Analysis
max time kernel: 149s
max time network: 150s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 22-12-2024 00:05
Behavioral task
behavioral1
Sample
JaffaCakes118_1197d6191e1899c47d8a17b899f03dcaaf7f3105db196a6d514c469e1b3bc9e7.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
JaffaCakes118_1197d6191e1899c47d8a17b899f03dcaaf7f3105db196a6d514c469e1b3bc9e7.exe
Resource
win10v2004-20241007-en
General
Target: JaffaCakes118_1197d6191e1899c47d8a17b899f03dcaaf7f3105db196a6d514c469e1b3bc9e7.exe
Size: 1.3MB
MD5: 662eb62315bdd0c75616d1890a2e2717
SHA1: 7fd0a233add6c42bc6bcb14527de31027bf21cc6
SHA256: 1197d6191e1899c47d8a17b899f03dcaaf7f3105db196a6d514c469e1b3bc9e7
SHA512: 620afbf5e6704d5a5c35731c47ea06acbb62d74021e30f821d188212dfa9341798c6a7e6fc599e9de72407fe340dec272c7bbf5d60b5402ea9cd7d85f6550013
SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
DcRat
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
Dcrat family
Process spawned unexpected child process 15 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2832 | 2692 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2824 | 2692 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2748 | 2692 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2616 | 2692 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2572 | 2692 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2604 | 2692 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2104 | 2692 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2520 | 2692 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 808 | 2692 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2524 | 2692 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 300 | 2692 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1524 | 2692 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1708 | 2692 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1164 | 2692 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2304 | 2692 | schtasks.exe | 35

resource | yara_rule
behavioral1/files/0x00060000000186f8-10.dat | dcrat
behavioral1/memory/2424-13-0x0000000000BB0000-0x0000000000CC0000-memory.dmp | dcrat
behavioral1/memory/2916-63-0x0000000001180000-0x0000000001290000-memory.dmp | dcrat
behavioral1/memory/2664-124-0x0000000001300000-0x0000000001410000-memory.dmp | dcrat
behavioral1/memory/1808-362-0x0000000000190000-0x00000000002A0000-memory.dmp | dcrat
behavioral1/memory/952-422-0x0000000000CA0000-0x0000000000DB0000-memory.dmp | dcrat
behavioral1/memory/2372-482-0x0000000000F90000-0x00000000010A0000-memory.dmp | dcrat
behavioral1/memory/344-542-0x0000000000180000-0x0000000000290000-memory.dmp | dcrat
behavioral1/memory/2900-603-0x0000000000B10000-0x0000000000C20000-memory.dmp | dcrat
behavioral1/memory/804-663-0x00000000013A0000-0x00000000014B0000-memory.dmp | dcrat
Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid | Process
1812 | powershell.exe
2648 | powershell.exe
1072 | powershell.exe
1748 | powershell.exe
1056 | powershell.exe
304 | powershell.exe

Executes dropped EXE 12 IoCs
pid | Process
2424 | DllCommonsvc.exe
2916 | dwm.exe
2664 | dwm.exe
1164 | dwm.exe
1980 | dwm.exe
344 | dwm.exe
1808 | dwm.exe
952 | dwm.exe
2372 | dwm.exe
344 | dwm.exe
2900 | dwm.exe
804 | dwm.exe

Loads dropped DLL 2 IoCs
pid | Process
1644 | cmd.exe
1644 | cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs
flow | ioc
38 | raw.githubusercontent.com
13 | raw.githubusercontent.com
23 | raw.githubusercontent.com
31 | raw.githubusercontent.com
17 | raw.githubusercontent.com
20 | raw.githubusercontent.com
27 | raw.githubusercontent.com
34 | raw.githubusercontent.com
41 | raw.githubusercontent.com
4 | raw.githubusercontent.com
5 | raw.githubusercontent.com
9 | raw.githubusercontent.com

Drops file in Program Files directory 4 IoCs
description | ioc | Process
File created | C:\Program Files (x86)\Windows Portable Devices\wininit.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\Windows Portable Devices\56085415360792 | DllCommonsvc.exe
File created | C:\Program Files\Microsoft Office\Office14\1033\services.exe | DllCommonsvc.exe
File created | C:\Program Files\Microsoft Office\Office14\1033\c5b4cb5e9653cc | DllCommonsvc.exe

