Analysis
- max time kernel: 150s
- max time network: 149s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 21-12-2024 19:59
Behavioral task: behavioral1
- Sample: JaffaCakes118_639905b41b130d400424dfc927ee0c92d19112f1038c4b5d8d9a53d3b881e041.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: JaffaCakes118_639905b41b130d400424dfc927ee0c92d19112f1038c4b5d8d9a53d3b881e041.exe
- Resource: win10v2004-20241007-en
General
- Target: JaffaCakes118_639905b41b130d400424dfc927ee0c92d19112f1038c4b5d8d9a53d3b881e041.exe
- Size: 1.3MB
- MD5: f6c59a68cd83fc2707dbd04b33395149
- SHA1: 54c4b461747a56b4cb94fb1bd7e68f5b25b9c387
- SHA256: 639905b41b130d400424dfc927ee0c92d19112f1038c4b5d8d9a53d3b881e041
- SHA512: 2743f7c5cb515bfa3e4b1c62717930b4fb33a51b77a1d59662fb94145732adda7f39f9124fb00e61ed5c73fcc91a5f0bd71a7b5b336fcdad9e70c4eb2f224702
- SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
DcRat
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
Dcrat family
resource | yara_rule
behavioral1/files/0x00070000000186fd-12.dat | dcrat
behavioral1/memory/2484-13-0x00000000011C0000-0x00000000012D0000-memory.dmp | dcrat
behavioral1/memory/2012-80-0x0000000000F30000-0x0000000001040000-memory.dmp | dcrat
behavioral1/memory/2472-140-0x0000000001340000-0x0000000001450000-memory.dmp | dcrat
Process spawned unexpected child process (21 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2804 | 2916 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2888 | 2916 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2984 | 2916 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2664 | 2916 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2616 | 2916 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2696 | 2916 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2324 | 2916 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2404 | 2916 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1028 | 2916 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2028 | 2916 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1108 | 2916 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2036 | 2916 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2992 | 2916 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2004 | 2916 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2848 | 2916 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2836 | 2916 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2824 | 2916 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2832 | 2916 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1864 | 2916 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1436 | 2916 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2132 | 2916 | schtasks.exe | 34
Command and Scripting Interpreter: PowerShell (1 TTPs, 8 IoCs)
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid | Process
1940 | powershell.exe
2716 | powershell.exe
2372 | powershell.exe
1880 | powershell.exe
2520 | powershell.exe
2172 | powershell.exe
2268 | powershell.exe
2068 | powershell.exe
Executes dropped EXE (12 IoCs)
pid | Process
2484 | DllCommonsvc.exe
2012 | explorer.exe
2472 | explorer.exe
1604 | explorer.exe
1880 | explorer.exe
2296 | explorer.exe
2508 | explorer.exe
1136 | explorer.exe
2896 | explorer.exe
1612 | explorer.exe
1088 | explorer.exe
1668 | explorer.exe
Loads dropped DLL (2 IoCs)
pid | Process
1748 | cmd.exe
1748 | cmd.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 11 IoCs)
flow | ioc
22 | raw.githubusercontent.com
29 | raw.githubusercontent.com
32 | raw.githubusercontent.com
36 | raw.githubusercontent.com
4 | raw.githubusercontent.com
5 | raw.githubusercontent.com
9 | raw.githubusercontent.com
12 | raw.githubusercontent.com
15 | raw.githubusercontent.com
18 | raw.githubusercontent.com
25 | raw.githubusercontent.com
