Analysis
max time kernel: 149s
max time network: 144s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 21-12-2024 21:08
Behavioral task: behavioral1
Sample: JaffaCakes118_5e8eb37cc096268975d3849ebe2aa475cc8620b3b5e08bd6582a24da758f40bd.exe
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: JaffaCakes118_5e8eb37cc096268975d3849ebe2aa475cc8620b3b5e08bd6582a24da758f40bd.exe
Resource: win10v2004-20241007-en
General
Target: JaffaCakes118_5e8eb37cc096268975d3849ebe2aa475cc8620b3b5e08bd6582a24da758f40bd.exe
Size: 1.3MB
MD5: 5c92ccdf6b284f1677d622b85ba6bf65
SHA1: 821929a0b3aea12b2ca60487254712d10f97e5d2
SHA256: 5e8eb37cc096268975d3849ebe2aa475cc8620b3b5e08bd6582a24da758f40bd
SHA512: f036d0df48334dbe3920661eab4898158083820c79cb3722a0d7b1d5475a1120965ac26e82b287c5efda6303dbe13c0a68f380b84b1ad80b28253a981b669002
SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
- DcRat
  DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

- Dcrat family
  resource | yara_rule
  behavioral1/files/0x00070000000186f2-9.dat | dcrat
  behavioral1/memory/2684-13-0x0000000000C30000-0x0000000000D40000-memory.dmp | dcrat
  behavioral1/memory/2080-65-0x0000000000370000-0x0000000000480000-memory.dmp | dcrat
  behavioral1/memory/2748-125-0x0000000001340000-0x0000000001450000-memory.dmp | dcrat
  behavioral1/memory/2032-244-0x0000000000300000-0x0000000000410000-memory.dmp | dcrat
  behavioral1/memory/2720-304-0x0000000000220000-0x0000000000330000-memory.dmp | dcrat
  behavioral1/memory/2376-364-0x00000000000E0000-0x00000000001F0000-memory.dmp | dcrat
  behavioral1/memory/2188-425-0x0000000000930000-0x0000000000A40000-memory.dmp | dcrat
  behavioral1/memory/2728-485-0x0000000000210000-0x0000000000320000-memory.dmp | dcrat
  behavioral1/memory/2288-545-0x00000000009E0000-0x0000000000AF0000-memory.dmp | dcrat
  behavioral1/memory/3044-605-0x0000000001190000-0x00000000012A0000-memory.dmp | dcrat
  behavioral1/memory/2820-724-0x00000000002D0000-0x00000000003E0000-memory.dmp | dcrat

- Process spawned unexpected child process (15 IoCs)
  This typically indicates the parent process was compromised via an exploit or macro.
  description | pid | pid_target | Process | procid_target
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2588 | 2572 | schtasks.exe | 34
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2144 | 2572 | schtasks.exe | 34
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1820 | 2572 | schtasks.exe | 34
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3016 | 2572 | schtasks.exe | 34
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2408 | 2572 | schtasks.exe | 34
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2136 | 2572 | schtasks.exe | 34
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1516 | 2572 | schtasks.exe | 34
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1992 | 2572 | schtasks.exe | 34
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 596 | 2572 | schtasks.exe | 34
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2420 | 2572 | schtasks.exe | 34
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2816 | 2572 | schtasks.exe | 34
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1496 | 2572 | schtasks.exe | 34
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 784 | 2572 | schtasks.exe | 34
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2760 | 2572 | schtasks.exe | 34
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2960 | 2572 | schtasks.exe | 34

- Command and Scripting Interpreter: PowerShell (1 TTPs, 6 IoCs)
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  pid | Process
  2940 | powershell.exe
  1308 | powershell.exe
  2412 | powershell.exe
  1816 | powershell.exe
  1052 | powershell.exe
  3000 | powershell.exe

- Executes dropped EXE (13 IoCs)
  pid | Process
  2684 | DllCommonsvc.exe
  2080 | dllhost.exe
  2748 | dllhost.exe
  1404 | dllhost.exe
  2032 | dllhost.exe
  2720 | dllhost.exe
  2376 | dllhost.exe
  2188 | dllhost.exe
  2728 | dllhost.exe
  2288 | dllhost.exe
  3044 | dllhost.exe
  1776 | dllhost.exe
  2820 | dllhost.exe