Drops file in Windows directory 7 IoCs
description | ioc | Process
File created | C:\Windows\Tasks\dwm.exe | DllCommonsvc.exe
File opened for modification | C:\Windows\Tasks\dwm.exe | DllCommonsvc.exe
File created | C:\Windows\Tasks\6cb0b6c459d5d3 | DllCommonsvc.exe
File created | C:\Windows\de-DE\sppsvc.exe | DllCommonsvc.exe
File created | C:\Windows\de-DE\0a1fd5f707cd16 | DllCommonsvc.exe
File created | C:\Windows\Registration\dwm.exe | DllCommonsvc.exe
File created | C:\Windows\Registration\6cb0b6c459d5d3 | DllCommonsvc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_1197d6191e1899c47d8a17b899f03dcaaf7f3105db196a6d514c469e1b3bc9e7.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
2832 | schtasks.exe
808 | schtasks.exe
300 | schtasks.exe
1164 | schtasks.exe
2304 | schtasks.exe
2748 | schtasks.exe
2104 | schtasks.exe
2520 | schtasks.exe
2524 | schtasks.exe
2616 | schtasks.exe
1524 | schtasks.exe
1708 | schtasks.exe
2824 | schtasks.exe
2572 | schtasks.exe
2604 | schtasks.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs
pid | Process
2424 | DllCommonsvc.exe
1812 | powershell.exe
1072 | powershell.exe
1748 | powershell.exe
304 | powershell.exe
1056 | powershell.exe
2648 | powershell.exe
2916 | dwm.exe
2664 | dwm.exe
1164 | dwm.exe
1980 | dwm.exe
344 | dwm.exe
1808 | dwm.exe
952 | dwm.exe
2372 | dwm.exe
344 | dwm.exe
2900 | dwm.exe
804 | dwm.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2424 | DllCommonsvc.exe
Token: SeDebugPrivilege | 1812 | powershell.exe
Token: SeDebugPrivilege | 1072 | powershell.exe
Token: SeDebugPrivilege | 1748 | powershell.exe
Token: SeDebugPrivilege | 304 | powershell.exe
Token: SeDebugPrivilege | 1056 | powershell.exe
Token: SeDebugPrivilege | 2648 | powershell.exe
Token: SeDebugPrivilege | 2916 | dwm.exe
Token: SeDebugPrivilege | 2664 | dwm.exe
Token: SeDebugPrivilege | 1164 | dwm.exe
Token: SeDebugPrivilege | 1980 | dwm.exe
Token: SeDebugPrivilege | 344 | dwm.exe
Token: SeDebugPrivilege | 1808 | dwm.exe
Token: SeDebugPrivilege | 952 | dwm.exe
Token: SeDebugPrivilege | 2372 | dwm.exe
Token: SeDebugPrivilege | 344 | dwm.exe
Token: SeDebugPrivilege | 2900 | dwm.exe
Token: SeDebugPrivilege | 804 | dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 2528 wrote to memory of 2340 | 2528 | JaffaCakes118_1197d6191e1899c47d8a17b899f03dcaaf7f3105db196a6d514c469e1b3bc9e7.exe | 31
PID 2528 wrote to memory of 2340 | 2528 | JaffaCakes118_1197d6191e1899c47d8a17b899f03dcaaf7f3105db196a6d514c469e1b3bc9e7.exe | 31
PID 2528 wrote to memory of 2340 | 2528 | JaffaCakes118_1197d6191e1899c47d8a17b899f03dcaaf7f3105db196a6d514c469e1b3bc9e7.exe | 31
PID 2528 wrote to memory of 2340 | 2528 | JaffaCakes118_1197d6191e1899c47d8a17b899f03dcaaf7f3105db196a6d514c469e1b3bc9e7.exe | 31
PID 2340 wrote to memory of 1644 | 2340 | WScript.exe | 32
PID 2340 wrote to memory of 1644 | 2340 | WScript.exe | 32
PID 2340 wrote to memory of 1644 | 2340 | WScript.exe | 32
PID 2340 wrote to memory of 1644 | 2340 | WScript.exe | 32
PID 1644 wrote to memory of 2424 | 1644 | cmd.exe | 34
PID 1644 wrote to memory of 2424 | 1644 | cmd.exe | 34
PID 1644 wrote to memory of 2424 | 1644 | cmd.exe | 34
PID 1644 wrote to memory of 2424 | 1644 | cmd.exe | 34
PID 2424 wrote to memory of 1812 | 2424 | DllCommonsvc.exe | 51
