral1/memory/1504-436-0x0000000000240000-0x0000000000350000-memory.dmp  dcrat
behavioral1/memory/2752-496-0x0000000001370000-0x0000000001480000-memory.dmp  dcrat
behavioral1/memory/2396-674-0x00000000001E0000-0x00000000002F0000-memory.dmp  dcrat
Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid  Process
2748  powershell.exe
2896  powershell.exe
2820  powershell.exe
2736  powershell.exe
2620  powershell.exe
1936  powershell.exe
2928  powershell.exe
1760  powershell.exe
Executes dropped EXE 12 IoCs
pid  Process
2952  DllCommonsvc.exe
448  smss.exe
1324  smss.exe
788  smss.exe
1760  smss.exe
2728  smss.exe
1596  smss.exe
1504  smss.exe
2752  smss.exe
2212  smss.exe
1608  smss.exe
2396  smss.exe
Loads dropped DLL 2 IoCs
pid  Process
2136  cmd.exe
2136  cmd.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs
flow  ioc
5  raw.githubusercontent.com
9  raw.githubusercontent.com
17  raw.githubusercontent.com
27  raw.githubusercontent.com
36  raw.githubusercontent.com
33  raw.githubusercontent.com
4  raw.githubusercontent.com
13  raw.githubusercontent.com
20  raw.githubusercontent.com
24  raw.githubusercontent.com
30  raw.githubusercontent.com
Drops file in Program Files directory 2 IoCs
description  ioc  Process
File created  C:\Program Files\Windows Defender\es-ES\ebf1f9fa8afd6d  DllCommonsvc.exe
File created  C:\Program Files\Windows Defender\es-ES\cmd.exe  DllCommonsvc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc  Process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  JaffaCakes118_cddbcb6405986e2582059fd64321db1c7e14dd50c5c3ea4c68c4ca915a676a24.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  WScript.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 21 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid  Process
1048  schtasks.exe
1676  schtasks.exe
2744  schtasks.exe
2600  schtasks.exe
2560  schtasks.exe
2044  schtasks.exe
1092  schtasks.exe
2876  schtasks.exe
2632  schtasks.exe
1940  schtasks.exe
316  schtasks.exe
1796  schtasks.exe
2868  schtasks.exe
2216  schtasks.exe
2732  schtasks.exe
2032  schtasks.exe
2516  schtasks.exe
2604  schtasks.exe
1964  schtasks.exe
1056  schtasks.exe
1144  schtasks.exe
Suspicious behavior: EnumeratesProcesses 20 IoCs
pid  Process
2952  DllCommonsvc.exe
2820  powershell.exe
2896  powershell.exe
2736  powershell.exe
1760  powershell.exe
1936  powershell.exe
2748  powershell.exe
2928  powershell.exe
2620  powershell.exe
448  smss.exe
1324  smss.exe
788  smss.exe
1760  smss.exe
2728  smss.exe
1596  smss.exe
1504  smss.exe
2752  smss.exe
2212  smss.exe
1608  smss.exe
2396  smss.exe
Suspicious use of AdjustPrivilegeToken 20 IoCs
description  pid  Process
Token: SeDebugPrivilege  2952  DllCommonsvc.exe
Token: SeDebugPrivilege  2820  powershell.exe
Token: SeDebugPrivilege  2896  powershell.exe
Token: SeDebugPrivilege  2736  powershell.exe
Token: SeDebugPrivilege  1760  powershell.exe
Token: SeDebugPrivilege  1936  powershell.exe
Token: SeDebugPrivilege  448  smss.exe
Token: SeDebugPrivilege  2748  powershell.exe
Token: SeDebugPrivilege  2928  powershell.exe
Token: SeDebugPrivilege  2620  powershell.exe
Token: SeDebugPrivilege  1324  smss.exe
Token: SeDebugPrivilege  788  smss.exe
Token: SeDebugPrivilege  1760  smss.exe
Token: SeDebugPrivilege  2728  smss.exe
Token: SeDebugPrivilege  1596  smss.exe
Token: SeDebugPrivilege  1504  smss.exe
Token: SeDebugPrivilege  2752  smss.exe
Token: SeDebugPrivilege  2212  smss.exe
Token: SeDebugPrivilege  1608  smss.exe
Token: SeDebugPrivilege  2396  smss.exe
Suspicious use of WriteProcessMemory 64 IoCs
description  pid  Process  procid_target
PID 1924 wrote to memory of 2088  1924  JaffaCakes118_cddbcb6405986e2582059fd64321db1c7e14dd50c5c3ea4c68c4ca915a676a24.exe  30
PID 1924 wrote to memory of 2088  1924  JaffaCakes118_cddbcb6405986e2582059fd64321db1c7e14dd50c5c3ea4c68c4ca915a676a24.exe  30
