Analysis
max time kernel: 145s
max time network: 146s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 30/12/2024, 02:27
Behavioral task: behavioral1
Sample: JaffaCakes118_dfdf6f6fe3208ab1f52c73fbc2809645827ed959af4dc4f7dc100f3049fbe5d6.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: JaffaCakes118_dfdf6f6fe3208ab1f52c73fbc2809645827ed959af4dc4f7dc100f3049fbe5d6.exe
Resource: win10v2004-20241007-en
General
Target: JaffaCakes118_dfdf6f6fe3208ab1f52c73fbc2809645827ed959af4dc4f7dc100f3049fbe5d6.exe
Size: 1.3MB
MD5: 018f92a5baa5d79bb7b455ddd487acec
SHA1: 9e3d85e76fdc4c84b8c9df5f8974f5bf40e7f1bc
SHA256: dfdf6f6fe3208ab1f52c73fbc2809645827ed959af4dc4f7dc100f3049fbe5d6
SHA512: b8a407d0ebb6dcf8250a86f38de08d73159c12548fc372325718e0361e8a41546be4f8d1139eedc45ce0ac3299a7196839e54c1e5ab571d906e795405f7db9da
SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process (12 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
description (all 12 rows): Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
pid | pid_target | Process | procid_target
1956 | 2604 | schtasks.exe | 34
2336 | 2604 | schtasks.exe | 34
2272 | 2604 | schtasks.exe | 34
2884 | 2604 | schtasks.exe | 34
1744 | 2604 | schtasks.exe | 34
2256 | 2604 | schtasks.exe | 34
2312 | 2604 | schtasks.exe | 34
1448 | 2604 | schtasks.exe | 34
2940 | 2604 | schtasks.exe | 34
1988 | 2604 | schtasks.exe | 34
1972 | 2604 | schtasks.exe | 34
2912 | 2604 | schtasks.exe | 34
-
resource | yara_rule
behavioral1/files/0x0008000000016307-9.dat | dcrat
behavioral1/memory/2264-13-0x00000000009C0000-0x0000000000AD0000-memory.dmp | dcrat
behavioral1/memory/2900-32-0x0000000001300000-0x0000000001410000-memory.dmp | dcrat
behavioral1/memory/2228-295-0x0000000000090000-0x00000000001A0000-memory.dmp | dcrat
behavioral1/memory/2696-355-0x00000000010E0000-0x00000000011F0000-memory.dmp | dcrat
behavioral1/memory/288-416-0x00000000002C0000-0x00000000003D0000-memory.dmp | dcrat
behavioral1/memory/2364-476-0x00000000010C0000-0x00000000011D0000-memory.dmp | dcrat
behavioral1/memory/1268-595-0x0000000001370000-0x0000000001480000-memory.dmp | dcrat
behavioral1/memory/2868-655-0x0000000000390000-0x00000000004A0000-memory.dmp | dcrat
-
Command and Scripting Interpreter: PowerShell (1 TTPs, 5 IoCs)
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
pid | Process
2664 | powershell.exe
660 | powershell.exe
1776 | powershell.exe
2368 | powershell.exe
2124 | powershell.exe
-
Executes dropped EXE (12 IoCs)
pid | Process
2264 | DllCommonsvc.exe
2900 | csrss.exe
2208 | csrss.exe
2268 | csrss.exe
2424 | csrss.exe
2228 | csrss.exe
2696 | csrss.exe
288 | csrss.exe
2364 | csrss.exe
2080 | csrss.exe
1268 | csrss.exe
2868 | csrss.exe
-
Loads dropped DLL (2 IoCs)
pid | Process
2992 | cmd.exe
2992 | cmd.exe
-
Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 12 IoCs)
flow | ioc
16 | raw.githubusercontent.com
19 | raw.githubusercontent.com
33 | raw.githubusercontent.com
36 | raw.githubusercontent.com
38 | raw.githubusercontent.com
13 | raw.githubusercontent.com
5 | raw.githubusercontent.com
9 | raw.githubusercontent.com
22 | raw.githubusercontent.com
26 | raw.githubusercontent.com
29 | raw.githubusercontent.com
4 | raw.githubusercontent.com
-
Drops file in Program Files directory (7 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files\Google\Chrome\WmiPrvSE.exe | DllCommonsvc.exe
File created | C:\Program Files\Google\Chrome\24dbde2999530e | DllCommonsvc.exe
File created | C:\Program Files (x86)\Mozilla Maintenance Service\logs\explorer.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\Mozilla Maintenance Service\logs\7a0fd90576e088 | DllCommonsvc.exe
File created | C:\Program Files\MSBuild\Microsoft\csrss.exe | DllCommonsvc.exe
File created | C:\Program Files\MSBuild\Microsoft\886983d96e3d3e | DllCommonsvc.exe
File created | C:\Program Files\Google\Chrome\WmiPrvSE.exe | DllCommonsvc.exe
-
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_dfdf6f6fe3208ab1f52c73fbc2809645827ed959af4dc4f7dc100f3049fbe5d6.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
