Analysis
max time kernel: 144s
max time network: 140s
platform: windows7_x64
resource: win7-20241023-en
resource tags: arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
submitted: 30/12/2024, 02:41
Behavioral task behavioral1
Sample: JaffaCakes118_233d602c2bb0aa039274d6901238323836ff9194fa38765b7a0fb4d0495a380a.exe
Resource: win7-20241023-en
Behavioral task behavioral2
Sample: JaffaCakes118_233d602c2bb0aa039274d6901238323836ff9194fa38765b7a0fb4d0495a380a.exe
Resource: win10v2004-20241007-en
General
Target: JaffaCakes118_233d602c2bb0aa039274d6901238323836ff9194fa38765b7a0fb4d0495a380a.exe
Size: 1.3MB
MD5: 70699415fbf2bae7812609534d511320
SHA1: 2c3258cc81f72281346d98c4fc7f2ecf9126b04b
SHA256: 233d602c2bb0aa039274d6901238323836ff9194fa38765b7a0fb4d0495a380a
SHA512: ef4d4e77895eec4a0157dccc9a433e05f4fb12f61e94a0373ebaafd95c5b02f0dd7a7ec59599a22b39c3ccd44706f079a93050559573efc887e935edf76b5fe0
SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
DcRat
DarkCrystal (DC) is a .NET RAT active since June 2019 that is capable of loading additional plugins.
resource | yara_rule
behavioral1/files/0x0007000000016c88-9.dat | dcrat
behavioral1/memory/2848-13-0x0000000000130000-0x0000000000240000-memory.dmp | dcrat
behavioral1/memory/2104-93-0x0000000000260000-0x0000000000370000-memory.dmp | dcrat
behavioral1/memory/2808-152-0x00000000001C0000-0x00000000002D0000-memory.dmp | dcrat
behavioral1/memory/2640-212-0x0000000001380000-0x0000000001490000-memory.dmp | dcrat
behavioral1/memory/1592-275-0x00000000010A0000-0x00000000011B0000-memory.dmp | dcrat
behavioral1/memory/2704-336-0x00000000000C0000-0x00000000001D0000-memory.dmp | dcrat
behavioral1/memory/1836-396-0x0000000000990000-0x0000000000AA0000-memory.dmp | dcrat
behavioral1/memory/2724-456-0x0000000000CF0000-0x0000000000E00000-memory.dmp | dcrat
behavioral1/memory/1760-516-0x0000000001030000-0x0000000001140000-memory.dmp | dcrat

Dcrat family

Process spawned unexpected child process (27 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
description (all 27 entries): Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
pid | pid_target | Process | procid_target
2780 | 2792 | schtasks.exe | 34
2856 | 2792 | schtasks.exe | 34
3040 | 2792 | schtasks.exe | 34
2712 | 2792 | schtasks.exe | 34
2836 | 2792 | schtasks.exe | 34
2696 | 2792 | schtasks.exe | 34
2524 | 2792 | schtasks.exe | 34
2492 | 2792 | schtasks.exe | 34
2508 | 2792 | schtasks.exe | 34
2980 | 2792 | schtasks.exe | 34
1612 | 2792 | schtasks.exe | 34
1432 | 2792 | schtasks.exe | 34
752 | 2792 | schtasks.exe | 34
2764 | 2792 | schtasks.exe | 34
1956 | 2792 | schtasks.exe | 34
1028 | 2792 | schtasks.exe | 34
1952 | 2792 | schtasks.exe | 34
820 | 2792 | schtasks.exe | 34
1140 | 2792 | schtasks.exe | 34
1740 | 2792 | schtasks.exe | 34
3044 | 2792 | schtasks.exe | 34
3048 | 2792 | schtasks.exe | 34
2260 | 2792 | schtasks.exe | 34
2632 | 2792 | schtasks.exe | 34
2760 | 2792 | schtasks.exe | 34
1876 | 2792 | schtasks.exe | 34
580 | 2792 | schtasks.exe | 34
Command and Scripting Interpreter: PowerShell (1 TTPs, 10 IoCs)
Run PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid | Process
1824 | powershell.exe
840 | powershell.exe
1816 | powershell.exe
748 | powershell.exe
696 | powershell.exe
2040 | powershell.exe
552 | powershell.exe
1072 | powershell.exe
648 | powershell.exe
2600 | powershell.exe

Executes dropped EXE (10 IoCs)
pid | Process
2848 | DllCommonsvc.exe
2104 | wininit.exe
2808 | wininit.exe
2640 | wininit.exe
492 | wininit.exe
1592 | wininit.exe
2704 | wininit.exe
1836 | wininit.exe
2724 | wininit.exe
1760 | wininit.exe