- Loads dropped DLL (2 IoCs)
  pid | Process
  2528 | cmd.exe
  2528 | cmd.exe

- Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 12 IoCs)
  flow | ioc
  4 | raw.githubusercontent.com
  5 | raw.githubusercontent.com
  9 | raw.githubusercontent.com
  13 | raw.githubusercontent.com
  30 | raw.githubusercontent.com
  38 | raw.githubusercontent.com
  16 | raw.githubusercontent.com
  20 | raw.githubusercontent.com
  23 | raw.githubusercontent.com
  27 | raw.githubusercontent.com
  34 | raw.githubusercontent.com
  41 | raw.githubusercontent.com

- Drops file in Program Files directory (2 IoCs)
  description | ioc | Process
  File created | C:\Program Files\Java\Idle.exe | DllCommonsvc.exe
  File created | C:\Program Files\Java\6ccacd8608530f | DllCommonsvc.exe

- Drops file in Windows directory (3 IoCs)
  description | ioc | Process
  File created | C:\Windows\IME\es-ES\winlogon.exe | DllCommonsvc.exe
  File opened for modification | C:\Windows\IME\es-ES\winlogon.exe | DllCommonsvc.exe
  File created | C:\Windows\IME\es-ES\cc11b995f2a76d | DllCommonsvc.exe

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_5e8eb37cc096268975d3849ebe2aa475cc8620b3b5e08bd6582a24da758f40bd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
- Scheduled Task/Job: Scheduled Task (1 TTPs, 15 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  2588 | schtasks.exe
  1516 | schtasks.exe
  3016 | schtasks.exe
  2420 | schtasks.exe
  2760 | schtasks.exe
  2960 | schtasks.exe
  2408 | schtasks.exe
  2136 | schtasks.exe
  1992 | schtasks.exe
  596 | schtasks.exe
  2816 | schtasks.exe
  2144 | schtasks.exe
  1820 | schtasks.exe
  1496 | schtasks.exe
  784 | schtasks.exe

- Suspicious behavior: EnumeratesProcesses (19 IoCs)
  pid | Process
  2684 | DllCommonsvc.exe
  2412 | powershell.exe
  2940 | powershell.exe
  1816 | powershell.exe
  1308 | powershell.exe
  1052 | powershell.exe
  3000 | powershell.exe
  2080 | dllhost.exe
  2748 | dllhost.exe
  1404 | dllhost.exe
  2032 | dllhost.exe
  2720 | dllhost.exe
  2376 | dllhost.exe
  2188 | dllhost.exe
  2728 | dllhost.exe
  2288 | dllhost.exe
  3044 | dllhost.exe
  1776 | dllhost.exe
  2820 | dllhost.exe

- Suspicious use of AdjustPrivilegeToken (19 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2684 | DllCommonsvc.exe
  Token: SeDebugPrivilege | 2412 | powershell.exe
  Token: SeDebugPrivilege | 2940 | powershell.exe
  Token: SeDebugPrivilege | 1816 | powershell.exe
  Token: SeDebugPrivilege | 1308 | powershell.exe
  Token: SeDebugPrivilege | 1052 | powershell.exe
  Token: SeDebugPrivilege | 3000 | powershell.exe
  Token: SeDebugPrivilege | 2080 | dllhost.exe
  Token: SeDebugPrivilege | 2748 | dllhost.exe
  Token: SeDebugPrivilege | 1404 | dllhost.exe
  Token: SeDebugPrivilege | 2032 | dllhost.exe
  Token: SeDebugPrivilege | 2720 | dllhost.exe
  Token: SeDebugPrivilege | 2376 | dllhost.exe
  Token: SeDebugPrivilege | 2188 | dllhost.exe
  Token: SeDebugPrivilege | 2728 | dllhost.exe
  Token: SeDebugPrivilege | 2288 | dllhost.exe
  Token: SeDebugPrivilege | 3044 | dllhost.exe
  Token: SeDebugPrivilege | 1776 | dllhost.exe
  Token: SeDebugPrivilege | 2820 | dllhost.exe