-
Scheduled Task/Job: Scheduled Task (1 TTPs, 12 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
2884 | schtasks.exe
1744 | schtasks.exe
2312 | schtasks.exe
1448 | schtasks.exe
1988 | schtasks.exe
1972 | schtasks.exe
2912 | schtasks.exe
1956 | schtasks.exe
2336 | schtasks.exe
2272 | schtasks.exe
2256 | schtasks.exe
2940 | schtasks.exe
-
Suspicious behavior: EnumeratesProcesses (17 IoCs)
pid | Process
2264 | DllCommonsvc.exe
2368 | powershell.exe
2664 | powershell.exe
660 | powershell.exe
1776 | powershell.exe
2124 | powershell.exe
2900 | csrss.exe
2208 | csrss.exe
2268 | csrss.exe
2424 | csrss.exe
2228 | csrss.exe
2696 | csrss.exe
288 | csrss.exe
2364 | csrss.exe
2080 | csrss.exe
1268 | csrss.exe
2868 | csrss.exe
-
Suspicious use of AdjustPrivilegeToken (17 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2264 | DllCommonsvc.exe
Token: SeDebugPrivilege | 2900 | csrss.exe
Token: SeDebugPrivilege | 2368 | powershell.exe
Token: SeDebugPrivilege | 2664 | powershell.exe
Token: SeDebugPrivilege | 660 | powershell.exe
Token: SeDebugPrivilege | 1776 | powershell.exe
Token: SeDebugPrivilege | 2124 | powershell.exe
Token: SeDebugPrivilege | 2208 | csrss.exe
Token: SeDebugPrivilege | 2268 | csrss.exe
Token: SeDebugPrivilege | 2424 | csrss.exe
Token: SeDebugPrivilege | 2228 | csrss.exe
Token: SeDebugPrivilege | 2696 | csrss.exe
Token: SeDebugPrivilege | 288 | csrss.exe
Token: SeDebugPrivilege | 2364 | csrss.exe
Token: SeDebugPrivilege | 2080 | csrss.exe
Token: SeDebugPrivilege | 1268 | csrss.exe
Token: SeDebugPrivilege | 2868 | csrss.exe
-
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 2140 wrote to memory of 2744 | 2140 | JaffaCakes118_dfdf6f6fe3208ab1f52c73fbc2809645827ed959af4dc4f7dc100f3049fbe5d6.exe | 30
PID 2140 wrote to memory of 2744 | 2140 | JaffaCakes118_dfdf6f6fe3208ab1f52c73fbc2809645827ed959af4dc4f7dc100f3049fbe5d6.exe | 30
PID 2140 wrote to memory of 2744 | 2140 | JaffaCakes118_dfdf6f6fe3208ab1f52c73fbc2809645827ed959af4dc4f7dc100f3049fbe5d6.exe | 30
PID 2140 wrote to memory of 2744 | 2140 | JaffaCakes118_dfdf6f6fe3208ab1f52c73fbc2809645827ed959af4dc4f7dc100f3049fbe5d6.exe | 30
PID 2744 wrote to memory of 2992 | 2744 | WScript.exe | 31
PID 2744 wrote to memory of 2992 | 2744 | WScript.exe | 31
PID 2744 wrote to memory of 2992 | 2744 | WScript.exe | 31
PID 2744 wrote to memory of 2992 | 2744 | WScript.exe | 31
PID 2992 wrote to memory of 2264 | 2992 | cmd.exe | 33
PID 2992 wrote to memory of 2264 | 2992 | cmd.exe | 33
PID 2992 wrote to memory of 2264 | 2992 | cmd.exe | 33
PID 2992 wrote to memory of 2264 | 2992 | cmd.exe | 33
PID 2264 wrote to memory of 1776 | 2264 | DllCommonsvc.exe | 47
PID 2264 wrote to memory of 1776 | 2264 | DllCommonsvc.exe | 47
PID 2264 wrote to memory of 1776 | 2264 | DllCommonsvc.exe | 47
PID 2264 wrote to memory of 2368 | 2264 | DllCommonsvc.exe | 48
PID 2264 wrote to memory of 2368 | 2264 | DllCommonsvc.exe | 48
PID 2264 wrote to memory of 2368 | 2264 | DllCommonsvc.exe | 48
PID 2264 wrote to memory of 2124 | 2264 | DllCommonsvc.exe | 49
PID 2264 wrote to memory of 2124 | 2264 | DllCommonsvc.exe | 49
PID 2264 wrote to memory of 2124 | 2264 | DllCommonsvc.exe | 49
PID 2264 wrote to memory of 2664 | 2264 | DllCommonsvc.exe | 50
PID 2264 wrote to memory of 2664 | 2264 | DllCommonsvc.exe | 50
PID 2264 wrote to memory of 2664 | 2264 | DllCommonsvc.exe | 50
PID 2264 wrote to memory of 660 | 2264 | DllCommonsvc.exe | 53
PID 2264 wrote to memory of 660 | 2264 | DllCommonsvc.exe | 53
PID 2264 wrote to memory of 660 | 2264 | DllCommonsvc.exe | 53
PID 2264 wrote to memory of 2900 | 2264 | DllCommonsvc.exe | 57
PID 2264 wrote to memory of 2900 | 2264 | DllCommonsvc.exe | 57
PID 2264 wrote to memory of 2900 | 2264 | DllCommonsvc.exe | 57
PID 2900 wrote to memory of 292 | 2900 | csrss.exe | 58
PID 2900 wrote to memory of 292 | 2900 | csrss.exe | 58
PID 2900 wrote to memory of 292 | 2900 | csrss.exe | 58
