Analysis
max time kernel: 149s
max time network: 154s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system
submitted: 22-12-2024 01:12
Behavioral task: behavioral1
Sample: JaffaCakes118_cfb5caa044fc0f2dfffa6ef4f0788c2afefb3831796611f26be6a230e7a6f9c5.exe
Resource: win7-20241010-en
Behavioral task: behavioral2
Sample: JaffaCakes118_cfb5caa044fc0f2dfffa6ef4f0788c2afefb3831796611f26be6a230e7a6f9c5.exe
Resource: win10v2004-20241007-en
General
Target: JaffaCakes118_cfb5caa044fc0f2dfffa6ef4f0788c2afefb3831796611f26be6a230e7a6f9c5.exe
Size: 1.3MB
MD5: fd4723d4daed5b787199a3d5e21040b5
SHA1: 533cff7711b4d262509260280227fcb0d0433b67
SHA256: cfb5caa044fc0f2dfffa6ef4f0788c2afefb3831796611f26be6a230e7a6f9c5
SHA512: 821cc704eaacd6cdf1891a382629ada668952d151bdd30acc8e657bcf50d6cdd1c2f9e584cbf99a40e53af726600ac7ab413ed4f3c42a90cf805b089dd043cf9
SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
DcRat
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
Dcrat family
Process spawned unexpected child process (21 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2380 | 2656 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2792 | 2656 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2676 | 2656 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2684 | 2656 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 320 | 2656 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1104 | 2656 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2604 | 2656 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 656 | 2656 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2984 | 2656 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2800 | 2656 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 340 | 2656 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2720 | 2656 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1984 | 2656 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1152 | 2656 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2820 | 2656 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1464 | 2656 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1288 | 2656 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3008 | 2656 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2396 | 2656 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3004 | 2656 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1628 | 2656 | schtasks.exe | 35
resource | yara_rule
behavioral1/files/0x0007000000016cab-9.dat | dcrat
behavioral1/memory/2724-13-0x0000000000D30000-0x0000000000E40000-memory.dmp | dcrat
behavioral1/memory/2120-59-0x0000000000C40000-0x0000000000D50000-memory.dmp | dcrat
behavioral1/memory/1812-375-0x0000000000DC0000-0x0000000000ED0000-memory.dmp | dcrat
behavioral1/memory/2200-435-0x0000000000220000-0x0000000000330000-memory.dmp | dcrat
behavioral1/memory/1564-495-0x00000000010B0000-0x00000000011C0000-memory.dmp | dcrat
behavioral1/memory/2336-555-0x00000000013E0000-0x00000000014F0000-memory.dmp | dcrat
behavioral1/memory/2724-615-0x0000000000060000-0x0000000000170000-memory.dmp | dcrat
Command and Scripting Interpreter: PowerShell (1 TTP, 8 IoCs)
Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid | Process
1908 | powershell.exe
1076 | powershell.exe
2716 | powershell.exe
2248 | powershell.exe
1484 | powershell.exe
1332 | powershell.exe
2096 | powershell.exe
2028 | powershell.exe
Executes dropped EXE (11 IoCs)
pid | Process
2724 | DllCommonsvc.exe
2120 | Idle.exe
1728 | Idle.exe
2224 | Idle.exe
1460 | Idle.exe
1648 | Idle.exe
1812 | Idle.exe
2200 | Idle.exe
1564 | Idle.exe
2336 | Idle.exe
2724 | Idle.exe
Loads dropped DLL (2 IoCs)
pid | Process
868 | cmd.exe
868 | cmd.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTP, 11 IoCs)
flow | ioc