PID 1924 wrote to memory of 2088  1924  JaffaCakes118_cddbcb6405986e2582059fd64321db1c7e14dd50c5c3ea4c68c4ca915a676a24.exe  30
PID 1924 wrote to memory of 2088  1924  JaffaCakes118_cddbcb6405986e2582059fd64321db1c7e14dd50c5c3ea4c68c4ca915a676a24.exe  30
PID 2088 wrote to memory of 2136  2088  WScript.exe  32
PID 2088 wrote to memory of 2136  2088  WScript.exe  32
PID 2088 wrote to memory of 2136  2088  WScript.exe  32
PID 2088 wrote to memory of 2136  2088  WScript.exe  32
PID 2136 wrote to memory of 2952  2136  cmd.exe  34
PID 2136 wrote to memory of 2952  2136  cmd.exe  34
PID 2136 wrote to memory of 2952  2136  cmd.exe  34
PID 2136 wrote to memory of 2952  2136  cmd.exe  34
PID 2952 wrote to memory of 1760  2952  DllCommonsvc.exe  57
PID 2952 wrote to memory of 1760  2952  DllCommonsvc.exe  57
PID 2952 wrote to memory of 1760  2952  DllCommonsvc.exe  57
PID 2952 wrote to memory of 2748  2952  DllCommonsvc.exe  58
PID 2952 wrote to memory of 2748  2952  DllCommonsvc.exe  58
PID 2952 wrote to memory of 2748  2952  DllCommonsvc.exe  58
PID 2952 wrote to memory of 2896  2952  DllCommonsvc.exe  59
PID 2952 wrote to memory of 2896  2952  DllCommonsvc.exe  59
PID 2952 wrote to memory of 2896  2952  DllCommonsvc.exe  59
PID 2952 wrote to memory of 2820  2952  DllCommonsvc.exe  60
PID 2952 wrote to memory of 2820  2952  DllCommonsvc.exe  60
PID 2952 wrote to memory of 2820  2952  DllCommonsvc.exe  60
PID 2952 wrote to memory of 2736  2952  DllCommonsvc.exe  61
PID 2952 wrote to memory of 2736  2952  DllCommonsvc.exe  61
PID 2952 wrote to memory of 2736  2952  DllCommonsvc.exe  61
PID 2952 wrote to memory of 2620  2952  DllCommonsvc.exe  62
PID 2952 wrote to memory of 2620  2952  DllCommonsvc.exe  62
PID 2952 wrote to memory of 2620  2952  DllCommonsvc.exe  62
PID 2952 wrote to memory of 1936  2952  DllCommonsvc.exe  63
PID 2952 wrote to memory of 1936  2952  DllCommonsvc.exe  63
PID 2952 wrote to memory of 1936  2952  DllCommonsvc.exe  63
PID 2952 wrote to memory of 2928  2952  DllCommonsvc.exe  64
PID 2952 wrote to memory of 2928  2952  DllCommonsvc.exe  64
PID 2952 wrote to memory of 2928  2952  DllCommonsvc.exe  64
PID 2952 wrote to memory of 448  2952  DllCommonsvc.exe  73
PID 2952 wrote to memory of 448  2952  DllCommonsvc.exe  73
PID 2952 wrote to memory of 448  2952  DllCommonsvc.exe  73
PID 448 wrote to memory of 3048  448  smss.exe  74
PID 448 wrote to memory of 3048  448  smss.exe  74
PID 448 wrote to memory of 3048  448  smss.exe  74
PID 3048 wrote to memory of 1664  3048  cmd.exe  76
PID 3048 wrote to memory of 1664  3048  cmd.exe  76
PID 3048 wrote to memory of 1664  3048  cmd.exe  76
PID 3048 wrote to memory of 1324  3048  cmd.exe  77
PID 3048 wrote to memory of 1324  3048  cmd.exe  77
PID 3048 wrote to memory of 1324  3048  cmd.exe  77
PID 1324 wrote to memory of 2408  1324  smss.exe  78
PID 1324 wrote to memory of 2408  1324  smss.exe  78
PID 1324 wrote to memory of 2408  1324  smss.exe  78
PID 2408 wrote to memory of 2820  2408  cmd.exe  80
PID 2408 wrote to memory of 2820  2408  cmd.exe  80
PID 2408 wrote to memory of 2820  2408  cmd.exe  80
PID 2408 wrote to memory of 788  2408  cmd.exe  81
PID 2408 wrote to memory of 788  2408  cmd.exe  81
PID 2408 wrote to memory of 788  2408  cmd.exe  81
PID 788 wrote to memory of 2928  788  smss.exe  82
PID 788 wrote to memory of 2928  788  smss.exe  82
PID 788 wrote to memory of 2928  788  smss.exe  82
PID 2928 wrote to memory of 2176  2928  cmd.exe  84
PID 2928 wrote to memory of 2176  2928  cmd.exe  84
PID 2928 wrote to memory of 2176  2928  cmd.exe  84
PID 2928 wrote to memory of 1760  2928  cmd.exe  85
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
[depth 1] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cddbcb6405986e2582059fd64321db1c7e14dd50c5c3ea4c68c4ca915a676a24.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cddbcb6405986e2582059fd64321db1c7e14dd50c5c3ea4c68c4ca915a676a24.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 1924

