Analysis
  max time kernel:   150s
  max time network:  150s
  platform:          windows7_x64
  resource:          win7-20240903-en
  resource tags:     arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  submitted:         22-12-2024 01:07
Behavioral task behavioral1
  Sample:    JaffaCakes118_fdc297fcbcb8ad6651b08f3c1b920f86cd42f5c02d6b13cc5db0449d87fe4cec.exe
  Resource:  win7-20240903-en
Behavioral task behavioral2
  Sample:    JaffaCakes118_fdc297fcbcb8ad6651b08f3c1b920f86cd42f5c02d6b13cc5db0449d87fe4cec.exe
  Resource:  win10v2004-20241007-en

The signatures, process tree and dropped files below are from behavioral1 (the Windows 7 x64 run); the YARA resources are all prefixed behavioral1/.
General
  Target:  JaffaCakes118_fdc297fcbcb8ad6651b08f3c1b920f86cd42f5c02d6b13cc5db0449d87fe4cec.exe
  Size:    1.3MB
  MD5:     a06e55cfbc590b07f316d25f18d305f5
  SHA1:    86830bcf1c150c58e43b784fc4f90eed9ffb24d3
  SHA256:  fdc297fcbcb8ad6651b08f3c1b920f86cd42f5c02d6b13cc5db0449d87fe4cec
  SHA512:  2f0b90eea05c0d48bcd5f8ce89e9e2b341ce1e7c758a307fc380a9bbdd37d39482ad4b6f7d7b88c549d19474e232bc309ff2f4b07edafac0ed9edd7e12ee392a
  SSDEEP:  24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
- DcRat
  DarkCrystal RAT (DCRat) is a .NET remote access trojan, active since June 2019, that can load additional plugins.
- Dcrat family
Process spawned unexpected child process 21 IoCs
This typically indicates the parent process was compromised via an exploit or macro. For WmiPrvSE.exe specifically, the more common cause is process creation through WMI (Win32_Process.Create): the WMI provider host is then recorded as the parent of whatever was launched. Taken with the 21 schtasks.exe /create command lines in the process list, this points to the dropper registering its tasks through WMI rather than to an exploited WmiPrvSE.exe.

All 21 rows share the same description and parent: Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process.

pid   pid_target  Process       procid_target
2844  2408        schtasks.exe  34
2896  2408        schtasks.exe  34
2716  2408        schtasks.exe  34
2836  2408        schtasks.exe  34
2588  2408        schtasks.exe  34
2648  2408        schtasks.exe  34
2892  2408        schtasks.exe  34
2184  2408        schtasks.exe  34
2404  2408        schtasks.exe  34
1380  2408        schtasks.exe  34
2788  2408        schtasks.exe  34
1776  2408        schtasks.exe  34
2112  2408        schtasks.exe  34
2780  2408        schtasks.exe  34
2848  2408        schtasks.exe  34
992   2408        schtasks.exe  34
2776  2408        schtasks.exe  34
2416  2408        schtasks.exe  34
2680  2408        schtasks.exe  34
1420  2408        schtasks.exe  34
1740  2408        schtasks.exe  34
YARA matches (the same rule fires on the dropped file and on the memory of DllCommonsvc.exe and six csrss.exe instances):

resource                                                                       yara_rule
behavioral1/files/0x0008000000015d81-10.dat                                    dcrat
behavioral1/memory/2304-13-0x0000000000890000-0x00000000009A0000-memory.dmp    dcrat
behavioral1/memory/1752-50-0x0000000000370000-0x0000000000480000-memory.dmp    dcrat
behavioral1/memory/828-138-0x00000000011F0000-0x0000000001300000-memory.dmp    dcrat
behavioral1/memory/1716-316-0x0000000000100000-0x0000000000210000-memory.dmp   dcrat
behavioral1/memory/1344-376-0x0000000000B70000-0x0000000000C80000-memory.dmp   dcrat
behavioral1/memory/2744-495-0x0000000001050000-0x0000000001160000-memory.dmp   dcrat
behavioral1/memory/2548-555-0x0000000001130000-0x0000000001240000-memory.dmp   dcrat
Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths or processes. In this run all eight invocations are Add-MpPreference -ExclusionPath, one for each file the dropper is about to plant (the paths are listed in the process tree).

pid   Process
2912  powershell.exe
3064  powershell.exe
3052  powershell.exe
2224  powershell.exe
2464  powershell.exe
2944  powershell.exe
2756  powershell.exe
2904  powershell.exe
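The eight Add-MpPreference calls are the dropper carving Defender exclusions for every payload path before it writes them. As an added example (not part of the sandbox output), the following Python extracts the -Exclusion* parameters from PowerShell command lines and explains why each excluded path looks attacker-controlled: a Windows system-process name outside System32, a user-writable location, or a top-level directory that does not exist on a stock install. The first four command lines are copied from this report; the final Set-MpPreference record is a constructed benign control, and the list of system-process names is an assumption chosen to cover the names this sample uses.

```python
"""Flag Defender exclusions added from the command line.

Added example; it is not part of the sandbox report. It extracts the
-Exclusion* parameters from Add-MpPreference invocations and explains
why each excluded path looks attacker-controlled.
"""
import re
from typing import Iterable, List, Tuple

# (pid, command line) copied from the process tree in the report; the
# last record is constructed as a benign control that adds no exclusion.
SAMPLE_EVENTS = [
    (2944, r"""powershell -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'"""),
    (2756, r"""powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\csrss.exe'"""),
    (2904, r"""powershell -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\VLC\hrtfs\audiodg.exe'"""),
    (2224, r"""powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows\ServiceProfiles\dllhost.exe'"""),
    (4242, r"""powershell -Command Set-MpPreference -ScanAvgCPULoadFactor 20"""),  # constructed, benign
]

# Assumed list of system-process names that droppers borrow (T1036.005).
SYSTEM_PROCESS_NAMES = {"csrss.exe", "winlogon.exe", "wininit.exe", "dwm.exe",
                        "dllhost.exe", "audiodg.exe", "lsass.exe", "svchost.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
STOCK_TOP_LEVEL = {"windows", "program files", "program files (x86)", "users", "programdata"}

# -ExclusionPath 'a','b'  |  -ExclusionProcess "x.exe"  |  -ExclusionExtension .tmp
_PARAM_RE = re.compile(
    r"-Exclusion(Path|Process|Extension|IpAddress)\s+"
    r"((?:'[^']*'|\"[^\"]*\"|[^\s,'\"]+)(?:\s*,\s*(?:'[^']*'|\"[^\"]*\"|[^\s,'\"]+))*)",
    re.IGNORECASE)
_VALUE_RE = re.compile(r"""'([^']*)'|"([^"]*)"|([^\s,'"]+)""")


def extract_exclusions(cmdline: str) -> List[Tuple[str, str]]:
    """(kind, value) for every exclusion an Add-MpPreference call adds; [] otherwise."""
    if not re.search(r"\bAdd-MpPreference\b", cmdline, re.IGNORECASE):
        return []
    found = []
    for kind, raw in _PARAM_RE.findall(cmdline):
        for m in _VALUE_RE.finditer(raw):
            found.append((kind, next(g for g in m.groups() if g is not None)))
    return found


def classify_path(path: str) -> List[str]:
    """Reasons an excluded path looks attacker-controlled; [] if nothing stands out."""
    low = path.lower()
    parts = low.split("\\")
    name, top = parts[-1], (parts[1] if len(parts) > 1 else "")
    reasons = []
    if name in SYSTEM_PROCESS_NAMES and not low.startswith(SYSTEM_DIRS):
        reasons.append(f"{name} masquerading outside System32")
    if top in ("users", "programdata"):
        reasons.append("user-writable location")
    elif top not in STOCK_TOP_LEVEL:
        reasons.append(f"non-standard top-level directory '{top}'")
    return reasons


def scan(events: Iterable[Tuple[int, str]]) -> List[dict]:
    """One finding per event that adds an exclusion, with the reasons it looks hostile."""
    findings = []
    for pid, cmdline in events:
        exclusions = extract_exclusions(cmdline)
        if exclusions:
            reasons = {r for kind, value in exclusions
                       if kind.lower() == "path" for r in classify_path(value)}
            findings.append({"pid": pid, "exclusions": exclusions, "reasons": sorted(reasons)})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f["pid"], f["exclusions"], f["reasons"] or "no obvious reason")
```

The Set-MpPreference control produces no finding because it adds no exclusion; an exclusion for a single file under C:\Windows\System32 would likewise come back with an empty reason list, so the reasons, not the mere presence of Add-MpPreference, carry the signal.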
Executes dropped EXE 12 IoCs

pid   Process
2304  DllCommonsvc.exe
1752  csrss.exe
828   csrss.exe
1540  csrss.exe
2160  csrss.exe
1716  csrss.exe
1344  csrss.exe
2064  csrss.exe
2744  csrss.exe
2548  csrss.exe
2220  csrss.exe
2932  csrss.exe

Loads dropped DLL 2 IoCs

pid   Process
2764  cmd.exe
2764  cmd.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

flow  ioc
4     raw.githubusercontent.com
5     raw.githubusercontent.com
9     raw.githubusercontent.com
13    raw.githubusercontent.com
16    raw.githubusercontent.com
19    raw.githubusercontent.com
22    raw.githubusercontent.com
25    raw.githubusercontent.com
29    raw.githubusercontent.com
32    raw.githubusercontent.com
36    raw.githubusercontent.com
Drops file in Program Files directory 6 IoCs

description   ioc                                                  Process
File created  C:\Program Files\VideoLAN\VLC\hrtfs\audiodg.exe      DllCommonsvc.exe
File created  C:\Program Files\VideoLAN\VLC\hrtfs\42af1c969fbb7b   DllCommonsvc.exe
File created  C:\Program Files\MSBuild\wininit.exe                 DllCommonsvc.exe
File created  C:\Program Files\MSBuild\56085415360792              DllCommonsvc.exe
File created  C:\Program Files (x86)\Common Files\winlogon.exe     DllCommonsvc.exe
File created  C:\Program Files (x86)\Common Files\cc11b995f2a76d   DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

description   ioc                                          Process
File created  C:\Windows\ServiceProfiles\5940a34987c991    DllCommonsvc.exe
File created  C:\Windows\ServiceProfiles\dllhost.exe       DllCommonsvc.exe

Each executable is written together with an extensionless companion file whose name is 14 hex characters, in the same directory.
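The two tables above show a fixed drop pattern: an executable carrying a Windows system-process name (audiodg, wininit, winlogon, dllhost) lands outside System32 together with a 14-hex-character sidecar file. As an added example (not part of the sandbox output), the following Python groups file-creation events by creating process and directory and reports those exe-plus-sidecar pairs, which is a tighter indicator than either file alone. The DllCommonsvc.exe events are copied from this report; the two msiexec.exe records are a constructed benign control, and the set of system-process names is an assumption.

```python
"""Pair dropped executables with their sidecar marker files.

Added example; it is not part of the sandbox report. It groups
file-creation events by (process, directory) and reports directories
that received both an .exe and an extensionless 14-hex-character file,
noting when the .exe borrows a Windows system-process name outside
System32.
"""
import re
from collections import defaultdict
from typing import Iterable, List, Tuple

# (creating process, created path) copied from the report; the two
# msiexec.exe records are constructed as a benign control.
SAMPLE_FILE_EVENTS = [
    ("DllCommonsvc.exe", r"C:\Program Files\VideoLAN\VLC\hrtfs\audiodg.exe"),
    ("DllCommonsvc.exe", r"C:\Program Files\VideoLAN\VLC\hrtfs\42af1c969fbb7b"),
    ("DllCommonsvc.exe", r"C:\Program Files\MSBuild\wininit.exe"),
    ("DllCommonsvc.exe", r"C:\Program Files\MSBuild\56085415360792"),
    ("DllCommonsvc.exe", r"C:\Program Files (x86)\Common Files\winlogon.exe"),
    ("DllCommonsvc.exe", r"C:\Program Files (x86)\Common Files\cc11b995f2a76d"),
    ("DllCommonsvc.exe", r"C:\Windows\ServiceProfiles\dllhost.exe"),
    ("DllCommonsvc.exe", r"C:\Windows\ServiceProfiles\5940a34987c991"),
    ("msiexec.exe", r"C:\Program Files\VideoLAN\VLC\vlc.exe"),        # constructed, benign
    ("msiexec.exe", r"C:\Program Files\VideoLAN\VLC\libvlc.dll"),     # constructed, benign
]

# Assumed list of system-process names that droppers borrow (T1036.005).
SYSTEM_PROCESS_NAMES = {"csrss.exe", "winlogon.exe", "wininit.exe", "dwm.exe",
                        "dllhost.exe", "audiodg.exe", "lsass.exe", "svchost.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64")
_SIDECAR_RE = re.compile(r"[0-9a-f]{14}")


def split_path(path: str) -> Tuple[str, str]:
    """Lower-cased (directory, file name) of a Windows path."""
    directory, _, name = path.lower().rpartition("\\")
    return directory, name


def find_drop_pairs(events: Iterable[Tuple[str, str]]) -> List[dict]:
    """One record per (process, directory) that received an .exe plus a 14-hex sidecar."""
    groups = defaultdict(lambda: {"executables": [], "sidecars": []})
    for process, path in events:
        directory, name = split_path(path)
        bucket = groups[(process.lower(), directory)]
        if name.endswith(".exe"):
            bucket["executables"].append(name)
        elif _SIDECAR_RE.fullmatch(name):
            bucket["sidecars"].append(name)
    pairs = []
    for (process, directory), bucket in groups.items():
        if bucket["executables"] and bucket["sidecars"]:
            # A system-process name is only suspicious outside the real system directories.
            masquerading = [n for n in bucket["executables"]
                            if n in SYSTEM_PROCESS_NAMES and directory not in SYSTEM_DIRS]
            pairs.append({"process": process, "directory": directory,
                          "masquerading": masquerading, **bucket})
    return pairs


if __name__ == "__main__":
    for p in find_drop_pairs(SAMPLE_FILE_EVENTS):
        print(f"{p['process']} -> {p['directory']}: {p['executables']} + {p['sidecars']}"
              f" masquerading={p['masquerading']}")
```

The msiexec.exe control yields nothing because it writes no sidecar; the pairing requirement is what keeps an ordinary installer writing into Program Files from tripping the check.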
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of the victim in order to infer the geographical location of the host.

description  ioc                                                            Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    JaffaCakes118_fdc297fcbcb8ad6651b08f3c1b920f86cd42f5c02d6b13cc5db0449d87fe4cec.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    WScript.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    cmd.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 21 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.

pid   Process
2836  schtasks.exe
2892  schtasks.exe
2788  schtasks.exe
1740  schtasks.exe
2648  schtasks.exe
2404  schtasks.exe
1420  schtasks.exe
2716  schtasks.exe
2184  schtasks.exe
1776  schtasks.exe
2112  schtasks.exe
2848  schtasks.exe
2776  schtasks.exe
2844  schtasks.exe
2896  schtasks.exe
2588  schtasks.exe
1380  schtasks.exe
2780  schtasks.exe
992   schtasks.exe
2416  schtasks.exe
2680  schtasks.exe
Suspicious behavior: EnumeratesProcesses 22 IoCs

pid   Process
2304  DllCommonsvc.exe
2304  DllCommonsvc.exe
2304  DllCommonsvc.exe
3052  powershell.exe
2756  powershell.exe
2464  powershell.exe
2912  powershell.exe
2904  powershell.exe
3064  powershell.exe
2224  powershell.exe
2944  powershell.exe
1752  csrss.exe
828   csrss.exe
1540  csrss.exe
2160  csrss.exe
1716  csrss.exe
1344  csrss.exe
2064  csrss.exe
2744  csrss.exe
2548  csrss.exe
2220  csrss.exe
2932  csrss.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description               pid   Process
Token: SeDebugPrivilege   2304  DllCommonsvc.exe
Token: SeDebugPrivilege   3052  powershell.exe
Token: SeDebugPrivilege   2756  powershell.exe
Token: SeDebugPrivilege   2464  powershell.exe
Token: SeDebugPrivilege   2912  powershell.exe
Token: SeDebugPrivilege   1752  csrss.exe
Token: SeDebugPrivilege   2904  powershell.exe
Token: SeDebugPrivilege   3064  powershell.exe
Token: SeDebugPrivilege   2224  powershell.exe
Token: SeDebugPrivilege   2944  powershell.exe
Token: SeDebugPrivilege   828   csrss.exe
Token: SeDebugPrivilege   1540  csrss.exe
Token: SeDebugPrivilege   2160  csrss.exe
Token: SeDebugPrivilege   1716  csrss.exe
Token: SeDebugPrivilege   1344  csrss.exe
Token: SeDebugPrivilege   2064  csrss.exe
Token: SeDebugPrivilege   2744  csrss.exe
Token: SeDebugPrivilege   2548  csrss.exe
Token: SeDebugPrivilege   2220  csrss.exe
Token: SeDebugPrivilege   2932  csrss.exe
Suspicious use of WriteProcessMemory 64 IoCs

Every record is a parent writing into the address space of a process it has just created, so the pid -> pid_target edges reproduce the process tree in the Processes section. The raw list (capped at 64 entries) repeats each edge three or four times, one row per logged write; each edge is shown once here with its count.

pid   Process                                                                                  pid_target  procid_target  rows
2104  JaffaCakes118_fdc297fcbcb8ad6651b08f3c1b920f86cd42f5c02d6b13cc5db0449d87fe4cec.exe      3040        30             4
3040  WScript.exe                                                                              2764        31             4
2764  cmd.exe                                                                                  2304        33             4
2304  DllCommonsvc.exe                                                                         2944        56             3
2304  DllCommonsvc.exe                                                                         2756        57             3
2304  DllCommonsvc.exe                                                                         2904        58             3
2304  DllCommonsvc.exe                                                                         2912        59             3
2304  DllCommonsvc.exe                                                                         3064        60             3
2304  DllCommonsvc.exe                                                                         3052        61             3
2304  DllCommonsvc.exe                                                                         2224        62             3
2304  DllCommonsvc.exe                                                                         2464        63             3
2304  DllCommonsvc.exe                                                                         1752        72             3
1752  csrss.exe                                                                                968         74             3
968   cmd.exe                                                                                  2420        76             3
968   cmd.exe                                                                                  828         77             3
828   csrss.exe                                                                                2952        78             3
2952  cmd.exe                                                                                  1512        80             3
2952  cmd.exe                                                                                  1540        81             3
1540  csrss.exe                                                                                1788        82             3
1788  cmd.exe                                                                                  2344        84             3
1788  cmd.exe                                                                                  2160        85             1 (list truncated at 64)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

[1] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_fdc297fcbcb8ad6651b08f3c1b920f86cd42f5c02d6b13cc5db0449d87fe4cec.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_fdc297fcbcb8ad6651b08f3c1b920f86cd42f5c02d6b13cc5db0449d87fe4cec.exe"
    PID: 2104
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

  [2] C:\Windows\SysWOW64\WScript.exe
      cmdline: "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      PID: 3040
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      (The command line names System32 but the image ran from SysWOW64: the 32-bit parent is subject to file-system redirection.)

    [3] C:\Windows\SysWOW64\cmd.exe
        cmdline: cmd /c ""C:\providercommon\1zu9dW.bat" "
        PID: 2764
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

      [4] C:\providercommon\DllCommonsvc.exe
          cmdline: "C:\providercommon\DllCommonsvc.exe"
          PID: 2304
          - Executes dropped EXE
          - Drops file in Program Files directory
          - Drops file in Windows directory
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory

        [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (eight instances)
            cmdline: "powershell" -Command Add-MpPreference -ExclusionPath '<one of the paths below>'
            Each instance carries:
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

            PID   -ExclusionPath
            2944  C:\providercommon\DllCommonsvc.exe
            2756  C:\Users\All Users\csrss.exe
            2904  C:\Program Files\VideoLAN\VLC\hrtfs\audiodg.exe
            2912  C:\Program Files\MSBuild\wininit.exe
            3064  C:\Users\Default\dwm.exe
            3052  C:\Program Files (x86)\Common Files\winlogon.exe
            2224  C:\Windows\ServiceProfiles\dllhost.exe
            2464  C:\providercommon\wininit.exe
        [5] C:\Users\All Users\csrss.exe
            cmdline: "C:\Users\All Users\csrss.exe"
            PID: 1752
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory

            From here the tree is a loop. Each csrss.exe runs cmd.exe /C on a randomly named batch file in C:\Users\Admin\AppData\Local\Temp\; the batch file runs
              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
            (a stock substitute for a short sleep) and then starts C:\Users\All Users\csrss.exe again. Ten iterations were recorded within the analysis window:

            depth  csrss.exe PID  cmd.exe PID  batch file       w32tm.exe PID  next csrss.exe PID (depth)
            5      1752           968          4vfhrz6qhB.bat   2420           828 (7)
            7      828            2952         ctDgUbHuaY.bat   1512           1540 (9)
            9      1540           1788         yXZnhMCmO6.bat   2344           2160 (11)
            11     2160           2804         t3iRsZx2b7.bat   2588           1716 (13)
            13     1716           2776         G2aNa3Lme8.bat   2936           1344 (15)
            15     1344           2428         djCrJd6RmA.bat   1760           2064 (17)
            17     2064           3060         rcE1qBYVKA.bat   1476           2744 (19)
            19     2744           1628         6n1oUPmZQq.bat   2572           2548 (21)
            21     2548           1804         PfMhC4n1i0.bat   2664           2220 (23)
            23     2220           860          or7X1gMNi7.bat   2640           2932 (25)
            25     2932           (no children recorded before the run ended)

            Every csrss.exe instance carries: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken. csrss.exe 1752, 828 and 1540 and cmd.exe 968, 2952 and 1788 also carry Suspicious use of WriteProcessMemory; that signature's list is capped at 64 entries and ends at PID 1788, so deeper nodes do not show it. The w32tm.exe instances carry no signature.
Processes (continued): the 21 schtasks.exe instances

These were recorded as top-level processes because their parent is C:\Windows\system32\wbem\wmiprvse.exe (PID 2408), which is not part of the tree above (see "Process spawned unexpected child process"). Every instance runs from C:\Windows\system32\schtasks.exe and carries the same two flags:
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task

All 21 command lines have the form schtasks.exe /create /tn <name> /sc <trigger> [/mo <n>] /tr "'<target>'" [/rl HIGHEST] /f. For each target there is an ONLOGON task plus one or two MINUTE-interval tasks. Because /f forces creation over an existing task of the same name, the later "wininit"/"wininitw" registrations (PIDs 2680, 1420, 1740, pointing at C:\providercommon\wininit.exe) replace the earlier ones (PIDs 2892, 2184, 2404, pointing at C:\Program Files\MSBuild\wininit.exe).

PID   /tn        /sc      /mo  /rl      /tr
2844  csrssc     MINUTE   13   -        'C:\Users\All Users\csrss.exe'
2896  csrss      ONLOGON  -    HIGHEST  'C:\Users\All Users\csrss.exe'
2716  csrssc     MINUTE   12   HIGHEST  'C:\Users\All Users\csrss.exe'
2836  audiodga   MINUTE   13   -        'C:\Program Files\VideoLAN\VLC\hrtfs\audiodg.exe'
2588  audiodg    ONLOGON  -    HIGHEST  'C:\Program Files\VideoLAN\VLC\hrtfs\audiodg.exe'
2648  audiodga   MINUTE   12   HIGHEST  'C:\Program Files\VideoLAN\VLC\hrtfs\audiodg.exe'
2892  wininitw   MINUTE   8    -        'C:\Program Files\MSBuild\wininit.exe'
2184  wininit    ONLOGON  -    HIGHEST  'C:\Program Files\MSBuild\wininit.exe'
2404  wininitw   MINUTE   8    HIGHEST  'C:\Program Files\MSBuild\wininit.exe'
1380  dwmd       MINUTE   9    -        'C:\Users\Default\dwm.exe'
2788  dwm        ONLOGON  -    HIGHEST  'C:\Users\Default\dwm.exe'
1776  dwmd       MINUTE   6    HIGHEST  'C:\Users\Default\dwm.exe'
2112  winlogonw  MINUTE   5    -        'C:\Program Files (x86)\Common Files\winlogon.exe'
2780  winlogon   ONLOGON  -    HIGHEST  'C:\Program Files (x86)\Common Files\winlogon.exe'
2848  winlogonw  MINUTE   11   HIGHEST  'C:\Program Files (x86)\Common Files\winlogon.exe'
992   dllhostd   MINUTE   12   -        'C:\Windows\ServiceProfiles\dllhost.exe'
2776  dllhost    ONLOGON  -    HIGHEST  'C:\Windows\ServiceProfiles\dllhost.exe'
2416  dllhostd   MINUTE   5    HIGHEST  'C:\Windows\ServiceProfiles\dllhost.exe'
2680  wininitw   MINUTE   12   -        'C:\providercommon\wininit.exe'
1420  wininit    ONLOGON  -    HIGHEST  'C:\providercommon\wininit.exe'
1740  wininitw   MINUTE   8    HIGHEST  'C:\providercommon\wininit.exe'
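The schtasks.exe lines above are the whole persistence layer: for each dropped file an ONLOGON task and short MINUTE-interval tasks, most at /rl HIGHEST, all registered with WmiPrvSE.exe as the parent, which is the usual sign that the dropper created them through WMI rather than directly. As an added example (not part of the sandbox output), the following Python parses schtasks /create command lines from process-creation records, groups them by the executable they launch and summarises those indicators per target. The first five records are copied from this report; the final cmd.exe record is a constructed benign control, and the 15-minute threshold is an assumption.

```python
"""Triage scheduled-task persistence from process-creation telemetry.

Added example; it is not part of the sandbox report. It parses
`schtasks /create` command lines, groups them by the executable they
launch and reports: a logon trigger plus a short MINUTE interval for
the same file, /rl HIGHEST, and WmiPrvSE.exe as the parent.
"""
import re
from collections import defaultdict
from typing import Iterable, Optional, Tuple

WMI_PARENT = r"C:\Windows\system32\wbem\wmiprvse.exe"

# (pid, parent image, command line). The first five records are copied
# from the report; the last one is constructed as a benign control.
SAMPLE_EVENTS = [
    (2844, WMI_PARENT, r'''schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\csrss.exe'" /f'''),
    (2896, WMI_PARENT, r'''schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\All Users\csrss.exe'" /rl HIGHEST /f'''),
    (2716, WMI_PARENT, r'''schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\csrss.exe'" /rl HIGHEST /f'''),
    (992, WMI_PARENT, r'''schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Windows\ServiceProfiles\dllhost.exe'" /f'''),
    (2776, WMI_PARENT, r'''schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\ServiceProfiles\dllhost.exe'" /rl HIGHEST /f'''),
    (5100, r"C:\Windows\System32\cmd.exe",  # constructed: an administrator creating a daily job
     r'''schtasks /create /tn "Nightly Backup" /sc DAILY /st 02:00 /tr "C:\Program Files\Backup\backup.exe"'''),
]

# A token is a double-quoted string or a run of non-whitespace.
_TOKEN_RE = re.compile(r'"[^"]*"|\S+')
_FLAGS = {"/tn": "name", "/sc": "schedule", "/mo": "modifier", "/tr": "target", "/rl": "runlevel"}
MAX_INTERVAL_MINUTES = 15  # assumed threshold for "re-launches far too often"


def parse_schtasks(cmdline: str) -> Optional[dict]:
    """Fields of a `schtasks /create` call, or None if the line is something else."""
    # Strip the outer double quotes and then the inner single quotes DCRat wraps /tr in.
    tokens = [t.strip('"').strip("'") for t in _TOKEN_RE.findall(cmdline)]
    if not tokens:
        return None
    image = tokens[0].lower().rsplit("\\", 1)[-1]
    if image not in ("schtasks", "schtasks.exe") or "/create" not in [t.lower() for t in tokens]:
        return None
    fields = dict.fromkeys(_FLAGS.values())
    for i, tok in enumerate(tokens[:-1]):
        key = _FLAGS.get(tok.lower())
        if key:
            fields[key] = tokens[i + 1]
    return fields


def triage(events: Iterable[Tuple[int, str, str]]) -> dict:
    """Map lower-cased target path -> {'tasks': [...], 'indicators': [...]}."""
    by_target = defaultdict(lambda: {"tasks": [], "indicators": set()})
    for pid, parent, cmdline in events:
        task = parse_schtasks(cmdline)
        if not task or not task["target"]:
            continue
        entry = by_target[task["target"].lower()]
        entry["tasks"].append({"pid": pid, **task})
        if parent.lower().endswith("\\wmiprvse.exe"):
            entry["indicators"].add("created via WMI (parent WmiPrvSE.exe)")
        if (task["runlevel"] or "").upper() == "HIGHEST":
            entry["indicators"].add("runs with highest privileges")
        mo = task["modifier"] or ""
        if (task["schedule"] or "").upper() == "MINUTE" and mo.isdigit() and int(mo) <= MAX_INTERVAL_MINUTES:
            entry["indicators"].add(f"interval trigger of {MAX_INTERVAL_MINUTES} min or less")
    for entry in by_target.values():
        schedules = {(t["schedule"] or "").upper() for t in entry["tasks"]}
        if {"ONLOGON", "MINUTE"} <= schedules:
            entry["indicators"].add("logon + interval pair for the same file")
        entry["indicators"] = sorted(entry["indicators"])
    return dict(by_target)


if __name__ == "__main__":
    for target, entry in triage(SAMPLE_EVENTS).items():
        names = ", ".join(t["name"] for t in entry["tasks"])
        print(f"{target}\n  tasks: {names}\n  indicators: {entry['indicators'] or 'none'}")
```

Grouping by target rather than by task name is what exposes the pattern: the two task names per file differ only by a trailing letter, and the constructed daily backup job, created by cmd.exe with a DAILY trigger and no run level, collects no indicator at all.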
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5:      36343240e86063d692a668bb21b01596
  SHA1:     f7bdeb9478bba8c9a038ec1c4d144818796537c1
  SHA256:   39f76d6daf7d8b75077c7773a2876769c0d92fd079423a55d1661a0e482e2e4c
  SHA512:   1a9cccb04c9ef76f1ed5befa0475db3a4a6b8c2fde4461da3341c0d55314e4fc00d9b23444565df07cba2069480dd44cec2eb87140a56e4c864edde279fec27c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5:      d5248b1dce8c3e0e805694cd9268c05f
  SHA1:     2704146d75651dc6bdbbf3c918ab4e27a537663f
  SHA256:   7879b54a4aac74cd7a6e4c8efd2054d2b1f7279b9ef2ecf9ea367a68e18c9387
  SHA512:   796bbcf0e2d29691cfd83f6b8c24e0a419a9bd83db57777f5c58fda439e819c7840d08c0508cee6db697f45d974f6c1174cd728632e7177b113ad28e30e8d41f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5:      fa433f0c2c57c14cc1d5678150628a01
  SHA1:     6cba2e003a32239a604bef76d09d2f6727f98678
  SHA256:   bb1125d50bfafcac4f0cfb22c37d41e2b587691f07cd7b87c9b012b21e6b59a1
  SHA512:   d22425c0789c936eb6ca79602b416f09dbe43b9bff268c6b6de4113b67063da91806e936505b64f1555a3bf03a9f803a388483aba2820985f5ac7b253489c492

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5:      41d2051df8e319864c6bc54828617715
  SHA1:     0f70658061f0eef8346e7bdc599bc433482175f4
  SHA256:   e8269cff814148b6ad091db77eb62b5db734c56660f0d324f7a1336c12967173
  SHA512:   09ba6825c6e3eba5884760ddc6567bad5eeb8891e10d5270e7163dd7444e184a99f7f4b29919eda5d49f0efed4e7c4dc5477269cb4d92486364a03ece06152dd

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5:      4a078b7dd445c0cecdbfb0ff6020c8f5
  SHA1:     9bffdffa48ba41dbc79d44086d4579a8b8fa33b1
  SHA256:   f9f89333238ffb50ca97236d557d82503eb66bc7ee22b4a445bbc96030644f18
  SHA512:   f2bcbb2077a1cd760747874dbb8945745b420541a033719b485ed46a6c341e8692f3a23e5a3a802d34b733e6e86d090d99d1a7421535499ba74c09d48b4dfa5e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5:      24ca6cd987c63e48703a899332c64f5c
  SHA1:     baeec591ca1b75aadaacfacad00b5e12d0a761a2
  SHA256:   eeaca169c625536a8cbdb9271158c1cb60175d03e0e45dcc7944a220ef4b18c9
  SHA512:   981cd8d5d348b0f303f854daaa1ae837710486f0f7e57adbcee108a07468bef63565740d56ce09c2567cf54559415f1038946ebeedae4980cdb76de9b272d9b7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5:      dd93ce8b8670973dda17c76d3da3d7be
  SHA1:     83275372781ea8b4f7e1a93be75533132d971a60
  SHA256:   540c843bf56dbb181851e1b3a35c102869789f9573fdb7d9daad47a5a007a48b
  SHA512:   9bf0336439e41f4fdfa26cd0d9a6d3808199c31ed0d88efefe31434fc644eca9ceb9447b76c1bc70ee5d5fa6db3029e736052727302400ff779bc4d93e2a78f8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5:      a1fcab7b656301e4e823ae5f84615052
  SHA1:     53cf4b399eb9b54be1efcb1fff8ec8a92984db68
  SHA256:   b6fb6b18d44e15ec6d67fbfd5fc1fd9dc5fc5fa386b73b352a05004236039ae7
  SHA512:   20a0af4b84263e44818e53c1458becc361a06dd2672410f7c02f99ea4400951c0c1028d6d7f03072d1c8b5a17de438005dfef050db9f5357be0e6627098e4699

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5:      65ecbc1b42e69409d83a6d9bfeb4f4d9
  SHA1:     6ae74fd6889aebc2b26810e305c947082108e75a
  SHA256:   337a11fc2a37820ac867d205bc520bb5c2621fff55a73e5c884be9ab13e7f89d
  SHA512:   1dee608a21b29c49290dfa7d7f40a063f48533fe02f3e786fa9438a21d24977335c37a0780484909f9b548c8136b5c9fc5c1ef9814f2980dc273d2cd22e7712c

(The following entries are listed without a path in the report.)

  Filesize: 193B
  MD5:      74aac7231e3ed2944eef11d90308e555
  SHA1:     127c858ae56d879ba8a981fef7bd10c17125c19b
  SHA256:   10fff75fa092192134d6c5d82378294a7734235e12de7c0ffcfc82e03fb574b3
  SHA512:   e0271e4bd87303938b873bc3d63e4139f1a799289bbf61914fa89079d86d7f34b97b600668689fb785e684b1dfa3e19445b83f0918809519d5c4f711b242fb3c

  Filesize: 193B
  MD5:      c77427d22f995b8582cef2f0b05308f3
  SHA1:     a263930fb05324ea96afcf5a48cac6cdab9b3f80
  SHA256:   3c955d582c07cf0a9b6b597bfb9c695839040c997ee7d827c663db49ea66d64b
  SHA512:   1acbf9e208ae27bd9b2129d5c9d4dde0513fb1fc8ab9144efc2ba67d7c05cfd7fcaa8174f5afc20d9e7efbcc80ba17fa056d3db4d5ca69f83a30609d45c19fc3

  Filesize: 70KB
  MD5:      49aebf8cbd62d92ac215b2923fb1b9f5
  SHA1:     1723be06719828dda65ad804298d0431f6aff976
  SHA256:   b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
  SHA512:   bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

  Filesize: 193B
  MD5:      e8c84858824846011bebbcc0a13973b8
  SHA1:     3e5c53913fc86462f5143995f1443b5bcda7eb9d
  SHA256:   051d8e3dd11718f49c85fda2ea9b62ffddc03fbcab20f8cf359cc6b4f2779d0a
  SHA512:   b83d6aef7b73e781ca14d8e54094457561aa33c47645e8887ab228aed76b4f798ada95ea84dee11433e2a53c988a9c70841c72ebb67327817a63e5a65c746623

  Filesize: 193B
  MD5:      d9252b0174fcdeab39ec08e79ca980a4
  SHA1:     14de7548c84dac289d3fe43d10262a1668b6241b
  SHA256:   2afa1405d61a97b2319bcc0c809b73006f198e9982a61e1c073f67a9441aad40
  SHA512:   48e21ed25e420851167decd210ee2dcaa38ea140e5b095077ce2c3acb4e72deac6c95781becba194f4568187bd7a4f9dc3b1fe7beca767015dac16a4a0999b4b

  Filesize: 181KB
  MD5:      4ea6026cf93ec6338144661bf1202cd1
  SHA1:     a1dec9044f750ad887935a01430bf49322fbdcb7
  SHA256:   8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
  SHA512:   6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

  Filesize: 193B
  MD5:      7bf66459847d25e4236dcd6fcbb68279
  SHA1:     6a6b0b0cd249b7eafc77231667a206cbc15b0dd6
  SHA256:   245dee64707a266646cdb16adc037276fcdda88a4788c5cfc76e15bdc8dc085a
  SHA512:   f132cafb51d0f394e20e52e2cf887c23bfec87143e34c8842af8f55adc7972ebee5e73520202dde55177eaee3ed874e415fe1e01a43488504aa053ef96decb50

  Filesize: 193B
  MD5:      c46485ce984bbc159bafebd21a82c25e
  SHA1:     c3864ced499593aa0f4c7b5c26c46a332f94c85a
  SHA256:   765246493ae97a3d5e3c497e74f6e5f03ce90621e30248916f6e99f475564bad
  SHA512:   85fe517423f45d2a3aa7a1fa9eb77d6862cdd1aa24e9453f9abf9fa0f087d03943ae3d8d719b597dac0ebd51f33c64e360b53445435fe62f9d0bab16bfebf20f

  Filesize: 193B
  MD5:      fefb94c0c494f258b80108b225ed9534
  SHA1:     1b02147ad61dc78c3a76877f32c5c359d6829dfd
  SHA256:   5b183b91aedba319c64e0a793b504807020f11c1cd09a1e7d1d42ba2bb3f0006
  SHA512:   4b20cf0ec8c36c09b165b4c38259fc86539ec47f3c0940da291a7c36ec285a47396331d2a0825023dae6d8ec8ed9e1bc405c99122788feae7e5877d2515dfc83

  Filesize: 193B
  MD5:      233ab68f5769aa682a6c3fc3ec59e715
  SHA1:     d88772ca79e1c2041c827a0c173b18cbe7fb9aad
  SHA256:   69cf814faed4bdecc8ddfe4d2fa27d7e9146f635e561973cf39ea1d03339f64f
  SHA512:   0bcead9324320826259491a31c858f43c0feb901f32ef60541e97c8e4a325ff5e389affb879a7506f0cc27db34020593748d09c26efac7085aa4920b52681f01

  Filesize: 193B
  MD5:      e489896005ef5343e4a2044b0ed5f03b
  SHA1:     4a1ec82c67b3b117eb6b3f22a16a9f4628556452
  SHA256:   d07f0ccde54fbbad33443b2498340e0de0389898bf6f8a0fbc0db79a8834300f
  SHA512:   94463a639bc9041b89cea0d7c730b7ad1b1dd7fdbc79c7454ec9af1d1fa4e36cd7923081ee481cfaf10f83c74b4f1b6310f38fb9ad8a487faa96ce97ab6156c2

  Filesize: 193B
  MD5:      434538583f47f065f281d791a6602b2f
  SHA1:     fb3e9e6017226b4acda4266e24250171bbbb7cbd
  SHA256:   740444187e3fb367c3be5c8e93ec3dfa46ecb0d0035cfeb1ccc0c24808c0e7c4
  SHA512:   9afb17d5ed509b4e15a8944ed5926561ccf94c331fb58e9949b1a5c2987ac3f2afb2ae6c27690abd5bd52f325e6b80481859408b6439605c8430b9ad4f09264b

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5:      fb7d1b0192e8a0cdfbf016a1fdc65f6c
  SHA1:     168119c030aad7cb6a93e361e72b9a0cca801680
  SHA256:   7bc004b0bafae410c66fd3c067a88b8e874cd7c013b620f4d912449a4cb93e46
  SHA512:   c98d45885d5180a01f0268a16d2cc6b23528bad9551a5c8354020e079fc98ed991c35b45703de005aa2aba359358742336d71685ee81345f16c60d470ee2d27d

(No path listed in the report.)
  Filesize: 36B
  MD5:      6783c3ee07c7d151ceac57f1f9c8bed7
  SHA1:     17468f98f95bf504cc1f83c49e49a78526b3ea03
  SHA256:   8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
  SHA512:   c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

(No path listed in the report.)
  Filesize: 1.0MB
  MD5:      bd31e94b4143c4ce49c17d3af46bcad0
  SHA1:     f8c51ff3ff909531d9469d4ba1bbabae101853ff
  SHA256:   b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
  SHA512:   f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

(No path listed in the report.)
  Filesize: 197B
  MD5:      8088241160261560a02c84025d107592
  SHA1:     083121f7027557570994c9fc211df61730455bb5
  SHA256:   2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
  SHA512:   20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478