Analysis
- max time kernel: 146s
- max time network: 147s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 30/12/2024, 01:51
Behavioral task: behavioral1
- Sample: JaffaCakes118_a57979937859ed51e4b90d5d623243ee619134124481ce57321a6b760e582e10.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: JaffaCakes118_a57979937859ed51e4b90d5d623243ee619134124481ce57321a6b760e582e10.exe
- Resource: win10v2004-20241007-en
General
- Target: JaffaCakes118_a57979937859ed51e4b90d5d623243ee619134124481ce57321a6b760e582e10.exe
- Size: 1.3MB
- MD5: 0c72fb6062bd555fc88a168424e9d38e
- SHA1: dfbedfa323934c94e829f8a3f91b8bf8213c05fd
- SHA256: a57979937859ed51e4b90d5d623243ee619134124481ce57321a6b760e582e10
- SHA512: 2f53f03359c9a8f7a157e7fd0c56deeeb19cedbccbbb1e1165f2b591680c8ee9269f86fc94d95f834a7791454b973335ab2c966bfe86b8794875e335b4a383ce
- SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal RAT (DCRat) is a .NET remote access trojan, active since June 2019, that can load additional plugins at runtime.
-
Dcrat family
-
Process spawned unexpected child process 18 IoCs
This typically indicates the parent process was compromised via an exploit or macro. In this run the parent is the real WMI provider host, C:\Windows\system32\wbem\wmiprvse.exe (PID 2820), which does not appear in the process tree below. Processes started through WMI (Win32_Process.Create) show WmiPrvSE.exe as their parent, so the 18 schtasks.exe invocations are consistent with the malware creating its scheduled tasks through WMI rather than with an exploit of wmiprvse itself; either way the real parent lineage is lost and has to be recovered from timing or from the task targets.
description: Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
Process: schtasks.exe; pid_target: 2820; procid_target: 35
pid (18 schtasks.exe children): 2852, 1992, 2576, 2548, 2652, 2984, 1720, 888, 1516, 2064, 2848, 776, 1652, 2828, 2020, 2600, 264, 1912
resource / yara_rule (every match is rule dcrat):
- behavioral1/files/0x0008000000016d36-9.dat
- behavioral1/memory/2660-13-0x0000000001060000-0x0000000001170000-memory.dmp
- behavioral1/memory/2500-36-0x0000000000D60000-0x0000000000E70000-memory.dmp
- behavioral1/memory/1724-132-0x00000000002A0000-0x00000000003B0000-memory.dmp
- behavioral1/memory/2956-192-0x0000000000090000-0x00000000001A0000-memory.dmp
- behavioral1/memory/2880-252-0x0000000000E30000-0x0000000000F40000-memory.dmp
- behavioral1/memory/1992-313-0x00000000013C0000-0x00000000014D0000-memory.dmp
- behavioral1/memory/800-668-0x0000000000020000-0x0000000000130000-memory.dmp
The memory matches cover PID 2660 (DllCommonsvc.exe) and the WmiPrvSE.exe copies; each region is 0x110000 bytes, consistent with the same image being relaunched under the borrowed name.
Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs
PowerShell was run to add Windows Defender path exclusions (Add-MpPreference -ExclusionPath) for the dropped binaries; the seven command lines are shown in the process tree below. The exclusion list is a second source of IoCs: it names C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\taskhost.exe, C:\providercommon\WmiPrvSE.exe and C:\Users\Admin\NetHood\wininit.exe, which the "Drops file" signatures (limited to Program Files and the Windows directory) do not cover.
pid / Process (all powershell.exe): 2864, 2856, 1996, 2092, 1404, 1780, 1604
Executes dropped EXE 12 IoCs
pid / Process: 2660 DllCommonsvc.exe; 2500, 1724, 2956, 2880, 1992, 2592, 2140, 2668, 2964, 1784, 800 WmiPrvSE.exe
The WmiPrvSE.exe listed here is the dropped C:\providercommon\WmiPrvSE.exe, not the WMI provider host in C:\Windows\system32\wbem; the name is borrowed to blend into a process listing.
Loads dropped DLL 2 IoCs
pid / Process: 1808 cmd.exe (two load events)
Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs
flow / ioc: flows 4, 5, 9, 12, 15, 18, 22, 25, 29, 32, 36, 39, all to raw.githubusercontent.com
Drops file in Program Files directory 4 IoCs
description / ioc / Process (all created by DllCommonsvc.exe):
- File created C:\Program Files\Java\jre7\Idle.exe
- File created C:\Program Files\Java\jre7\6ccacd8608530f
- File created C:\Program Files\Reference Assemblies\audiodg.exe
- File created C:\Program Files\Reference Assemblies\42af1c969fbb7b
Drops file in Windows directory 2 IoCs
description / ioc / Process (all created by DllCommonsvc.exe):
- File created C:\Windows\addins\services.exe
- File created C:\Windows\addins\c5b4cb5e9653cc
Each executable is accompanied by a small file with a 14-character hex name in the same directory; those companion files are as useful for hunting as the executables themselves.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of the victim in order to infer the geographical location of the host.
description / ioc / Process:
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by JaffaCakes118_a57979937859ed51e4b90d5d623243ee619134124481ce57321a6b760e582e10.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by WScript.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by cmd.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution. Here there are 18 schtasks /create invocations, three per dropped binary; the full command lines are at the end of the process tree.
pid / Process (all schtasks.exe): 2576, 2548, 2652, 2064, 2828, 2852, 1992, 2984, 1912, 1516, 776, 1652, 264, 1720, 888, 2848, 2020, 2600
Suspicious behavior: EnumeratesProcesses 19 IoCs
pid / Process: 2660 DllCommonsvc.exe; 1996, 2864, 1404, 2092, 1780, 2856, 1604 powershell.exe; 2500, 1724, 2956, 2880, 1992, 2592, 2140, 2668, 2964, 1784, 800 WmiPrvSE.exe
Suspicious use of AdjustPrivilegeToken 19 IoCs
description / pid / Process (Token: SeDebugPrivilege in every case): 2660 DllCommonsvc.exe; 1996, 2864, 1404, 2092, 1780, 2856, 1604 powershell.exe; 2500, 1724, 2956, 2880, 1992, 2592, 2140, 2668, 2964, 1784, 800 WmiPrvSE.exe
Suspicious use of WriteProcessMemory 64 IoCs
In every entry the target is a child the writer had just created, so the list mirrors the process tree. Writes into a freshly created child are part of normal process start-up; this signature is not, on its own, evidence of injection into an unrelated process. Repeated identical lines are separate write events.
description / pid / Process / procid_target:
- PID 2016 (JaffaCakes118_a57979937859ed51e4b90d5d623243ee619134124481ce57321a6b760e582e10.exe) wrote to memory of 2316 (procid 31), 4 events
- PID 2316 (WScript.exe) wrote to memory of 1808 (procid 32), 4 events
- PID 1808 (cmd.exe) wrote to memory of 2660 (procid 34), 4 events
- PID 2660 (DllCommonsvc.exe) wrote to memory of 2864 (procid 54), 1604 (55), 1780 (56), 1404 (57), 2856 (58), 2092 (59), 1996 (61) and 2500 (68), 3 events each
- PID 2500 (WmiPrvSE.exe) wrote to memory of 2980 (procid 69), 3 events
- PID 2980 (cmd.exe) wrote to memory of 2288 (procid 71) and 1724 (72), 3 events each
- PID 1724 (WmiPrvSE.exe) wrote to memory of 2112 (procid 73), 3 events
- PID 2112 (cmd.exe) wrote to memory of 1852 (procid 75) and 2956 (76), 3 events each
- PID 2956 (WmiPrvSE.exe) wrote to memory of 2056 (procid 77), 3 events
- PID 2056 (cmd.exe) wrote to memory of 1092 (procid 79) and 2880 (80), 3 events each
- PID 2880 (WmiPrvSE.exe) wrote to memory of 2540 (procid 81), 1 event
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
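The signatures above and the process tree below leave three things for an analyst to untangle by hand: the dropped WmiPrvSE.exe borrows a Windows binary name, the schtasks processes hang off the real WMI host instead of the dropper, and several PIDs are reused within the trace. The Python below is an added example, not part of the sandbox output, that runs those checks over process records transcribed from this report. The record list is a subset of the run (PID 2820 is known only as a parent from the signature table), and the WINDOWS_BINARIES set and function names are this example's own choices.

```python
import ntpath
from collections import defaultdict

# Added example (not part of the sandbox output). Records are
# (pid, parent pid, image path) transcribed from the process tree and the
# "Process spawned unexpected child process" table in this report; they are
# a subset of the run, and PID 2820 is known only as a parent from that table.
PROCESSES = [
    (2016, None, r"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a57979937859ed51e4b90d5d623243ee619134124481ce57321a6b760e582e10.exe"),
    (2316, 2016, r"C:\Windows\SysWOW64\WScript.exe"),
    (1808, 2316, r"C:\Windows\SysWOW64\cmd.exe"),
    (2660, 1808, r"C:\providercommon\DllCommonsvc.exe"),
    (2864, 2660, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    (1996, 2660, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    (2092, 2660, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    (2500, 2660, r"C:\providercommon\WmiPrvSE.exe"),
    (2980, 2500, r"C:\Windows\System32\cmd.exe"),
    (2288, 2980, r"C:\Windows\system32\w32tm.exe"),
    (1724, 2980, r"C:\providercommon\WmiPrvSE.exe"),
    (2112, 1724, r"C:\Windows\System32\cmd.exe"),
    (2956, 2112, r"C:\providercommon\WmiPrvSE.exe"),
    (2056, 2956, r"C:\Windows\System32\cmd.exe"),
    (2880, 2056, r"C:\providercommon\WmiPrvSE.exe"),
    (2540, 2880, r"C:\Windows\System32\cmd.exe"),
    (2668, 2540, r"C:\Windows\system32\w32tm.exe"),
    (1992, 2540, r"C:\providercommon\WmiPrvSE.exe"),
    (936, 1992, r"C:\Windows\System32\cmd.exe"),
    (2592, 936, r"C:\providercommon\WmiPrvSE.exe"),
    (2092, 2592, r"C:\Windows\System32\cmd.exe"),
    (2140, 2092, r"C:\providercommon\WmiPrvSE.exe"),
    (3060, 2140, r"C:\Windows\System32\cmd.exe"),
    (1996, 3060, r"C:\Windows\system32\w32tm.exe"),
    (2668, 3060, r"C:\providercommon\WmiPrvSE.exe"),
    (2820, None, r"C:\Windows\system32\wbem\wmiprvse.exe"),
    (2852, 2820, r"C:\Windows\system32\schtasks.exe"),
    (1992, 2820, r"C:\Windows\system32\schtasks.exe"),
]

SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
# Names of genuine Windows binaries that this sample's dropped copies borrow
# (this example's own list; extend it for other masquerade names).
WINDOWS_BINARIES = {"wmiprvse.exe", "taskhost.exe", "audiodg.exe", "services.exe", "wininit.exe"}
REAL_WMI_HOST = r"c:\windows\system32\wbem\wmiprvse.exe"


def is_masquerade(image):
    """True when a Windows binary name runs from outside System32/SysWOW64."""
    low = image.lower()
    if ntpath.basename(low) not in WINDOWS_BINARIES:
        return False
    directory = ntpath.dirname(low)
    return not any(directory == d or directory.startswith(d + "\\") for d in SYSTEM_DIRS)


def analyze(procs):
    """Flag masquerading images, children of the real WMI host, and PID reuse."""
    images_by_pid = defaultdict(set)
    for pid, _, image in procs:
        images_by_pid[pid].add(image.lower())

    findings = {"masquerade": [], "wmiprvse_children": [], "ambiguous_parent": []}
    for pid, ppid, image in procs:
        if is_masquerade(image):
            findings["masquerade"].append((pid, image))
        if ppid is None:
            continue
        parents = images_by_pid.get(ppid, set())
        if len(parents) > 1:
            # Two images used this PID during the run; a PID join cannot say which
            # was the parent. Correlate on start time or a process GUID instead.
            findings["ambiguous_parent"].append((pid, ppid))
        if REAL_WMI_HOST in parents:
            # Anything started via WMI (Win32_Process.Create) gets WmiPrvSE.exe
            # as its parent, which is how the schtasks calls lose their real lineage.
            findings["wmiprvse_children"].append((pid, ntpath.basename(image).lower()))
    findings["pid_reuse"] = {pid: sorted(imgs) for pid, imgs in images_by_pid.items() if len(imgs) > 1}
    return findings


if __name__ == "__main__":
    for key, value in analyze(PROCESSES).items():
        print(key, value)
```

On this trace the masquerade check flags every C:\providercommon\WmiPrvSE.exe instance and nothing under System32; the WMI-host check returns only the two schtasks.exe children of PID 2820; and PIDs 1992, 1996, 2092 and 2668 each carry two different images, which is why the parent of cmd.exe 936 and of WmiPrvSE.exe 2140 cannot be resolved from PIDs alone.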
Processes
[depth 1] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a57979937859ed51e4b90d5d623243ee619134124481ce57321a6b760e582e10.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a57979937859ed51e4b90d5d623243ee619134124481ce57321a6b760e582e10.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2016
[depth 2] C:\Windows\SysWOW64\WScript.exe
  command line: "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  (the System32 path in the command line resolves to SysWOW64 through WOW64 file-system redirection, so the calling process is 32-bit)
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2316
[depth 3] C:\Windows\SysWOW64\cmd.exe
  command line: cmd /c ""C:\providercommon\1zu9dW.bat" "
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 1808
[depth 4] C:\providercommon\DllCommonsvc.exe
  command line: "C:\providercommon\DllCommonsvc.exe"
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2660
[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2864
[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\taskhost.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1604
[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\WmiPrvSE.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1780
[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\audiodg.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1404
[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\addins\services.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2856
[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\jre7\Idle.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2092
[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\NetHood\wininit.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1996
[depth 5] C:\providercommon\WmiPrvSE.exe
  command line: "C:\providercommon\WmiPrvSE.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2500
From here the tree repeats one unit eleven times: a WmiPrvSE.exe copy runs a temporary .bat from %TEMP%, the batch runs w32tm /stripchart against localhost for two samples (which takes a few seconds and serves as a delay) and then starts a fresh copy of WmiPrvSE.exe.
[depth 6] C:\Windows\System32\cmd.exe
  command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XIXHPi7vyc.bat"
  - Suspicious use of WriteProcessMemory
  PID: 2980
[depth 7] C:\Windows\system32\w32tm.exe
  command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2288
[depth 7] C:\providercommon\WmiPrvSE.exe
  command line: "C:\providercommon\WmiPrvSE.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1724
[depth 8] C:\Windows\System32\cmd.exe
  command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UMVEid32eq.bat"
  - Suspicious use of WriteProcessMemory
  PID: 2112
[depth 9] C:\Windows\system32\w32tm.exe
  command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 1852
[depth 9] C:\providercommon\WmiPrvSE.exe
  command line: "C:\providercommon\WmiPrvSE.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2956
[depth 10] C:\Windows\System32\cmd.exe
  command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EVfp7xrD4G.bat"
  - Suspicious use of WriteProcessMemory
  PID: 2056
[depth 11] C:\Windows\system32\w32tm.exe
  command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 1092
[depth 11] C:\providercommon\WmiPrvSE.exe
  command line: "C:\providercommon\WmiPrvSE.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2880
[depth 12] C:\Windows\System32\cmd.exe
  command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\da4noHdFs8.bat"
  PID: 2540
[depth 13] C:\Windows\system32\w32tm.exe
  command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2668
[depth 13] C:\providercommon\WmiPrvSE.exe
  command line: "C:\providercommon\WmiPrvSE.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1992
[depth 14] C:\Windows\System32\cmd.exe
  command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gN51JOWfNX.bat"
  PID: 936
[depth 15] C:\Windows\system32\w32tm.exe
  command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 612
[depth 15] C:\providercommon\WmiPrvSE.exe
  command line: "C:\providercommon\WmiPrvSE.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2592
[depth 16] C:\Windows\System32\cmd.exe
  command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OvjOVLkpjd.bat"
  PID: 2092
[depth 17] C:\Windows\system32\w32tm.exe
  command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2132
[depth 17] C:\providercommon\WmiPrvSE.exe
  command line: "C:\providercommon\WmiPrvSE.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2140
[depth 18] C:\Windows\System32\cmd.exe
  command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MXvuXcjR4o.bat"
  PID: 3060
[depth 19] C:\Windows\system32\w32tm.exe
  command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 1996
[depth 19] C:\providercommon\WmiPrvSE.exe
  command line: "C:\providercommon\WmiPrvSE.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2668
[depth 20] C:\Windows\System32\cmd.exe
  command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qqpXlQnQd1.bat"
  PID: 2192
[depth 21] C:\Windows\system32\w32tm.exe
  command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2700
[depth 21] C:\providercommon\WmiPrvSE.exe
  command line: "C:\providercommon\WmiPrvSE.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2964
[depth 22] C:\Windows\System32\cmd.exe
  command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\F82V1kRox2.bat"
  PID: 1356
[depth 23] C:\Windows\system32\w32tm.exe
  command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2340
[depth 23] C:\providercommon\WmiPrvSE.exe
  command line: "C:\providercommon\WmiPrvSE.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1784
[depth 24] C:\Windows\System32\cmd.exe
  command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uVUt9EuWwA.bat"
  PID: 1956
[depth 25] C:\Windows\system32\w32tm.exe
  command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2128
[depth 25] C:\providercommon\WmiPrvSE.exe
  command line: "C:\providercommon\WmiPrvSE.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 800
[depth 26] C:\Windows\System32\cmd.exe
  command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\U1yQEvZAPO.bat"
  PID: 1508
[depth 27] C:\Windows\system32\w32tm.exe
  command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 1632
The following 18 schtasks.exe processes have no parent in the tree; the sandbox attributes them to wmiprvse.exe PID 2820 (see "Process spawned unexpected child process"). Each dropped binary receives three tasks: a MINUTE task without /rl, an ONLOGON task with /rl HIGHEST, and a second MINUTE task with /rl HIGHEST that reuses the first task's name and, because of /f, replaces it.
[depth 1] C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\taskhost.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2852
[depth 1] C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\taskhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1992
[depth 1] C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\taskhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2576
[depth 1] C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\providercommon\WmiPrvSE.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2548
[depth 1] C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2652
[depth 1] C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2984
[depth 1] C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Program Files\Reference Assemblies\audiodg.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1720
[depth 1] C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\audiodg.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 888
[depth 1] C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Program Files\Reference Assemblies\audiodg.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1516
[depth 1] C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Windows\addins\services.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2848
[depth 1] C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\addins\services.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2064
[depth 1] C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Windows\addins\services.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 776
[depth 1] C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Program Files\Java\jre7\Idle.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1652
[depth 1] C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Java\jre7\Idle.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2828
[depth 1] C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Program Files\Java\jre7\Idle.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2020
[depth 1] C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\NetHood\wininit.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2600
[depth 1] C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Admin\NetHood\wininit.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 264
[depth 1] C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\NetHood\wininit.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1912
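The 18 task-creation and 7 Defender-exclusion command lines in the process tree are the sample's persistence and defence-evasion configuration in full. The Python below is an added example, not part of the sandbox output, that parses those command lines into an inventory per dropped binary and cross-checks it against the exclusions. The command lines are copied from this report; the helpers, field names and the summary layout are this example's own, and the overwrite rule it applies (a later /create with the same /tn and /f replaces the earlier task) is schtasks' documented behaviour.

```python
import re
from collections import defaultdict

# Added example (not part of the sandbox output). The command lines are the
# 18 schtasks /create and 7 Add-MpPreference invocations shown in this report;
# the parsing and cross-referencing helpers are this example's own.
SCHTASKS_CMDLINES = r'''
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\taskhost.exe'" /f
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\taskhost.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\taskhost.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\providercommon\WmiPrvSE.exe'" /f
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Program Files\Reference Assemblies\audiodg.exe'" /f
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\audiodg.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Program Files\Reference Assemblies\audiodg.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Windows\addins\services.exe'" /f
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\addins\services.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Windows\addins\services.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Program Files\Java\jre7\Idle.exe'" /f
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Java\jre7\Idle.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Program Files\Java\jre7\Idle.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\NetHood\wininit.exe'" /f
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Admin\NetHood\wininit.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\NetHood\wininit.exe'" /rl HIGHEST /f
'''.strip().splitlines()

EXCLUSION_CMDLINES = r'''
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\taskhost.exe'
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\WmiPrvSE.exe'
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\audiodg.exe'
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\addins\services.exe'
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\jre7\Idle.exe'
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\NetHood\wininit.exe'
'''.strip().splitlines()

_FIELDS = {
    "name": re.compile(r'/tn\s+"([^"]+)"', re.I),
    "schedule": re.compile(r'/sc\s+(\w+)', re.I),
    "modifier": re.compile(r'/mo\s+(\d+)', re.I),
    "target": re.compile(r'''/tr\s+"'?([^"']+)'?"''', re.I),
    "runlevel": re.compile(r'/rl\s+(\w+)', re.I),
}
_EXCLUSION = re.compile(r"-ExclusionPath\s+'([^']+)'", re.I)


def parse_schtasks(cmdline):
    """Extract the persistence-relevant fields of a schtasks /create command line."""
    task = {}
    for field, rx in _FIELDS.items():
        m = rx.search(cmdline)
        task[field] = m.group(1) if m else None
    task["modifier"] = int(task["modifier"]) if task["modifier"] else None
    task["runlevel"] = task["runlevel"] or "LIMITED"      # schtasks default when /rl is absent
    task["force"] = re.search(r"\s/f\b", cmdline, re.I) is not None
    return task


def parse_exclusion(cmdline):
    m = _EXCLUSION.search(cmdline)
    return m.group(1) if m else None


def build_inventory(schtasks_cmdlines, exclusion_cmdlines):
    """Group tasks by target binary and cross-reference the Defender exclusions.

    /f makes a later /create with the same /tn replace the earlier task, so
    'effective' keeps only the last definition seen for each task name."""
    inv = defaultdict(lambda: {"creates": [], "effective": {}, "defender_excluded": False})
    for line in schtasks_cmdlines:
        task = parse_schtasks(line)
        entry = inv[task["target"]]
        entry["creates"].append(task)
        entry["effective"][task["name"]] = task
    for line in exclusion_cmdlines:
        path = parse_exclusion(line)
        if path:
            inv[path]["defender_excluded"] = True
    return dict(inv)


def summarize(inventory):
    """One row per binary: what survives in the scheduler and whether Defender ignores it."""
    rows = []
    for target, entry in sorted(inventory.items()):
        surviving = sorted(entry["effective"].values(), key=lambda t: t["name"])
        rows.append({
            "target": target,
            "creates": len(entry["creates"]),
            "surviving": [(t["name"], t["schedule"], t["modifier"], t["runlevel"]) for t in surviving],
            "runs_elevated_on_logon": any(t["schedule"] == "ONLOGON" and t["runlevel"] == "HIGHEST"
                                          for t in surviving),
            "defender_excluded": entry["defender_excluded"],
        })
    return rows


if __name__ == "__main__":
    for row in summarize(build_inventory(SCHTASKS_CMDLINES, EXCLUSION_CMDLINES)):
        print(row)
```

Running it shows six persisted binaries, each with exactly two surviving tasks (an elevated ONLOGON task and one elevated MINUTE task, the unelevated MINUTE task having been overwritten), every one of them also excluded from Defender scanning; the dropper C:\providercommon\DllCommonsvc.exe is excluded but has no task, so on a live host it should be hunted by path rather than through the scheduler.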
Network
MITRE ATT&CK Enterprise v15
Downloads
The same CryptnetUrlCache metadata file was captured ten times with different contents:
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 88a132cc269b91d13727e5121ce57c86
  SHA1: 65c97604f629f96c3b859336bbb8fb5a658f7313
  SHA256: 34b5f17143f4b42edb906ecae5ee98ac288bd423ad8af2b165a6aa341b496078
  SHA512: 11e683f993a5155f310770fadc53bc53524fb7edf1f63f07e5a6644484fa22d5ec4c1c1a8fa5ed0537c3e65c72e1e95ef88bc5c9a703accea89fd82eb35abda4
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: cbc29ad46499e10a781a950c8c2e809b
  SHA1: c818fc8f699b09d211339d3b347d1428656958e9
  SHA256: 8734b7b23baeba09a16bd9c9565576462fd2b86a38f192e9977885a700636603
  SHA512: 1670d61944952822ffefecbadcc132301cff4e3287724341217504e938753d311722c09d8e0d3fca5ba0853d967db5c3565c11902cdac269beed40dbededf7da
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 1a6542c2099438f4fb28744594f79d4b
  SHA1: 522891d834f1c719d128cc1b06abd2b54a846b29
  SHA256: 8c7ca7ecd89fe53de3d4633d1a1870bac08cbd114a197b1003f2126bcfb87934
  SHA512: d38a5bf26bde9d67106bb4903913b36c066bf039dcbb93c19788e81a4e83293ae15ca8a3dda0b60f4d0f2a4b1a477cffec990678d7afb83e7aedc3c2899873fd
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: b566743ba8dd492e5d96c21a06b19f5a
  SHA1: 08b1abf1f3f0024607f9534a352be278045ea7f6
  SHA256: 6c88c01aae24744872f8f2a9f8987dc3c22ec17b8508caf71947158442eaf076
  SHA512: 9cc06b1ae0e3a34667951cc545b2141fc549b5518de49abd2bb81856256b46b2a1adb6a0274cc28420c991a9bff9879b46764a1932893addc909b5556c5ee1a8
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 28974d45c471083a211463abc263ec00
  SHA1: 843a8af682580b4eef5d17f16cce6d0b4323e7be
  SHA256: ec2e407eb2d1d72ab59568b6e71a265468b0f8cb8d56b399fd6b2cf0860f6275
  SHA512: c5ff75d60f8066925fea551be2908fd949a33e045e5103d3864161946ec4b7a53cdb687054e71e3388ae0de60c340499437987e6517db9ce4d1881a8d8b5be5b
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 2cd201de0ebf708d3f9650705350eea0
  SHA1: 669c5f4c1e68b053f0690e3b48ad89a04e28a0a0
  SHA256: 497f29a296f840056a827480ca2e20fbfa3d5015c7f50add60e919142d4243ac
  SHA512: c885ab2e1269c00483785fcc432e5790bfcacf30b590b2d86038d524f13743b745cc9b1e1e0113dfa4aa0ee4e3fe3ca4d2b7c9efcca2b8ba76187b1da359c5d6
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 112ecfa9715c54530ed22710d3c58a0e
  SHA1: dc5022c59a36c9afa46830034b2a78f1cc153900
  SHA256: 942b23d8fe4ff0768f567459831c85f32e183a5392e8514c985e7dffe7197156
  SHA512: efd2c496b1a956ded8fb8313f92cc1ad90f8921970807a007d986c4f553a45ad8b10c357e814cede6397807127e538d5ca3de507d4ddba4c060f95e79a61ab30
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: d2ad47008b6041373e7c7a2598ccc557
  SHA1: 043ed616c3e7298048b9b3aca706de38e9aceafd
  SHA256: 3d8b9b2c75be7156e7025ef6a37e495833e3494c7002da3dd19f8001ea1b51ef
  SHA512: ceaacdef535865db0c831779603d598851c4344d87bc6388fe7f021775e389d0f5bb2f097ff21b577b10ea901540818479cc817e19346e66a0726d0f0062f857
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 5a33adb65e91372675eaf3b2f52d7b77
  SHA1: 98030702b9942d7d46be0f917ca96c3ee1a19f86
  SHA256: 90f9178f7f5a6875cf579381b2e1af0bc688ba6a71542f423681ddb570fb610c
  SHA512: 606291bcf5df6906b82fa9aa8a11d3ebfc2e78d45dbb9dd426abe17b6a7c4b39a4561f2e8217f6f943bfea1e3c6e821d62c5a6bdffc74a808690c79add7a9f16
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: dc812d14feba4e9cee24e8e768b55ee5
  SHA1: a3315bd85d32dd908e660d4503abea362d809897
  SHA256: 6f5533da5cded92b52321ebe4565cf6e526f11580ba01e06063962e086c7ae54
  SHA512: 662734b36b43c500a9a768bbafa1bec8ac6cabc630e0be5fcac73b6e6ab73b72da9442ba01807ed48ae08fe76d693182252da9b4bb3f76a4ae54bb3c66a8e40b
The remaining downloads are listed without a path in this report:
- Filesize: 70KB
  MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
  SHA1: 1723be06719828dda65ad804298d0431f6aff976
  SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
  SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
- Filesize: 195B
  MD5: fc049c599b2b275e8cfa006b6a7cb762
  SHA1: 87727f6a2378770654f5bf1fe6b2357fea5d3250
  SHA256: 5a5cbbe520ced9d61bc102787218b253356ca1b5c034a58c6e1ad6c8ce8732b6
  SHA512: f84901b8785fb5787215e8372fe6d25aa5d5e5dbd414a0cf144e4651937135ff8b811a456c901e3668cbba75377fc081a25cb9776fdca5755b1936b2630f1401
- Filesize: 195B
  MD5: c92d5e628b3296b79008bcde943137b3
  SHA1: 8654528fed7548a18907a111e9cef1ee43baf82e
  SHA256: a9f49ad375b177db714dbea3589a7b246aad4552c3ad9e7b748db6803ffaa68b
  SHA512: f007537e098cbe4668761f25181a85d491b1557e890a0dfd44bbfa52af0fe13696ca74df850636943c38452020f5cd08bde63837dfca1f4ea0d705acfc304543
- Filesize: 195B
  MD5: e65df733917177742be472a3ac3a2825
  SHA1: 1bc7c6c5a8b75785c859513288da67de6cb05f02
  SHA256: 72e575db9518b21e758854cd755a6ae3936bb5a9e9ee52c14d5aa79ac9739fec
  SHA512: bc56ac6a4e73495d6464c1d3e3427d012357010d616307b4d5e50012717e13f35d552340847d829e6025b0bd3f3f19998a18d3599b2ea353cb050e2bd8d13cff
- Filesize: 195B
  MD5: 527f51fa41b615541a954d3709c4c9eb
  SHA1: 8320b49784036787d309c9f551948d054a2de721
  SHA256: 775abbd522ccf0aa7e260aae6eb202a0f1f9890cdef44d00f3e5bef63e61da39
  SHA512: af04a9c2e5b88f2bfdd95c6759a1e1a38ea428fa78b659c35918fa954a0a621252e811638f9d140690b7ac86f16400fba2b7f253f618840801ead4e5caee9a69
- Filesize: 181KB
  MD5: 4ea6026cf93ec6338144661bf1202cd1
  SHA1: a1dec9044f750ad887935a01430bf49322fbdcb7
  SHA256: 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
  SHA512: 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
- Filesize: 195B
  MD5: 01600015d6ab334e040be7e545c47932
  SHA1: 2b24ce3f7c464bf0f84584599519a0dc4e367a02
  SHA256: 8b353376fcc2175d743c8a40e44f4bc7756b65d2b285ef9c80ddd8e9b92f270b
  SHA512: 398641f1f9fb52ed1df4acdc1cc6e1e83495ea339a006bd86503d209d892b026b4500ab8015037e46e1cb4431e24d1f606b626b4d038ac47557ba8b004aef032
- Filesize: 195B
  MD5: 5eb42f3dacde8fe78adc8c39f40cb25e
  SHA1: 022bc0e688c513a3713e6466bfaa5e7c41911836
  SHA256: 311e09f53391ac08a89148c01a9c2cf4ebf2a08f53e70bf86e9f39c641443413
  SHA512: 02941988c2099901026afcdb4c81200906a104e55f63d1a432b07b0335327d8eeb754cd033b5bdda5618dffdfdf8a9b43cc9538839ad81469fa804eb209e86b5
- Filesize: 195B
  MD5: 5b4b677f885c959611c58272ebb8fc81
  SHA1: a4ee95da14984ca39d5a04a1e419a2678fff1f58
  SHA256: 05cfda4559a01de60165433b4709a8aafc04639d596c9dd160d16e5b15365281
  SHA512: 878e44c4fcf4e8230765775399071679fde4a87ca80cdd6ce2cf40d1e86c9751740a52f47fb4faf40b13aaa0e264ee7f39f3ccfe15a87cde4f4c96a96cf0abbd
- Filesize: 195B
  MD5: 64d3891f280dd0e881d16f25a5fe4fd2
  SHA1: 117d54e513f6a7d82099b1a3ae48d03f148b6ef4
  SHA256: 3fc228380b3ea8a5bfa854cac93869c5e8234fb5d383b7ed339a490f9977a0a2
  SHA512: 8f0b76a0ce379f4b5eec2d03b58af1e61fe3fafaede0d01e63733103194ab85d1a7d5137db9a0f555f000a7cc031bad83a971385957613d6417835316c63a71f
- Filesize: 195B
  MD5: 0da76fc34baccb5dcc8137d11dc11ebb
  SHA1: d6998b75b0e75d7374bbafaa0af2efcf2815f388
  SHA256: cb7c2c93d7a9d420803e2eeac407d66ea11eabae5e74e0c862688a0fde3e08ce
  SHA512: 9ecaf923396f0acca89e78a6703d53fe392673382b55814e0a783a3a8e2d1ca2515a01e31cffdecdc5999e931a36f2f215f71c8bdaea5888089c09074baff4e1
- Filesize: 195B
  MD5: 029d9c5520643722795c857f65326e07
  SHA1: eeb4bf838a7701c29f406ecd00e732101f880926
  SHA256: 16658b0cd52dc57c9baf09cbd7acb6674fc5a494f867bbef899b99559244a0d9
  SHA512: 197c5790290b423f340609cc2b03872d2a41dc3d11fc9cb76d48ec10753958201fdac517c2568510e47981e45fc2e754d0ebb8f7154fafaa975f271132ee86b9
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: adbf33fe427a383e095d64cc2afc520a
  SHA1: 77d37cb3c9c84ae164cbbceae6874211b1d2c4b8
  SHA256: 812dd08fc266cd37184fe5c9e8ac432a30ae26f9775456a7b997e8083fedae3d
  SHA512: f054592cc2a3a2c17f7bada8470bcf24eb69735156567b33c755ea5d65c779c40bdf1711cf5fc3743f6bda474f05c6db0cc504c35b19f5d570bd5807a7cd9e4d
- Filesize: 36B
  MD5: 6783c3ee07c7d151ceac57f1f9c8bed7
  SHA1: 17468f98f95bf504cc1f83c49e49a78526b3ea03
  SHA256: 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
  SHA512: c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8
- Filesize: 197B
  MD5: 8088241160261560a02c84025d107592
  SHA1: 083121f7027557570994c9fc211df61730455bb5
  SHA256: 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
  SHA512: 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478
- Filesize: 1.0MB
  MD5: bd31e94b4143c4ce49c17d3af46bcad0
  SHA1: f8c51ff3ff909531d9469d4ba1bbabae101853ff
  SHA256: b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
  SHA512: f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394