[depth 2] C:\Windows\SysWOW64\WScript.exe
  cmdline: "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2088

[depth 3] C:\Windows\SysWOW64\cmd.exe
  cmdline: cmd /c ""C:\providercommon\1zu9dW.bat" "
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2136

[depth 4] C:\providercommon\DllCommonsvc.exe
  cmdline: "C:\providercommon\DllCommonsvc.exe"
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2952

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1760

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\cmd.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2748

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\cmd.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2896

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\smss.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2820

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsm.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2736

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Defender\es-ES\cmd.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2620

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\WMIADAP.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1936

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\smss.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2928

[depth 5] C:\Users\Default\smss.exe
  cmdline: "C:\Users\Default\smss.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 448
[depth 6] C:\Windows\System32\cmd.exe
  cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uxMZkGAiOs.bat"
  - Suspicious use of WriteProcessMemory
  PID: 3048

[depth 7] C:\Windows\system32\w32tm.exe
  cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 1664

[depth 7] C:\Users\Default\smss.exe
  cmdline: "C:\Users\Default\smss.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1324

[depth 8] C:\Windows\System32\cmd.exe
  cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5AjNu1Vgdj.bat"
  - Suspicious use of WriteProcessMemory
  PID: 2408

[depth 9] C:\Windows\system32\w32tm.exe
  cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2820

[depth 9] C:\Users\Default\smss.exe
  cmdline: "C:\Users\Default\smss.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 788

[depth 10] C:\Windows\System32\cmd.exe
  cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\h6oaLUsZTY.bat"
  - Suspicious use of WriteProcessMemory
  PID: 2928

[depth 11] C:\Windows\system32\w32tm.exe
  cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2176

[depth 11] C:\Users\Default\smss.exe
  cmdline: "C:\Users\Default\smss.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1760

[depth 12] C:\Windows\System32\cmd.exe
  cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\b6uRiEqY03.bat"
  PID: 2476

[depth 13] C:\Windows\system32\w32tm.exe
  cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2640

[depth 13] C:\Users\Default\smss.exe
  cmdline: "C:\Users\Default\smss.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2728

[depth 14] C:\Windows\System32\cmd.exe
  cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\paq62miIo8.bat"
  PID: 600

[depth 15] C:\Windows\system32\w32tm.exe
  cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2828

[depth 15] C:\Users\Default\smss.exe
  cmdline: "C:\Users\Default\smss.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1596

[depth 16] C:\Windows\System32\cmd.exe
  cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zKs2Tjd9zb.bat"
  PID: 1644

[depth 17] C:\Windows\system32\w32tm.exe
  cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 1668

[depth 17] C:\Users\Default\smss.exe
  cmdline: "C:\Users\Default\smss.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1504

[depth 18] C:\Windows\System32\cmd.exe
  cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EYKlAcFNfO.bat"
  PID: 872

[depth 19] C:\Windows\system32\w32tm.exe
  cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2892

[depth 19] C:\Users\Default\smss.exe
  cmdline: "C:\Users\Default\smss.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2752