Loads dropped DLL (2 IoCs)
pid | Process
2036 | cmd.exe
2036 | cmd.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 9 IoCs)
flow | ioc
5 | raw.githubusercontent.com
9 | raw.githubusercontent.com
22 | raw.githubusercontent.com
29 | raw.githubusercontent.com
4 | raw.githubusercontent.com
12 | raw.githubusercontent.com
16 | raw.githubusercontent.com
19 | raw.githubusercontent.com
25 | raw.githubusercontent.com

Drops file in Windows directory (4 IoCs)
description | ioc | Process
File created | C:\Windows\assembly\42af1c969fbb7b | DllCommonsvc.exe
File created | C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\conhost.exe | DllCommonsvc.exe
File created | C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\088424020bedd6 | DllCommonsvc.exe
File created | C:\Windows\assembly\audiodg.exe | DllCommonsvc.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_233d602c2bb0aa039274d6901238323836ff9194fa38765b7a0fb4d0495a380a.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe

Scheduled Task/Job: Scheduled Task (1 TTPs, 27 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Process: schtasks.exe (all 27 entries)
pids: 2980, 2632, 2780, 2712, 2508, 1140, 1876, 1952, 3040, 2696, 1612, 1956, 1028, 2260, 2492, 1432, 2760, 2856, 3048, 580, 752, 2764, 1740, 3044, 820, 2836, 2524

Suspicious behavior: EnumeratesProcesses (19 IoCs)
pid | Process
2848 | DllCommonsvc.exe
1824 | powershell.exe
1072 | powershell.exe
1816 | powershell.exe
2040 | powershell.exe
648 | powershell.exe
552 | powershell.exe
696 | powershell.exe
840 | powershell.exe
2600 | powershell.exe
748 | powershell.exe
2104 | wininit.exe
2808 | wininit.exe
2640 | wininit.exe
1592 | wininit.exe
2704 | wininit.exe
1836 | wininit.exe
2724 | wininit.exe
1760 | wininit.exe

Suspicious use of AdjustPrivilegeToken (19 IoCs)
description (all 19 entries): Token: SeDebugPrivilege
pid | Process
2848 | DllCommonsvc.exe
1824 | powershell.exe
1072 | powershell.exe
1816 | powershell.exe
2040 | powershell.exe
648 | powershell.exe
552 | powershell.exe
696 | powershell.exe
840 | powershell.exe
2600 | powershell.exe
748 | powershell.exe
2104 | wininit.exe
2808 | wininit.exe
2640 | wininit.exe
1592 | wininit.exe
2704 | wininit.exe
1836 | wininit.exe
2724 | wininit.exe
1760 | wininit.exe

Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target (identical consecutive entries collapsed with a count)
PID 2616 wrote to memory of 2604 | 2616 | JaffaCakes118_233d602c2bb0aa039274d6901238323836ff9194fa38765b7a0fb4d0495a380a.exe | 30 (x4)
PID 2604 wrote to memory of 2036 | 2604 | WScript.exe | 31 (x4)
PID 2036 wrote to memory of 2848 | 2036 | cmd.exe | 33 (x4)
PID 2848 wrote to memory of 2040 | 2848 | DllCommonsvc.exe | 62 (x3)
PID 2848 wrote to memory of 1824 | 2848 | DllCommonsvc.exe | 63 (x3)
PID 2848 wrote to memory of 748 | 2848 | DllCommonsvc.exe | 64 (x3)
PID 2848 wrote to memory of 648 | 2848 | DllCommonsvc.exe | 65 (x3)
PID 2848 wrote to memory of 1072 | 2848 | DllCommonsvc.exe | 66 (x3)
PID 2848 wrote to memory of 552 | 2848 | DllCommonsvc.exe | 67 (x3)
PID 2848 wrote to memory of 840 | 2848 | DllCommonsvc.exe | 68 (x3)
PID 2848 wrote to memory of 1816 | 2848 | DllCommonsvc.exe | 69 (x3)
PID 2848 wrote to memory of 2600 | 2848 | DllCommonsvc.exe | 70 (x3)
PID 2848 wrote to memory of 696 | 2848 | DllCommonsvc.exe | 71 (x3)
PID 2848 wrote to memory of 1112 | 2848 | DllCommonsvc.exe | 82 (x3)
PID 1112 wrote to memory of 492 | 1112 | cmd.exe | 85 (x3)
PID 1112 wrote to memory of 2104 | 1112 | cmd.exe | 86 (x3)
PID 2104 wrote to memory of 1948 | 2104 | wininit.exe | 87 (x3)
PID 1948 wrote to memory of 2156 | 1948 | cmd.exe | 89 (x3)
PID 1948 wrote to memory of 2808 | 1948 | cmd.exe | 90 (x3)
PID 2808 wrote to memory of 744 | 2808 | wininit.exe | 91 (x3)
PID 744 wrote to memory of 2876 | 744 | cmd.exe | 93 (x1)

Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (the number in brackets is the depth of the process in the tree)

[1] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_233d602c2bb0aa039274d6901238323836ff9194fa38765b7a0fb4d0495a380a.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_233d602c2bb0aa039274d6901238323836ff9194fa38765b7a0fb4d0495a380a.exe"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 2616

[2] C:\Windows\SysWOW64\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 2604

[3] C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c ""C:\providercommon\1zu9dW.bat" "
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 2036

[4] C:\providercommon\DllCommonsvc.exe
    Command line: "C:\providercommon\DllCommonsvc.exe"
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 2848

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2040

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\sppsvc.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1824

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\lsm.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 748

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Downloads\conhost.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 648

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\assembly\audiodg.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1072

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\wininit.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 552

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\conhost.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 840

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\DllCommonsvc.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1816

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\wininit.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2600

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\System.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 696

[5] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bbUpz34cjT.bat"
    - Suspicious use of WriteProcessMemory
    PID: 1112

[6] C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 492

[6] C:\MSOCache\All Users\wininit.exe
    Command line: "C:\MSOCache\All Users\wininit.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 2104

[7] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FnVhX1xwia.bat"
    - Suspicious use of WriteProcessMemory
    PID: 1948

[8] C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 2156

[8] C:\MSOCache\All Users\wininit.exe
    Command line: "C:\MSOCache\All Users\wininit.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 2808

[9] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dIJBhaqFKS.bat"
    - Suspicious use of WriteProcessMemory
    PID: 744

[10] C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 2876

[10] C:\MSOCache\All Users\wininit.exe
    Command line: "C:\MSOCache\All Users\wininit.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2640

[11] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\F82V1kRox2.bat"
    PID: 2452

[12] C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 1424

[12] C:\MSOCache\All Users\wininit.exe
    Command line: "C:\MSOCache\All Users\wininit.exe"
    - Executes dropped EXE
    PID: 492

[13] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\x8TIUMdSeB.bat"
    PID: 1372

[14] C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 1144

[14] C:\MSOCache\All Users\wininit.exe
    Command line: "C:\MSOCache\All Users\wininit.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1592

[15] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9Z120WfzwF.bat"
    PID: 1700

[16] C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 2816

[16] C:\MSOCache\All Users\wininit.exe
    Command line: "C:\MSOCache\All Users\wininit.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2704

[17] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CSN9cxKiet.bat"
    PID: 2420

[18] C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 1728

[18] C:\MSOCache\All Users\wininit.exe
    Command line: "C:\MSOCache\All Users\wininit.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1836

[19] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BfyeXCadxk.bat"
    PID: 2112

[20] C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 916

[20] C:\MSOCache\All Users\wininit.exe
    Command line: "C:\MSOCache\All Users\wininit.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2724

[21] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\b3FUfZROOv.bat"
    PID: 1996

[22] C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 2156

[22] C:\MSOCache\All Users\wininit.exe
    Command line: "C:\MSOCache\All Users\wininit.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1760
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\sppsvc.exe'" /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2780

[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\sppsvc.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2856

[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\sppsvc.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 3040

[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\lsm.exe'" /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2712

[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\lsm.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2836

[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\lsm.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2696

[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Downloads\conhost.exe'" /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2524

[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Default\Downloads\conhost.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2492

[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Downloads\conhost.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2508

[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Windows\assembly\audiodg.exe'" /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2980

[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\assembly\audiodg.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 1612

[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Windows\assembly\audiodg.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 1432

[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\wininit.exe'" /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 752

[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\wininit.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2764

[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\wininit.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 1956

[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\conhost.exe'" /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 1028

[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\conhost.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 1952

[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\conhost.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 820

[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\DllCommonsvc.exe'" /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 1140

[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Users\Admin\DllCommonsvc.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 1740

[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\DllCommonsvc.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 3044

[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\wininit.exe'" /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 3048

[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\wininit.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2260

[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\wininit.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2632

[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\providercommon\System.exe'" /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2760

[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 1876

[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 580
Network
MITRE ATT&CK Enterprise v15
Downloads