- Suspicious use of WriteProcessMemory (64 IoCs)
  Identical events are listed once with their occurrence count; the 64 rows of the original table sum to the counts below.
  description | pid | Process | procid_target | occurrences
  PID 1964 wrote to memory of 2748 | 1964 | JaffaCakes118_5e8eb37cc096268975d3849ebe2aa475cc8620b3b5e08bd6582a24da758f40bd.exe | 30 | 4
  PID 2748 wrote to memory of 2528 | 2748 | WScript.exe | 31 | 4
  PID 2528 wrote to memory of 2684 | 2528 | cmd.exe | 33 | 4
  PID 2684 wrote to memory of 2940 | 2684 | DllCommonsvc.exe | 50 | 3
  PID 2684 wrote to memory of 3000 | 2684 | DllCommonsvc.exe | 51 | 3
  PID 2684 wrote to memory of 1308 | 2684 | DllCommonsvc.exe | 52 | 3
  PID 2684 wrote to memory of 2412 | 2684 | DllCommonsvc.exe | 53 | 3
  PID 2684 wrote to memory of 1052 | 2684 | DllCommonsvc.exe | 55 | 3
  PID 2684 wrote to memory of 1816 | 2684 | DllCommonsvc.exe | 56 | 3
  PID 2684 wrote to memory of 2080 | 2684 | DllCommonsvc.exe | 62 | 3
  PID 2080 wrote to memory of 2724 | 2080 | dllhost.exe | 63 | 3
  PID 2724 wrote to memory of 2244 | 2724 | cmd.exe | 65 | 3
  PID 2724 wrote to memory of 2748 | 2724 | cmd.exe | 66 | 3
  PID 2748 wrote to memory of 2380 | 2748 | dllhost.exe | 67 | 3
  PID 2380 wrote to memory of 2396 | 2380 | cmd.exe | 69 | 3
  PID 2380 wrote to memory of 1404 | 2380 | cmd.exe | 70 | 3
  PID 1404 wrote to memory of 1236 | 1404 | dllhost.exe | 71 | 3
  PID 1236 wrote to memory of 1984 | 1236 | cmd.exe | 73 | 3
  PID 1236 wrote to memory of 2032 | 1236 | cmd.exe | 74 | 3
  PID 2032 wrote to memory of 660 | 2032 | dllhost.exe | 75 | 3
  PID 660 wrote to memory of 2668 | 660 | cmd.exe | 77 | 1

- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
(Level = depth in the process tree; each entry is a child of the nearest preceding entry one level up.)

Level 1: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5e8eb37cc096268975d3849ebe2aa475cc8620b3b5e08bd6582a24da758f40bd.exe (PID 1964)
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5e8eb37cc096268975d3849ebe2aa475cc8620b3b5e08bd6582a24da758f40bd.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

Level 2: C:\Windows\SysWOW64\WScript.exe (PID 2748)
  Command line: "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

Level 3: C:\Windows\SysWOW64\cmd.exe (PID 2528)
  Command line: cmd /c ""C:\providercommon\1zu9dW.bat" "
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

Level 4: C:\providercommon\DllCommonsvc.exe (PID 2684)
  Command line: "C:\providercommon\DllCommonsvc.exe"
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2940)
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3000)
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\IME\es-ES\winlogon.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1308)
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Libraries\DllCommonsvc.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2412)
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\dllhost.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1052)
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\Idle.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1816)
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\winlogon.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

Level 5: C:\Users\All Users\dllhost.exe (PID 2080)
  Command line: "C:\Users\All Users\dllhost.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

Level 6: C:\Windows\System32\cmd.exe (PID 2724)
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Myoa8e0eVV.bat"
  - Suspicious use of WriteProcessMemory

Level 7: C:\Windows\system32\w32tm.exe (PID 2244)
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

Level 7: C:\Users\All Users\dllhost.exe (PID 2748)
  Command line: "C:\Users\All Users\dllhost.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

Level 8: C:\Windows\System32\cmd.exe (PID 2380)
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eKnLpNzAx9.bat"
  - Suspicious use of WriteProcessMemory

Level 9: C:\Windows\system32\w32tm.exe (PID 2396)
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

Level 9: C:\Users\All Users\dllhost.exe (PID 1404)
  Command line: "C:\Users\All Users\dllhost.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

Level 10: C:\Windows\System32\cmd.exe (PID 1236)
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\L9j9zErPDE.bat"
  - Suspicious use of WriteProcessMemory