[depth 20] C:\Windows\System32\cmd.exe
  cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kwOVarqRTQ.bat"
  PID: 2300

[depth 21] C:\Windows\system32\w32tm.exe
  cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 268

[depth 21] C:\Users\Default\smss.exe
  cmdline: "C:\Users\Default\smss.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2212

[depth 22] C:\Windows\System32\cmd.exe
  cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MpmmxgpAh8.bat"
  PID: 912

[depth 23] C:\Windows\system32\w32tm.exe
  cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 984

[depth 23] C:\Users\Default\smss.exe
  cmdline: "C:\Users\Default\smss.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1608

[depth 24] C:\Windows\System32\cmd.exe
  cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ewVMycoP0v.bat"
  PID: 2616

[depth 25] C:\Windows\system32\w32tm.exe
  cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2096

[depth 25] C:\Users\Default\smss.exe
  cmdline: "C:\Users\Default\smss.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2396
[depth 1] C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\cmd.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2868

[depth 1] C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2876

[depth 1] C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2744

[depth 1] C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\cmd.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2600

[depth 1] C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2604

[depth 1] C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2560

[depth 1] C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Users\Default\smss.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2632

[depth 1] C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Default\smss.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2216

[depth 1] C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Users\Default\smss.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2732

[depth 1] C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsm.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2044

[depth 1] C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1092

[depth 1] C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1048

[depth 1] C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Defender\es-ES\cmd.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2032

[depth 1] C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\es-ES\cmd.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1964

[depth 1] C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Defender\es-ES\cmd.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2516

[depth 1] C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\WMIADAP.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1056

[depth 1] C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\WMIADAP.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 316

[depth 1] C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\WMIADAP.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1676

[depth 1] C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\smss.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1940

[depth 1] C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\smss.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1144

[depth 1] C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\smss.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1796
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: bc6b80a8cf1031a490715737f55d2156
  SHA1: 403ea6314710ffa962ccb1fb93c4c595a5a550d4
  SHA256: 600b607797fc89256107c38948ba1a39bcda588783ec4458a8781627e4f2b37f
  SHA512: 3bf529cd2eb17142a4c160d50521537e2b701e73923b0ffb385cb34cc04fe8e5750a240a63c65e086fe1b300d5e77f619cf9e41ee6587c96c9fd9a1c31832aac

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: fb975b05153fa9d50c506892dd57fec3
  SHA1: bac9647d331db68ddeb0d2de04c9951a01e9207f
  SHA256: 50e20802df30b8f9004a797e819f01338e643bb413f1d5c19463aa6c16486810
  SHA512: 6da069f5b96a0f3acd73948b55378a63b01e1c8f3edf3c90eecd1d60da23f73cebb13ab82dce79e06579ec53cab3f2ab7adbc74783e2d2c8f66d5104acec6451

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 2a57d70c58952f22158e614445dfa901
  SHA1: c277fec1e0a0d9a6418078b672bb21276b0bd076
  SHA256: ebbcd7b9604143ff1420e593888407e4a5e0666c7f8ed5629f52389280797a41
  SHA512: f73a91d28b3e361f46562ecd5996beaa19474ac3b0f02a89f6bd0cd0164f2779124b9cbf36f114c5974099a4c193d50dcc18993b43351267d8e9f53e4bbe7279

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: df4452bba29f3c5aa47cb1e9dd3e9a16
  SHA1: 8403f42174dac2c98c317f63cb9007b24709731e
  SHA256: eaa12e8ef3dae76fb612a129069fe4be0f854cf3c4b64069da50ab32c6396806
  SHA512: f9343b08aaf1a2559f6ed825a96222bde22c92194b76db86f0d552afa1e8342c227f7fd9bcb3115145e68f9169faba886ebcd918b0a246950f8ccddc48ad170c

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 645314f99b7b19ad802ca53559b1d421
  SHA1: 3bd7e261789628dbdbd3c1fa65f10b631186ced3
  SHA256: 348aa5780a54362ef7b0ca7dc6f9a2acd0cd843d9036540dd1266588755c030a
  SHA512: a3a5b5365050cdf72264b0ee05bcc2e90d0fd8970ce7d6d0d9e4898e059232c8688ad698200bbe3b365ccd541770c58f706d8f0c8c633f686ebd09f0a8ed54e4