PID 2424 wrote to memory of 1812 | 2424 | DllCommonsvc.exe | 51
PID 2424 wrote to memory of 1812 | 2424 | DllCommonsvc.exe | 51
PID 2424 wrote to memory of 304 | 2424 | DllCommonsvc.exe | 52
PID 2424 wrote to memory of 304 | 2424 | DllCommonsvc.exe | 52
PID 2424 wrote to memory of 304 | 2424 | DllCommonsvc.exe | 52
PID 2424 wrote to memory of 2648 | 2424 | DllCommonsvc.exe | 54
PID 2424 wrote to memory of 2648 | 2424 | DllCommonsvc.exe | 54
PID 2424 wrote to memory of 2648 | 2424 | DllCommonsvc.exe | 54
PID 2424 wrote to memory of 1056 | 2424 | DllCommonsvc.exe | 55
PID 2424 wrote to memory of 1056 | 2424 | DllCommonsvc.exe | 55
PID 2424 wrote to memory of 1056 | 2424 | DllCommonsvc.exe | 55
PID 2424 wrote to memory of 1748 | 2424 | DllCommonsvc.exe | 56
PID 2424 wrote to memory of 1748 | 2424 | DllCommonsvc.exe | 56
PID 2424 wrote to memory of 1748 | 2424 | DllCommonsvc.exe | 56
PID 2424 wrote to memory of 1072 | 2424 | DllCommonsvc.exe | 57
PID 2424 wrote to memory of 1072 | 2424 | DllCommonsvc.exe | 57
PID 2424 wrote to memory of 1072 | 2424 | DllCommonsvc.exe | 57
PID 2424 wrote to memory of 2916 | 2424 | DllCommonsvc.exe | 63
PID 2424 wrote to memory of 2916 | 2424 | DllCommonsvc.exe | 63
PID 2424 wrote to memory of 2916 | 2424 | DllCommonsvc.exe | 63
PID 2916 wrote to memory of 2528 | 2916 | dwm.exe | 64
PID 2916 wrote to memory of 2528 | 2916 | dwm.exe | 64
PID 2916 wrote to memory of 2528 | 2916 | dwm.exe | 64
PID 2528 wrote to memory of 2396 | 2528 | cmd.exe | 66
PID 2528 wrote to memory of 2396 | 2528 | cmd.exe | 66
PID 2528 wrote to memory of 2396 | 2528 | cmd.exe | 66
PID 2528 wrote to memory of 2664 | 2528 | cmd.exe | 67
PID 2528 wrote to memory of 2664 | 2528 | cmd.exe | 67
PID 2528 wrote to memory of 2664 | 2528 | cmd.exe | 67
PID 2664 wrote to memory of 3036 | 2664 | dwm.exe | 68
PID 2664 wrote to memory of 3036 | 2664 | dwm.exe | 68
PID 2664 wrote to memory of 3036 | 2664 | dwm.exe | 68
PID 3036 wrote to memory of 2252 | 3036 | cmd.exe | 70
PID 3036 wrote to memory of 2252 | 3036 | cmd.exe | 70
PID 3036 wrote to memory of 2252 | 3036 | cmd.exe | 70
PID 3036 wrote to memory of 1164 | 3036 | cmd.exe | 71
PID 3036 wrote to memory of 1164 | 3036 | cmd.exe | 71
PID 3036 wrote to memory of 1164 | 3036 | cmd.exe | 71
PID 1164 wrote to memory of 1748 | 1164 | dwm.exe | 72
PID 1164 wrote to memory of 1748 | 1164 | dwm.exe | 72
PID 1164 wrote to memory of 1748 | 1164 | dwm.exe | 72
PID 1748 wrote to memory of 1348 | 1748 | cmd.exe | 74
PID 1748 wrote to memory of 1348 | 1748 | cmd.exe | 74
PID 1748 wrote to memory of 1348 | 1748 | cmd.exe | 74
PID 1748 wrote to memory of 1980 | 1748 | cmd.exe | 75
PID 1748 wrote to memory of 1980 | 1748 | cmd.exe | 75
PID 1748 wrote to memory of 1980 | 1748 | cmd.exe | 75
PID 1980 wrote to memory of 1712 | 1980 | dwm.exe | 76
PID 1980 wrote to memory of 1712 | 1980 | dwm.exe | 76
PID 1980 wrote to memory of 1712 | 1980 | dwm.exe | 76
PID 1712 wrote to memory of 2192 | 1712 | cmd.exe | 78
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1197d6191e1899c47d8a17b899f03dcaaf7f3105db196a6d514c469e1b3bc9e7.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1197d6191e1899c47d8a17b899f03dcaaf7f3105db196a6d514c469e1b3bc9e7.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2528