Level 11: C:\Windows\system32\w32tm.exe (PID 1984)
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

Level 11: C:\Users\All Users\dllhost.exe (PID 2032)
  Command line: "C:\Users\All Users\dllhost.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

Level 12: C:\Windows\System32\cmd.exe (PID 660)
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GzuRWOxc20.bat"
  - Suspicious use of WriteProcessMemory

Level 13: C:\Windows\system32\w32tm.exe (PID 2668)
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

Level 13: C:\Users\All Users\dllhost.exe (PID 2720)
  Command line: "C:\Users\All Users\dllhost.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

Level 14: C:\Windows\System32\cmd.exe (PID 2000)
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wYroxckjTC.bat"

Level 15: C:\Windows\system32\w32tm.exe (PID 2904)
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

Level 15: C:\Users\All Users\dllhost.exe (PID 2376)
  Command line: "C:\Users\All Users\dllhost.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

Level 16: C:\Windows\System32\cmd.exe (PID 448)
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vlZZCFJNsh.bat"

Level 17: C:\Windows\system32\w32tm.exe (PID 2852)
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

Level 17: C:\Users\All Users\dllhost.exe (PID 2188)
  Command line: "C:\Users\All Users\dllhost.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

Level 18: C:\Windows\System32\cmd.exe (PID 2384)
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rjTee716Rl.bat"

Level 19: C:\Windows\system32\w32tm.exe (PID 3000)
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

Level 19: C:\Users\All Users\dllhost.exe (PID 2728)
  Command line: "C:\Users\All Users\dllhost.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

Level 20: C:\Windows\System32\cmd.exe (PID 2632)
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\peQnm3nkJb.bat"

Level 21: C:\Windows\system32\w32tm.exe (PID 2200)
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

Level 21: C:\Users\All Users\dllhost.exe (PID 2288)
  Command line: "C:\Users\All Users\dllhost.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

Level 22: C:\Windows\System32\cmd.exe (PID 2220)
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yQKAuQiBIV.bat"

Level 23: C:\Windows\system32\w32tm.exe (PID 3064)
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

Level 23: C:\Users\All Users\dllhost.exe (PID 3044)
  Command line: "C:\Users\All Users\dllhost.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

Level 24: C:\Windows\System32\cmd.exe (PID 1016)
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YUw1O57cI2.bat"

Level 25: C:\Windows\system32\w32tm.exe (PID 1288)
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

Level 25: C:\Users\All Users\dllhost.exe (PID 1776)
  Command line: "C:\Users\All Users\dllhost.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

Level 26: C:\Windows\System32\cmd.exe (PID 2144)
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\p5ITN63wlJ.bat"

Level 27: C:\Windows\system32\w32tm.exe (PID 2408)
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

Level 27: C:\Users\All Users\dllhost.exe (PID 2820)
  Command line: "C:\Users\All Users\dllhost.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

Level 1: C:\Windows\system32\schtasks.exe (PID 2588)
  Command line: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Windows\IME\es-ES\winlogon.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

Level 1: C:\Windows\system32\schtasks.exe (PID 2144)
  Command line: schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\IME\es-ES\winlogon.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

Level 1: C:\Windows\system32\schtasks.exe (PID 1820)
  Command line: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Windows\IME\es-ES\winlogon.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

Level 1: C:\Windows\system32\schtasks.exe (PID 3016)
  Command line: schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Libraries\DllCommonsvc.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

Level 1: C:\Windows\system32\schtasks.exe (PID 2408)
  Command line: schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Users\Public\Libraries\DllCommonsvc.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

Level 1: C:\Windows\system32\schtasks.exe (PID 2136)
  Command line: schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Libraries\DllCommonsvc.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

Level 1: C:\Windows\system32\schtasks.exe (PID 1516)
  Command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\dllhost.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

Level 1: C:\Windows\system32\schtasks.exe (PID 1992)
  Command line: schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\All Users\dllhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

Level 1: C:\Windows\system32\schtasks.exe (PID 596)
  Command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\dllhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

Level 1: C:\Windows\system32\schtasks.exe (PID 2420)
  Command line: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Program Files\Java\Idle.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

Level 1: C:\Windows\system32\schtasks.exe (PID 2816)
  Command line: schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Java\Idle.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