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: f78ead3ba55f2eabe253d18b913f52a9
  SHA1: cf3e133c8a9b98a84c0f7d927a52bb2a02d08a39
  SHA256: 29fa6250f683d1668b94d9d6e65f3883cba86c9bb1509102221e9b1c76415f03
  SHA512: 21d1d9b7f53e4df96aa7aff20ad70a1188667b7e91cb74fa452d560b9d4d542ad0df019dcf4859653b6a859fe08d2bc7ad26d39658d509e49ca9a7fe7c14cc9f

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 78139e91335e0ffc00ad17a0599feb2b
  SHA1: 710dc688caf8c83f162a1c3f74d094cfe142fae4
  SHA256: a2f236c82e802242174258cb954cc497612221e0d582dca6b58209fb9e829a96
  SHA512: e9923a73d81293a94bf34b049794370d4312f20357027be32645ea50bbc54883ab6359901de5289a756c6170ffeb90bbabe0672895e1da40fd9bd7f25e940c14

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: ab412a6755ce255e774ff897349c946e
  SHA1: 180b1292e659c80a9683f4e66088a58b387cd6f7
  SHA256: f52dbd0b11fa01be9e28067529805c7d8fcefee915cd2f0d442f42840572a674
  SHA512: d4236a2eb797724f3634019ffaa6457a7f303dd2d75e5f5bce005e162cad7a0b2d7ac20f4292e6760f1af81b8517fde9171004da548a019c01834bd29741f585

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: cf4081ed36bdc88ab1cde59907428e76
  SHA1: c3f924d6d307d022c6bdbf0037b09cc86633a03b
  SHA256: 917c524d5f5077b5fd460c2dee8defd97237ee8778f37d58bbd039df49caf29f
  SHA512: 57b872a883664d2e706eaad495d82ad97d6b23a8f7164e933e70523e6f25228a34436c36344e397e422d9c5a4277265d61ea2059a31118d16ce3dabeb3dc325e
- Filesize: 190B
  MD5: a502f811e9c4207ac27ad36acffba64c
  SHA1: 9c502a394f626ec7f22d896520d66a10c92a2c5e
  SHA256: 4ddec2252033c970fdb71e63c06e1fad7aa123068d477993df565f869204f8a2
  SHA512: fff557b87e3b7fe4dbbdc06c8cea7ecd71b4f022a375f82864ff0a5d5e978c328c9cb44a03425c18668ee20a461a7537b2c8e858441aa313c67cf2dc90ab3248

- Filesize: 70KB
  MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
  SHA1: 1723be06719828dda65ad804298d0431f6aff976
  SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
  SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

- Filesize: 190B
  MD5: 62dc16ee42ea768c90df17dbeefa205d
  SHA1: 06e4128c301f03d308faee2295d18f7bb1c4ad6f
  SHA256: 62d3b3f1f81b36eb8d8b3ee65c00e331ba8dac187f1a9c7cf098524c9cf6a056
  SHA512: 4ce2eae77558ef4e883e319ed0c2d830877129fdf64e0df123c9d291837d7afec70f83ee60a3f73ece447b1f65d8aedb61d6aac47c87162705b564bb851c5ac2

- Filesize: 190B
  MD5: 0c1d870a7a4eaf3d21b832d0776ae4df
  SHA1: b5606f09a40136d4ef9d6ce291698ba1b57983cd
  SHA256: e7c8a1d280b9a54dc9315ac228461218ad8b5f5d68b4fa3ce20c83d591c897f0
  SHA512: c850030c18654ab0e21751799bcde6291fe3526f41aa72bb0c345f4aa2cb6ce8d64e773c51d58139fe984a8c7f4ff00e40975318dffa85596cc95a2f560b4032

- Filesize: 181KB
  MD5: 4ea6026cf93ec6338144661bf1202cd1
  SHA1: a1dec9044f750ad887935a01430bf49322fbdcb7
  SHA256: 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
  SHA512: 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

- Filesize: 190B
  MD5: f32b2689a8d1515537e9698eaa66a456
  SHA1: f65d481993a13d3edad3d7839833b0b831755e33
  SHA256: bd5159848053570527bb42462cdbc055e2a5f4b626adbb24164f896570747743
  SHA512: c116de9b2903dca6930f1865316dfbe34ef96d724e414c0b81b937630627be765010044d66ce911269e72138d70f89c9e2a62e99ebc2a74ade3eae54d6e822f2