4 | raw.githubusercontent.com
5 | raw.githubusercontent.com
23 | raw.githubusercontent.com
27 | raw.githubusercontent.com
30 | raw.githubusercontent.com
37 | raw.githubusercontent.com
9 | raw.githubusercontent.com
13 | raw.githubusercontent.com
16 | raw.githubusercontent.com
20 | raw.githubusercontent.com
34 | raw.githubusercontent.com
Drops file in Program Files directory (3 IoCs)
description | ioc | Process
File created | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\winlogon.exe | DllCommonsvc.exe
File opened for modification | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\winlogon.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\cc11b995f2a76d | DllCommonsvc.exe
Drops file in Windows directory (4 IoCs)
description | ioc | Process
File created | C:\Windows\Web\Wallpaper\Landscapes\f3b6ecef712a24 | DllCommonsvc.exe
File created | C:\Windows\addins\lsass.exe | DllCommonsvc.exe
File created | C:\Windows\addins\6203df4a6bafc7 | DllCommonsvc.exe
File created | C:\Windows\Web\Wallpaper\Landscapes\spoolsv.exe | DllCommonsvc.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_cfb5caa044fc0f2dfffa6ef4f0788c2afefb3831796611f26be6a230e7a6f9c5.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Scheduled Task/Job: Scheduled Task (1 TTP, 21 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
2676 | schtasks.exe
320 | schtasks.exe
2820 | schtasks.exe
1464 | schtasks.exe
2396 | schtasks.exe
2792 | schtasks.exe
1984 | schtasks.exe
1152 | schtasks.exe
3004 | schtasks.exe
1628 | schtasks.exe
2380 | schtasks.exe
2684 | schtasks.exe
2604 | schtasks.exe
340 | schtasks.exe
2720 | schtasks.exe
1288 | schtasks.exe
3008 | schtasks.exe
1104 | schtasks.exe
656 | schtasks.exe
2984 | schtasks.exe
2800 | schtasks.exe
Suspicious behavior: EnumeratesProcesses (19 IoCs)
pid | Process
2724 | DllCommonsvc.exe
2096 | powershell.exe
2028 | powershell.exe
2716 | powershell.exe
2248 | powershell.exe
1332 | powershell.exe
1908 | powershell.exe
1484 | powershell.exe
1076 | powershell.exe
2120 | Idle.exe
1728 | Idle.exe
2224 | Idle.exe
1460 | Idle.exe
1648 | Idle.exe
1812 | Idle.exe
2200 | Idle.exe
1564 | Idle.exe
2336 | Idle.exe
2724 | Idle.exe
Suspicious use of AdjustPrivilegeToken (19 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2724 | DllCommonsvc.exe
Token: SeDebugPrivilege | 2096 | powershell.exe
Token: SeDebugPrivilege | 2028 | powershell.exe
Token: SeDebugPrivilege | 2716 | powershell.exe
Token: SeDebugPrivilege | 2248 | powershell.exe
Token: SeDebugPrivilege | 1332 | powershell.exe
Token: SeDebugPrivilege | 2120 | Idle.exe
Token: SeDebugPrivilege | 1908 | powershell.exe
Token: SeDebugPrivilege | 1484 | powershell.exe
Token: SeDebugPrivilege | 1076 | powershell.exe
Token: SeDebugPrivilege | 1728 | Idle.exe
Token: SeDebugPrivilege | 2224 | Idle.exe
Token: SeDebugPrivilege | 1460 | Idle.exe
Token: SeDebugPrivilege | 1648 | Idle.exe
Token: SeDebugPrivilege | 1812 | Idle.exe
Token: SeDebugPrivilege | 2200 | Idle.exe
Token: SeDebugPrivilege | 1564 | Idle.exe
Token: SeDebugPrivilege | 2336 | Idle.exe
Token: SeDebugPrivilege | 2724 | Idle.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 2272 wrote to memory of 2536 | 2272 | JaffaCakes118_cfb5caa044fc0f2dfffa6ef4f0788c2afefb3831796611f26be6a230e7a6f9c5.exe | 31
PID 2272 wrote to memory of 2536 | 2272 | JaffaCakes118_cfb5caa044fc0f2dfffa6ef4f0788c2afefb3831796611f26be6a230e7a6f9c5.exe | 31
PID 2272 wrote to memory of 2536 | 2272 | JaffaCakes118_cfb5caa044fc0f2dfffa6ef4f0788c2afefb3831796611f26be6a230e7a6f9c5.exe | 31
PID 2272 wrote to memory of 2536 | 2272 | JaffaCakes118_cfb5caa044fc0f2dfffa6ef4f0788c2afefb3831796611f26be6a230e7a6f9c5.exe | 31
PID 2536 wrote to memory of 868 | 2536 | WScript.exe | 32
PID 2536 wrote to memory of 868 | 2536 | WScript.exe | 32