Level 1: C:\Windows\system32\schtasks.exe (PID 1496)
  Command line: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Program Files\Java\Idle.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

Level 1: C:\Windows\system32\schtasks.exe (PID 784)
  Command line: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\winlogon.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

Level 1: C:\Windows\system32\schtasks.exe (PID 2760)
  Command line: schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\winlogon.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

Level 1: C:\Windows\system32\schtasks.exe (PID 2960)
  Command line: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\winlogon.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: db51c2e4f6c32b0bc7646da01a1501f7
  SHA1: 2f83b96bbefe847385b64932072de5cfaf508363
  SHA256: 04fd3135cd953b96825ba074f3b349ec207a0433eae23fda6b2972f17bb34aff
  SHA512: bdd730a7f3386366f567da2b835b4fc9ee54cd1646ddba567ad64d85fc1f9e940a8a2a0ce2c11dd442415ff7e780cc87417159a05bc369b33bd8002b5bdb918d

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 7f47ebe47e04214744f9eb2b470eb9e8
  SHA1: ba86f5df868c14429f4556d115422734e2092ba5
  SHA256: 09033473c4a095ddb3c0c40bc0a3d92091b12ef022eb2c7a0fe9a30305f77920
  SHA512: 29ee6e78b8296ecead94b92d238c6b1b807130115fc57d553864b3cfc5a18cb98e6bba86028b1dfc69f1ac51c4d37b7a386cb7b1190ff0f9cae85cb551d36a67

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 694f7efb6543403b700ab91521a4626a
  SHA1: eedc4f599443613c63dd1d1a837cb945c9a1db13
  SHA256: fafb5b8d975463a96d5a02a051045830c8d7830ea18927611290ab7d53f6dd52
  SHA512: aead87911ae9f420266d6dfe8b2b7ce41e4951fa0e88dde59fcce5843a7311c61af2d19ddbdf66cb1182659816e222e8830b356a83babefaa890daf426d08638

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: ffb95aa3c58e3e961f9bb3b732cc863e
  SHA1: e0ef75b580fe3f9f0c0026cc5386b7132d6d9158
  SHA256: 967384807b2e56e5af0e44d00253bab1b640ef70990b746042ce5e5c66d766be
  SHA512: 2d88fcff05b13ec69a9586ce9d6b7f39735280cecce47b6f99a3820e58f06970ea60f7f8609ae07f8b59baed39f9da5636658d73e4dff8a9522bfaccc5e980ae

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: c4dd83f6ae8c637d47974b25691d7a38
  SHA1: 1f450b932fbe3b0a47ba2a0adc3389a1d2b62034
  SHA256: 32967f3a404324aa5cbf6b8a188948a4c24a504311227b7baff8efaa4b0e46b6
  SHA512: 493e020e5b9387dcdb03ccf0aad37491cc2ab230cecd50ba75667f65c40a9df8358e809e69ce0b244c8d50a33be20ecc3e7d8a76c6b25b8dce41f1f7eea3211d

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 1b96fea08480cbe109b2beb7e8409977
  SHA1: 9a44802272cf32ad7a8f74eb0ddf3db75d00f6ab
  SHA256: aaeb1982470f97b1b484a71ca41c746d24c91cb05cfc84d2c8c15eada6188030
  SHA512: b152542942a9a5409f3448a004d0aa469d56eaf630e5e52b766671dd448664cdd8d3abca32b9263186f5725316ef24e515b46b126713b7198d8b6dcf4f8c2a3a

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 301feb3c967e4721d02dbc1f16a9e007
  SHA1: 28e70aaffad94dfad86dd29d949d575444b753c6
  SHA256: 904efb5ef1b7db2cddd81308fb5feaf64d7fa6d55ac1acc2b00a6d8dd9abdc61
  SHA512: 478a2caacaba247fee92d3b29f82ec32ff998e790ab4e11e0e183b0d7957965d1bfc5c228a55ee01a522911a153dd759de4980079cb4cc5389985b347ae25ae9

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 5202b53a2cde97e0d0f45533af5343dd
  SHA1: ca8745cc50b1086df45b46d9dab8dadb5bc53f58
  SHA256: ec6dc6705b0d119f40844671f99256f1a885116245bfee6935594ab261257361
  SHA512: 3429aa31838d30c6e84ab5ed88e993214997c26780c2b72eaaec2354abd32a64edcc7c251fd205cc68b5dcbd98460cea9b1b37a9f49c920ed8daad7c3f569b67