Level 2: C:\Windows\SysWOW64\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2340

Level 3: C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c ""C:\providercommon\1zu9dW.bat" "
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 1644

Level 4: C:\providercommon\DllCommonsvc.exe
  Command line: "C:\providercommon\DllCommonsvc.exe"
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2424
Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1812

Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Tasks\dwm.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 304

Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\de-DE\sppsvc.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2648

Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\wininit.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1056

Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Registration\dwm.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1748

Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\Office14\1033\services.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1072
Level 5: C:\Windows\Tasks\dwm.exe
  Command line: "C:\Windows\Tasks\dwm.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2916

Level 6: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NDsGBfOUR3.bat"
  - Suspicious use of WriteProcessMemory
  PID: 2528

Level 7: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2396

Level 7: C:\Windows\Tasks\dwm.exe
  Command line: "C:\Windows\Tasks\dwm.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2664

Level 8: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YKuCD7w8Ue.bat"
  - Suspicious use of WriteProcessMemory
  PID: 3036

Level 9: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2252

Level 9: C:\Windows\Tasks\dwm.exe
  Command line: "C:\Windows\Tasks\dwm.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1164

Level 10: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xEvQv3iUx6.bat"
  - Suspicious use of WriteProcessMemory
  PID: 1748

Level 11: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 1348

Level 11: C:\Windows\Tasks\dwm.exe
  Command line: "C:\Windows\Tasks\dwm.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1980

Level 12: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LdHmevWlG3.bat"
  - Suspicious use of WriteProcessMemory
  PID: 1712

Level 13: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2192

Level 13: C:\Windows\Tasks\dwm.exe
  Command line: "C:\Windows\Tasks\dwm.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 344

Level 14: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\a4RGbRhdNM.bat"
  PID: 1188

Level 15: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 496

Level 15: C:\Windows\Tasks\dwm.exe
  Command line: "C:\Windows\Tasks\dwm.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1808

Level 16: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CSN9cxKiet.bat"
  PID: 2756

Level 17: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2628

Level 17: C:\Windows\Tasks\dwm.exe
  Command line: "C:\Windows\Tasks\dwm.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 952

Level 18: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2wrSnsL5gc.bat"
  PID: 3012

Level 19: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2388

Level 19: C:\Windows\Tasks\dwm.exe
  Command line: "C:\Windows\Tasks\dwm.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2372

Level 20: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5Ad8adCyX4.bat"
  PID: 2800

Level 21: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2428

Level 21: C:\Windows\Tasks\dwm.exe
  Command line: "C:\Windows\Tasks\dwm.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 344

Level 22: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\e2wUPJtRJp.bat"
  PID: 2008

Level 23: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 1768

Level 23: C:\Windows\Tasks\dwm.exe
  Command line: "C:\Windows\Tasks\dwm.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2900

Level 24: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hlHmrlOhE6.bat"
  PID: 2244

Level 25: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 888

Level 25: C:\Windows\Tasks\dwm.exe
  Command line: "C:\Windows\Tasks\dwm.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 804

Level 26: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\axBdnWD1Gl.bat"
  PID: 2592

Level 27: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 1948
Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Windows\Tasks\dwm.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2832

Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\Tasks\dwm.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2824

Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Windows\Tasks\dwm.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2748

Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Windows\de-DE\sppsvc.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2616

Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\de-DE\sppsvc.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2572

Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Windows\de-DE\sppsvc.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2604

Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Portable Devices\wininit.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2104

Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\wininit.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2520

Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Portable Devices\wininit.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 808

Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Windows\Registration\dwm.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2524

Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\Registration\dwm.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 300

Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Windows\Registration\dwm.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1524

Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Office\Office14\1033\services.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1708

Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\1033\services.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1164

Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft Office\Office14\1033\services.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2304
Network
MITRE ATT&CK Enterprise v15
Downloads