PID 2536 wrote to memory of 868 | 2536 | WScript.exe | 32
PID 2536 wrote to memory of 868 | 2536 | WScript.exe | 32
PID 868 wrote to memory of 2724 | 868 | cmd.exe | 34
PID 868 wrote to memory of 2724 | 868 | cmd.exe | 34
PID 868 wrote to memory of 2724 | 868 | cmd.exe | 34
PID 868 wrote to memory of 2724 | 868 | cmd.exe | 34
PID 2724 wrote to memory of 2716 | 2724 | DllCommonsvc.exe | 57
PID 2724 wrote to memory of 2716 | 2724 | DllCommonsvc.exe | 57
PID 2724 wrote to memory of 2716 | 2724 | DllCommonsvc.exe | 57
PID 2724 wrote to memory of 2248 | 2724 | DllCommonsvc.exe | 58
PID 2724 wrote to memory of 2248 | 2724 | DllCommonsvc.exe | 58
PID 2724 wrote to memory of 2248 | 2724 | DllCommonsvc.exe | 58
PID 2724 wrote to memory of 1484 | 2724 | DllCommonsvc.exe | 59
PID 2724 wrote to memory of 1484 | 2724 | DllCommonsvc.exe | 59
PID 2724 wrote to memory of 1484 | 2724 | DllCommonsvc.exe | 59
PID 2724 wrote to memory of 1332 | 2724 | DllCommonsvc.exe | 61
PID 2724 wrote to memory of 1332 | 2724 | DllCommonsvc.exe | 61
PID 2724 wrote to memory of 1332 | 2724 | DllCommonsvc.exe | 61
PID 2724 wrote to memory of 1908 | 2724 | DllCommonsvc.exe | 62
PID 2724 wrote to memory of 1908 | 2724 | DllCommonsvc.exe | 62
PID 2724 wrote to memory of 1908 | 2724 | DllCommonsvc.exe | 62
PID 2724 wrote to memory of 2028 | 2724 | DllCommonsvc.exe | 63
PID 2724 wrote to memory of 2028 | 2724 | DllCommonsvc.exe | 63
PID 2724 wrote to memory of 2028 | 2724 | DllCommonsvc.exe | 63
PID 2724 wrote to memory of 2096 | 2724 | DllCommonsvc.exe | 65
PID 2724 wrote to memory of 2096 | 2724 | DllCommonsvc.exe | 65
PID 2724 wrote to memory of 2096 | 2724 | DllCommonsvc.exe | 65
PID 2724 wrote to memory of 1076 | 2724 | DllCommonsvc.exe | 67
PID 2724 wrote to memory of 1076 | 2724 | DllCommonsvc.exe | 67
PID 2724 wrote to memory of 1076 | 2724 | DllCommonsvc.exe | 67
PID 2724 wrote to memory of 2120 | 2724 | DllCommonsvc.exe | 73
PID 2724 wrote to memory of 2120 | 2724 | DllCommonsvc.exe | 73
PID 2724 wrote to memory of 2120 | 2724 | DllCommonsvc.exe | 73
PID 2120 wrote to memory of 1932 | 2120 | Idle.exe | 74
PID 2120 wrote to memory of 1932 | 2120 | Idle.exe | 74
PID 2120 wrote to memory of 1932 | 2120 | Idle.exe | 74
PID 1932 wrote to memory of 1752 | 1932 | cmd.exe | 76
PID 1932 wrote to memory of 1752 | 1932 | cmd.exe | 76
PID 1932 wrote to memory of 1752 | 1932 | cmd.exe | 76
PID 1932 wrote to memory of 1728 | 1932 | cmd.exe | 77
PID 1932 wrote to memory of 1728 | 1932 | cmd.exe | 77
PID 1932 wrote to memory of 1728 | 1932 | cmd.exe | 77
PID 1728 wrote to memory of 2400 | 1728 | Idle.exe | 78
PID 1728 wrote to memory of 2400 | 1728 | Idle.exe | 78
PID 1728 wrote to memory of 2400 | 1728 | Idle.exe | 78
PID 2400 wrote to memory of 1800 | 2400 | cmd.exe | 80
PID 2400 wrote to memory of 1800 | 2400 | cmd.exe | 80
PID 2400 wrote to memory of 1800 | 2400 | cmd.exe | 80
PID 2400 wrote to memory of 2224 | 2400 | cmd.exe | 81
PID 2400 wrote to memory of 2224 | 2400 | cmd.exe | 81
PID 2400 wrote to memory of 2224 | 2400 | cmd.exe | 81
PID 2224 wrote to memory of 2248 | 2224 | Idle.exe | 82
PID 2224 wrote to memory of 2248 | 2224 | Idle.exe | 82
PID 2224 wrote to memory of 2248 | 2224 | Idle.exe | 82
PID 2248 wrote to memory of 2396 | 2248 | cmd.exe | 84
PID 2248 wrote to memory of 2396 | 2248 | cmd.exe | 84
PID 2248 wrote to memory of 2396 | 2248 | cmd.exe | 84
PID 2248 wrote to memory of 1460 | 2248 | cmd.exe | 85
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cfb5caa044fc0f2dfffa6ef4f0788c2afefb3831796611f26be6a230e7a6f9c5.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cfb5caa044fc0f2dfffa6ef4f0788c2afefb3831796611f26be6a230e7a6f9c5.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2272