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 2e6ac6bc7642cb45490df685a1d52939
  SHA1: a120c9dd940b64ad5a00ea8a782ed8268b69f1c7
  SHA256: 3b8b4121f969c0f7b2c512cd79611cfc202ad4e948b8b6ff9d872999e3fb3161
  SHA512: 18193c951e560dc228f9838a73172b388f154f6cd58dd9b1a6068885df5cfd54235894e5f4acd74c43a350dc0c8dbb7b4bc52c64fe44b941488ba7b423a6b572

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: ff2b4add209af7ddf0f6a957c7fbda96
  SHA1: ad584c156a1cb48ef2cc5bdbe685938abafe083b
  SHA256: f7a0ce6bb8551b9d6aebd29f21b093eb3e27b74d73954369748baa27ba602979
  SHA512: e560ed902ec6de5caad5f1bd5f08e9759f2101e15791faabc5111a8044520925019130f68e00d5699e1467b3e5350738e408abb13b245e5534737dc0150c8a82

- Filesize: 70KB
  MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
  SHA1: 1723be06719828dda65ad804298d0431f6aff976
  SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
  SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

- Filesize: 195B
  MD5: d1d3e94b0a675ef19135b97f1102c2ad
  SHA1: 8ec1a301e2d85d4034a23f13e9ffb3d9eba94275
  SHA256: d5014fd6c45f7d3608b26ae5d846d461ae60a999428b80d8d2ab87cd87056a62
  SHA512: e6d364f5d06baf7bf6ea977604c2bdb1fb1664632fab0a94a68697237a9edd84a6e4b641cb72b24526cf73fcb76c2526be13c18c94771b500660fd5f3c92fa42

- Filesize: 195B
  MD5: 8d9fac87593a1e87701d834b79df1373
  SHA1: add21b92b530527faf419f94e8f31cfa8565165e
  SHA256: e4dc665a514c3c721387612567adeef6b1e52005ba11ebe7e4f11e9a6e7a2478
  SHA512: 155d16f4bf22d35e6cf0b48f7a61628caa0da3b8eef8f947c2f173a99605d851c948d048982bef079484ea49e9ec83f80be06ae2efe92dfdd0181ffb295c69fd

- Filesize: 195B
  MD5: d0e70faa7261cd8d0bc3b179ae52b854
  SHA1: 7f4dab6827481e6539b6bbdab955387981217168
  SHA256: de4bb0d2665fa5ac746d5d1c652d6818cfbe1b7625f94b9f4bf18b64089af73c
  SHA512: 8f1cdd9ac0ea97a795ab67b95a3a1220883069d77c9f21e13fb036ff8c3212ec9da8738e2fdba6549a7a22d8f48212bdd6831c325cf5ded6b29c54e9d24beb82

- Filesize: 181KB
  MD5: 4ea6026cf93ec6338144661bf1202cd1
  SHA1: a1dec9044f750ad887935a01430bf49322fbdcb7
  SHA256: 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
  SHA512: 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

- Filesize: 195B
  MD5: 3571a84aeca6574e50c819936ad568d8
  SHA1: b60ce3c43ee0942656e2fb72acde4839b0018167
  SHA256: 700384e7fa327652e2ddcbcf534cc52f5f0ce0f0638112d65af8e845d390fe22
  SHA512: a03eb47aa252bbad4a611045cd0d3beddf9a0a15a16f3fc349cdb2e4a9320787be765f91641153ebe48fd222cc4ef104c354f31eb0ca132b86fc9635ec4d9be8

- Filesize: 195B
  MD5: 8f0b257303dbf1db0c51cfbaa83ce045
  SHA1: 3ecd228013f35fd3cc42208ef22b87aca3eebb4b
  SHA256: faf8f52f6c77e7d96557013f34f8d330d599237b88115351c8b8cc7b1694e25b
  SHA512: 52591a3d903a2db91f0e89bf6b7f4277d080d3ce23e517e78708b8625dbb9838e6dffcd30e099aef6333f0412a9c3c67b9b6d2bb0881cb95d312234669ef177c