- Filesize: 190B
  MD5: 8ae3eefd6e28ca18b10d63ebd8dd285c
  SHA1: 3b842e32dcd3fc7be0d37b3a99d24389c058469b
  SHA256: 3dbd8407a8c037b8f8053b30f054a86203915f3e21ca74c6f6f1d011271219c0
  SHA512: 6dcc57f1242e6225d458fd0c85adc9bcba39b8ccc9e610f009872e727f1c9e637d7d7cc66b25ec3ca8d0449debad8e15a4a0f57993f9ccaaafc33fe73f2b4154

- Filesize: 190B
  MD5: 9455e9e7633cc576e159ee248f13463c
  SHA1: d4c644c62ceccab195a3d97485c174d8bcafac4b
  SHA256: 61db138cc3cf8a581a1d1b1f8ae69713ad145882ee48f5b980014c9859bdccf9
  SHA512: 4184eadbcd7e4bdfca3058fba41097bf0eebf3ca149fbbe51c9d7db5d2dae790a8ffd5451cbc0a596839c0a2020f69e3a4e13d4c2b2f344e12108a4ab4848094

- Filesize: 190B
  MD5: e902853ebe3f38058fda741642058801
  SHA1: 97e5e889d87d556d1201c23962286c72dfb5406f
  SHA256: 52b883ddf2e4f5d8b986f3e71ea97a6b7feaea58f018a8ecb9859002292449ff
  SHA512: d8874aa1e93316a840a5a6f49d54e3c1e17725e3aa916726033d72d60c234a4910520d8a08e8ff8989d089609df548e228b101767f0ff53dd620db3b5ed4e266

- Filesize: 190B
  MD5: 6477089a9bd8e033c16502bfce7bfb6f
  SHA1: 2f5ff18a41c846bf5fd12335813854d58337de9b
  SHA256: aead4cfc2e765dd49227857bc72c1b5da075bc6e58d3247e1536aa4e95ed97db
  SHA512: dc05c2673d57d6b0ddb7ec1c1d3e21736b96b69a61726e40a2e96981b8a65aa9b4bccad8652a6b2ff70931ee05740e7898d79fb18b3f93e9c8f17375850e00e7

- Filesize: 190B
  MD5: e2ba803b5b81d549d1ec7ecef5304bb6
  SHA1: 0d649c0b70ba5fb3161ad7e8cc3767dde7cc8a15
  SHA256: dbc393ca8f0cd931b14824186c20215d35dd090c522fb40180656274775be1bf
  SHA512: 1331a23401b96a42c3125c353270df1ce1818b035c829a9795d673a8afd04307e4639e5fe7e56401e288f6189ca702db29e8cae787e6e46dae67bd7d0acefdd7

- Filesize: 190B
  MD5: 57274bb74297777f79c0c60b8d010a8c
  SHA1: 9c9855c1630944caa38d9367e7b34c9af4e8da51
  SHA256: 979994a209807f2548c6d95e5fc0882b39e004627aa9f2dfff491d170cc583b2
  SHA512: 2e6f89aca3f77a70b5162a2ab99c3836b254d6cded2154913935892ed29eb56694cb95630a47780ed20491cb53ca2aa01f209077f0894a1908b9ecd6e0298134

- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: f69434e9ad5275b4f2e88f530439d60c
  SHA1: a54fa7e2e5763f53bddd4b306c73356167034dbe
  SHA256: 1bde099f6a99a5f5c489898b8ea04119017741389fa4b843cd1c57120550a7bd
  SHA512: dbbbc0bf921cad4c5df4b5b100ab6f469e3f144dab469fc10c25e24d90ac49c416c18aba00161fee80d39f2a5dd4e34bc3673395592eca43c47ab96a5f4b4658

- Filesize: 36B
  MD5: 6783c3ee07c7d151ceac57f1f9c8bed7
  SHA1: 17468f98f95bf504cc1f83c49e49a78526b3ea03
  SHA256: 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
  SHA512: c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

- Filesize: 197B
  MD5: 8088241160261560a02c84025d107592
  SHA1: 083121f7027557570994c9fc211df61730455bb5
  SHA256: 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
  SHA512: 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

- Filesize: 1.0MB
  MD5: bd31e94b4143c4ce49c17d3af46bcad0
  SHA1: f8c51ff3ff909531d9469d4ba1bbabae101853ff
  SHA256: b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
  SHA512: f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394