Level 2: C:\Windows\SysWOW64\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2536

Level 3: C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c ""C:\providercommon\1zu9dW.bat" "
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 868

Level 4: C:\providercommon\DllCommonsvc.exe
  Command line: "C:\providercommon\DllCommonsvc.exe"
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2724

Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2716

Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\winlogon.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2248

Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\addins\lsass.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1484

Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\taskhost.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1332

Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Pictures\Idle.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1908

Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Web\Wallpaper\Landscapes\spoolsv.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2028

Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Documents\My Videos\winlogon.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2096

Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsass.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1076
Level 5: C:\Users\Default\Pictures\Idle.exe
  Command line: "C:\Users\Default\Pictures\Idle.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2120

Level 6: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KmPq9HzxB6.bat"
  - Suspicious use of WriteProcessMemory
  PID: 1932

Level 7: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 1752

Level 7: C:\Users\Default\Pictures\Idle.exe
  Command line: "C:\Users\Default\Pictures\Idle.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1728

Level 8: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Bf5uratM3O.bat"
  - Suspicious use of WriteProcessMemory
  PID: 2400

Level 9: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 1800

Level 9: C:\Users\Default\Pictures\Idle.exe
  Command line: "C:\Users\Default\Pictures\Idle.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2224

Level 10: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zfOrxS71E3.bat"
  - Suspicious use of WriteProcessMemory
  PID: 2248

Level 11: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2396

Level 11: C:\Users\Default\Pictures\Idle.exe
  Command line: "C:\Users\Default\Pictures\Idle.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1460

Level 12: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oYNvu0ZNBR.bat"
  PID: 1488

Level 13: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 1620

Level 13: C:\Users\Default\Pictures\Idle.exe
  Command line: "C:\Users\Default\Pictures\Idle.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1648

Level 14: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PX74P8KQcP.bat"
  PID: 1164

Level 15: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2976

Level 15: C:\Users\Default\Pictures\Idle.exe
  Command line: "C:\Users\Default\Pictures\Idle.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1812

Level 16: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\I0OceA6Xfh.bat"
  PID: 3028

Level 17: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2592

Level 17: C:\Users\Default\Pictures\Idle.exe
  Command line: "C:\Users\Default\Pictures\Idle.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2200

Level 18: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\T7QXgceCiI.bat"
  PID: 2232

Level 19: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2872

Level 19: C:\Users\Default\Pictures\Idle.exe
  Command line: "C:\Users\Default\Pictures\Idle.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1564

Level 20: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\V9nTU0UPEK.bat"
  PID: 2196

Level 21: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 1992

Level 21: C:\Users\Default\Pictures\Idle.exe
  Command line: "C:\Users\Default\Pictures\Idle.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2336

Level 22: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5mXdMdden9.bat"
  PID: 1660

Level 23: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2020

Level 23: C:\Users\Default\Pictures\Idle.exe
  Command line: "C:\Users\Default\Pictures\Idle.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2724

Level 24: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oYNvu0ZNBR.bat"
  PID: 2468

Level 25: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2508
Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\winlogon.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2380

Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\winlogon.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2792

Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\winlogon.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2676

Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Windows\addins\lsass.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2684

Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\addins\lsass.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 320

Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Windows\addins\lsass.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1104

Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\taskhost.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2604

Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\taskhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 656

Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\taskhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2984

Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Pictures\Idle.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2800

Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Default\Pictures\Idle.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 340

Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Pictures\Idle.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2720

Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Windows\Web\Wallpaper\Landscapes\spoolsv.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1984

Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\Web\Wallpaper\Landscapes\spoolsv.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1152

Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Windows\Web\Wallpaper\Landscapes\spoolsv.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2820

Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Documents\My Videos\winlogon.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1464

Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Default\Documents\My Videos\winlogon.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1288

Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Documents\My Videos\winlogon.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 3008

Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsass.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2396

Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsass.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 3004

Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsass.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1628
Network
MITRE ATT&CK Enterprise v15
Downloads