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_639905b41b130d400424dfc927ee0c92d19112f1038c4b5d8d9a53d3b881e041.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Scheduled Task/Job: Scheduled Task (1 TTPs, 21 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
2832 | schtasks.exe
2132 | schtasks.exe
2984 | schtasks.exe
2616 | schtasks.exe
2036 | schtasks.exe
2004 | schtasks.exe
2664 | schtasks.exe
2848 | schtasks.exe
1436 | schtasks.exe
2028 | schtasks.exe
1108 | schtasks.exe
2824 | schtasks.exe
1864 | schtasks.exe
2888 | schtasks.exe
2696 | schtasks.exe
2324 | schtasks.exe
2404 | schtasks.exe
2804 | schtasks.exe
1028 | schtasks.exe
2992 | schtasks.exe
2836 | schtasks.exe
Suspicious behavior: EnumeratesProcesses (22 IoCs)
pid | Process
2484 | DllCommonsvc.exe
2484 | DllCommonsvc.exe
2484 | DllCommonsvc.exe
2172 | powershell.exe
2068 | powershell.exe
1880 | powershell.exe
2716 | powershell.exe
2520 | powershell.exe
2372 | powershell.exe
2268 | powershell.exe
1940 | powershell.exe
2012 | explorer.exe
2472 | explorer.exe
1604 | explorer.exe
1880 | explorer.exe
2296 | explorer.exe
2508 | explorer.exe
1136 | explorer.exe
2896 | explorer.exe
1612 | explorer.exe
1088 | explorer.exe
1668 | explorer.exe
Suspicious use of AdjustPrivilegeToken (20 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2484 | DllCommonsvc.exe
Token: SeDebugPrivilege | 2172 | powershell.exe
Token: SeDebugPrivilege | 2068 | powershell.exe
Token: SeDebugPrivilege | 1880 | powershell.exe
Token: SeDebugPrivilege | 2716 | powershell.exe
Token: SeDebugPrivilege | 2520 | powershell.exe
Token: SeDebugPrivilege | 2372 | powershell.exe
Token: SeDebugPrivilege | 2268 | powershell.exe
Token: SeDebugPrivilege | 1940 | powershell.exe
Token: SeDebugPrivilege | 2012 | explorer.exe
Token: SeDebugPrivilege | 2472 | explorer.exe
Token: SeDebugPrivilege | 1604 | explorer.exe
Token: SeDebugPrivilege | 1880 | explorer.exe
Token: SeDebugPrivilege | 2296 | explorer.exe
Token: SeDebugPrivilege | 2508 | explorer.exe
Token: SeDebugPrivilege | 1136 | explorer.exe
Token: SeDebugPrivilege | 2896 | explorer.exe
Token: SeDebugPrivilege | 1612 | explorer.exe
Token: SeDebugPrivilege | 1088 | explorer.exe
Token: SeDebugPrivilege | 1668 | explorer.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Identical rows are collapsed; the occurrences column gives how many times each event was recorded.
description | pid | Process | procid_target | occurrences
PID 2236 wrote to memory of 2320 | 2236 | JaffaCakes118_639905b41b130d400424dfc927ee0c92d19112f1038c4b5d8d9a53d3b881e041.exe | 30 | 4
PID 2320 wrote to memory of 1748 | 2320 | WScript.exe | 31 | 4
PID 1748 wrote to memory of 2484 | 1748 | cmd.exe | 33 | 4
PID 2484 wrote to memory of 1880 | 2484 | DllCommonsvc.exe | 57 | 3
PID 2484 wrote to memory of 2520 | 2484 | DllCommonsvc.exe | 58 | 3
PID 2484 wrote to memory of 2172 | 2484 | DllCommonsvc.exe | 59 | 3
PID 2484 wrote to memory of 2268 | 2484 | DllCommonsvc.exe | 60 | 3
PID 2484 wrote to memory of 2068 | 2484 | DllCommonsvc.exe | 61 | 3
PID 2484 wrote to memory of 1940 | 2484 | DllCommonsvc.exe | 62 | 3
PID 2484 wrote to memory of 2716 | 2484 | DllCommonsvc.exe | 63 | 3
PID 2484 wrote to memory of 2372 | 2484 | DllCommonsvc.exe | 64 | 3
PID 2484 wrote to memory of 836 | 2484 | DllCommonsvc.exe | 73 | 3
PID 836 wrote to memory of 772 | 836 | cmd.exe | 75 | 3
PID 836 wrote to memory of 2012 | 836 | cmd.exe | 76 | 3
PID 2012 wrote to memory of 1808 | 2012 | explorer.exe | 77 | 3
PID 1808 wrote to memory of 2016 | 1808 | cmd.exe | 79 | 3
PID 1808 wrote to memory of 2472 | 1808 | cmd.exe | 80 | 3
PID 2472 wrote to memory of 1748 | 2472 | explorer.exe | 81 | 3
PID 1748 wrote to memory of 2708 | 1748 | cmd.exe | 83 | 3
PID 1748 wrote to memory of 1604 | 1748 | cmd.exe | 84 | 3
PID 1604 wrote to memory of 2164 | 1604 | explorer.exe | 85 | 1
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Each entry gives the image path, the command line, the matching signatures and the PID; "depth N" is the nesting level in the process tree.