- Filesize: 195B
  MD5: 089536dd883e30301a343dfa27c43c12
  SHA1: 09329c0cf92c4219ee726b674685131ddfd2f97f
  SHA256: 5c291920eccc30c5728f755ded62a53717e18fa76c7d7afbda67b0cda1ebb9b7
  SHA512: e4e5743956958d890d09a821099a9c43e887ec7ada93090d17366f2db6fedc6d1f393cc666f240bf0a2f1cb283a4c13a2f5d7b1f9438ec17be9da39dbdd4c36f

- Filesize: 195B
  MD5: 7a5ff0b98860c80bf7426ee6dca2babb
  SHA1: 19ed17187d1ebb4c6363dab9e932a68dc478cc65
  SHA256: 6067a7a33303117b1befb799526d29bf0b398633e7e8bf3a4b971403c183781c
  SHA512: f153a1bc904e5961daac0bf3c4353e4b6b90f9fbd9b691f192589d0deb172028df88346d93a36ed1e8d727e1c04e3708b9ce26afa2b30aaed23d4882e6992957

- Filesize: 195B
  MD5: 92bd8b92aa761c0d9eb724155a266bda
  SHA1: f8f7ef23adea9ccee5e9cab33519509de68a3966
  SHA256: 85d0b267d0d0a095a5f305d8d96ce839900e299e12911876a7e6b29924a7cb77
  SHA512: 847e883a62320983d3626addef946c24ad0809c7e64267f7eaa011c6fad06bb09399174a39431999396cb0b5712c0042c14b2681ffa83cbbe09c688b439b9d7d

- Filesize: 195B
  MD5: f5764de9908895ff938a5c75f1591b3e
  SHA1: cf67d79df54e079015e75b99411da3a21fdb00b9
  SHA256: 1e24f742d1d470be1a448dc1970ba3ea6c6414d45b394d58ae836bb7d6e0b0e0
  SHA512: 0253e96efa79e50255b82a1d1c859f149ca5f6524a699659e947bdc488160e443801faa593591a19f64efd7ba08e57b680a24c6eab5f7648b099f4404b3f02ea

- Filesize: 195B
  MD5: dde0b658bd936eaca7a5a2b7ca102ca5
  SHA1: cd3db84294b2a2ca4057939b606df5aa205a943b
  SHA256: 582f7ccc8713ba629f94abed0e6ccb2b6d8065b3c3008684c176f2637546fa5b
  SHA512: 0cb9faac7adff732b7368af5853366009c83adb5b28b485004a5a80bd6b226634017f0c193004704d728e91633a523aad1d23b08eeea4fce415d804a73a4ea0e

- Filesize: 195B
  MD5: 967e76ce51cf52b5c8dc71d40b59576c
  SHA1: a8444b1cf70cbb84e5c297b0ec83e9dc9ec2f215
  SHA256: 4ad9f4751ba5ed4d0917551b64b9ac3353d0236133f66e48b88cd20a0a05f5bf
  SHA512: a63fa80e0456990bae41c12b8dad91dd497bbfa4d56e66c311bdee3ba38db58ee980dea0846362f702bdd2cfb5cc6cf06b344d4e0685da526a382431854c63ae

- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: b786afb63cb443882401d25312dffe4d
  SHA1: b9dc9c823e2b81824b283fa9a330025af71ae377
  SHA256: d8a4e12b9f449baf18b651d524eb25f20ec751ae733c0c4dea3b3f16f159a2a1
  SHA512: b142ca92e851eae59e1e03ffefe99cdf0abbc930bcd689822b58f3d23512fdce3e48c8aae81e9cafc1f9752bfd0d826565c606f91ab40afd0c556c4665665cdc

- Filesize: 36B
  MD5: 6783c3ee07c7d151ceac57f1f9c8bed7
  SHA1: 17468f98f95bf504cc1f83c49e49a78526b3ea03
  SHA256: 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
  SHA512: c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

- Filesize: 197B
  MD5: 8088241160261560a02c84025d107592
  SHA1: 083121f7027557570994c9fc211df61730455bb5
  SHA256: 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
  SHA512: 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

- Filesize: 1.0MB
  MD5: bd31e94b4143c4ce49c17d3af46bcad0
  SHA1: f8c51ff3ff909531d9469d4ba1bbabae101853ff
  SHA256: b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
  SHA512: f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394