[depth 1] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_639905b41b130d400424dfc927ee0c92d19112f1038c4b5d8d9a53d3b881e041.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_639905b41b130d400424dfc927ee0c92d19112f1038c4b5d8d9a53d3b881e041.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2236
[depth 2] C:\Windows\SysWOW64\WScript.exe
  cmdline: "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2320
[depth 3] C:\Windows\SysWOW64\cmd.exe
  cmdline: cmd /c ""C:\providercommon\1zu9dW.bat" "
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 1748
[depth 4] C:\providercommon\DllCommonsvc.exe
  cmdline: "C:\providercommon\DllCommonsvc.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2484
[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1880
[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\conhost.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2520
[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\lsass.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2172
[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\spoolsv.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2268
[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\smss.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2068
[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\smss.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1940
[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Application Data\explorer.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2716
[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\WmiPrvSE.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2372
[depth 5] C:\Windows\System32\cmd.exe
  cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1Tr1H9JjvN.bat"
  - Suspicious use of WriteProcessMemory
  PID: 836
[depth 6] C:\Windows\system32\w32tm.exe
  cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 772
[depth 6] C:\Users\All Users\Application Data\explorer.exe
  cmdline: "C:\Users\All Users\Application Data\explorer.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2012
[depth 7] C:\Windows\System32\cmd.exe
  cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hc9iMPvVJ4.bat"
  - Suspicious use of WriteProcessMemory
  PID: 1808
[depth 8] C:\Windows\system32\w32tm.exe
  cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2016
[depth 8] C:\Users\All Users\Application Data\explorer.exe
  cmdline: "C:\Users\All Users\Application Data\explorer.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2472
[depth 9] C:\Windows\System32\cmd.exe
  cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TfYr4aOzGb.bat"
  - Suspicious use of WriteProcessMemory
  PID: 1748
[depth 10] C:\Windows\system32\w32tm.exe
  cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2708
[depth 10] C:\Users\All Users\Application Data\explorer.exe
  cmdline: "C:\Users\All Users\Application Data\explorer.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1604
[depth 11] C:\Windows\System32\cmd.exe
  cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FEON83D8AI.bat"
  PID: 2164
[depth 12] C:\Windows\system32\w32tm.exe
  cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 956
[depth 12] C:\Users\All Users\Application Data\explorer.exe
  cmdline: "C:\Users\All Users\Application Data\explorer.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1880
[depth 13] C:\Windows\System32\cmd.exe
  cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Oupdpj3XpI.bat"
  PID: 264
[depth 14] C:\Windows\system32\w32tm.exe
  cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2924
[depth 14] C:\Users\All Users\Application Data\explorer.exe
  cmdline: "C:\Users\All Users\Application Data\explorer.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2296
[depth 15] C:\Windows\System32\cmd.exe
  cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GsZYO5BIqk.bat"
  PID: 2132
[depth 16] C:\Windows\system32\w32tm.exe
  cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 1108
[depth 16] C:\Users\All Users\Application Data\explorer.exe
  cmdline: "C:\Users\All Users\Application Data\explorer.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2508
[depth 17] C:\Windows\System32\cmd.exe
  cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JhFjyqSsxH.bat"
  PID: 1184
[depth 18] C:\Windows\system32\w32tm.exe
  cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 1960
[depth 18] C:\Users\All Users\Application Data\explorer.exe
  cmdline: "C:\Users\All Users\Application Data\explorer.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1136
[depth 19] C:\Windows\System32\cmd.exe
  cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lg1oIatdTn.bat"
  PID: 2956
[depth 20] C:\Windows\system32\w32tm.exe
  cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 772
[depth 20] C:\Users\All Users\Application Data\explorer.exe
  cmdline: "C:\Users\All Users\Application Data\explorer.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2896
[depth 21] C:\Windows\System32\cmd.exe
  cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vCRFnHZZKP.bat"
  PID: 2844
[depth 22] C:\Windows\system32\w32tm.exe
  cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2072
[depth 22] C:\Users\All Users\Application Data\explorer.exe
  cmdline: "C:\Users\All Users\Application Data\explorer.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1612
[depth 23] C:\Windows\System32\cmd.exe
  cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yQKAuQiBIV.bat"
  PID: 2188
[depth 24] C:\Windows\system32\w32tm.exe
  cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 276
[depth 24] C:\Users\All Users\Application Data\explorer.exe
  cmdline: "C:\Users\All Users\Application Data\explorer.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1088
[depth 25] C:\Windows\System32\cmd.exe
  cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5mXdMdden9.bat"
  PID: 1348
[depth 26] C:\Windows\system32\w32tm.exe
  cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 1464
[depth 26] C:\Users\All Users\Application Data\explorer.exe
  cmdline: "C:\Users\All Users\Application Data\explorer.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1668
[depth 1] C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\conhost.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2804
[depth 1] C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2888
[depth 1] C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2984
[depth 1] C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\lsass.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2664
[depth 1] C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\lsass.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2616
[depth 1] C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\lsass.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2696
[depth 1] C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\spoolsv.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2324
[depth 1] C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2404
[depth 1] C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1028
[depth 1] C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\smss.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2028
[depth 1] C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\smss.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1108
[depth 1] C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\smss.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2036
[depth 1] C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\providercommon\smss.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2992
[depth 1] C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2004
[depth 1] C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2848
[depth 1] C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Application Data\explorer.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2836
[depth 1] C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\All Users\Application Data\explorer.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2824
[depth 1] C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Application Data\explorer.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2832
[depth 1] C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Users\Public\WmiPrvSE.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1864
[depth 1] C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Public\WmiPrvSE.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1436
[depth 1] C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Users\Public\WmiPrvSE.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2132
Network
MITRE ATT&CK Enterprise v15
Downloads