PID 292 wrote to memory of 1520 | 292 | cmd.exe | 60
PID 292 wrote to memory of 1520 | 292 | cmd.exe | 60
PID 292 wrote to memory of 1520 | 292 | cmd.exe | 60
PID 292 wrote to memory of 2208 | 292 | cmd.exe | 61
PID 292 wrote to memory of 2208 | 292 | cmd.exe | 61
PID 292 wrote to memory of 2208 | 292 | cmd.exe | 61
PID 2208 wrote to memory of 2928 | 2208 | csrss.exe | 63
PID 2208 wrote to memory of 2928 | 2208 | csrss.exe | 63
PID 2208 wrote to memory of 2928 | 2208 | csrss.exe | 63
PID 2928 wrote to memory of 572 | 2928 | cmd.exe | 65
PID 2928 wrote to memory of 572 | 2928 | cmd.exe | 65
PID 2928 wrote to memory of 572 | 2928 | cmd.exe | 65
PID 2928 wrote to memory of 2268 | 2928 | cmd.exe | 66
PID 2928 wrote to memory of 2268 | 2928 | cmd.exe | 66
PID 2928 wrote to memory of 2268 | 2928 | cmd.exe | 66
PID 2268 wrote to memory of 1496 | 2268 | csrss.exe | 67
PID 2268 wrote to memory of 1496 | 2268 | csrss.exe | 67
PID 2268 wrote to memory of 1496 | 2268 | csrss.exe | 67
PID 1496 wrote to memory of 1944 | 1496 | cmd.exe | 69
PID 1496 wrote to memory of 1944 | 1496 | cmd.exe | 69
PID 1496 wrote to memory of 1944 | 1496 | cmd.exe | 69
PID 1496 wrote to memory of 2424 | 1496 | cmd.exe | 70
PID 1496 wrote to memory of 2424 | 1496 | cmd.exe | 70
PID 1496 wrote to memory of 2424 | 1496 | cmd.exe | 70
PID 2424 wrote to memory of 2980 | 2424 | csrss.exe | 71
PID 2424 wrote to memory of 2980 | 2424 | csrss.exe | 71
PID 2424 wrote to memory of 2980 | 2424 | csrss.exe | 71
PID 2980 wrote to memory of 1636 | 2980 | cmd.exe | 73
PID 2980 wrote to memory of 1636 | 2980 | cmd.exe | 73
PID 2980 wrote to memory of 1636 | 2980 | cmd.exe | 73
PID 2980 wrote to memory of 2228 | 2980 | cmd.exe | 74
-
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_dfdf6f6fe3208ab1f52c73fbc2809645827ed959af4dc4f7dc100f3049fbe5d6.exe (depth 1)
Command: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_dfdf6f6fe3208ab1f52c73fbc2809645827ed959af4dc4f7dc100f3049fbe5d6.exe"
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 2140
-
C:\Windows\SysWOW64\WScript.exe (depth 2)
Command: "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 2744
-
C:\Windows\SysWOW64\cmd.exe (depth 3)
Command: cmd /c ""C:\providercommon\1zu9dW.bat" "
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 2992
-
C:\providercommon\DllCommonsvc.exe (depth 4)
Command: "C:\providercommon\DllCommonsvc.exe"
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 2264
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 5)
Command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1776
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 5)
Command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Google\Chrome\WmiPrvSE.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2368
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 5)
Command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\Idle.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2124
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 5)
Command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\logs\explorer.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2664
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 5)
Command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\Microsoft\csrss.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 660
-
C:\Program Files\MSBuild\Microsoft\csrss.exe (depth 5)
Command: "C:\Program Files\MSBuild\Microsoft\csrss.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 2900
-
C:\Windows\System32\cmd.exe (depth 6)
Command: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tfVhKC50lX.bat"
- Suspicious use of WriteProcessMemory
PID: 292
-
C:\Windows\system32\w32tm.exe (depth 7)
Command: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 1520
-
C:\Program Files\MSBuild\Microsoft\csrss.exe (depth 7)
Command: "C:\Program Files\MSBuild\Microsoft\csrss.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 2208
-
C:\Windows\System32\cmd.exe (depth 8)
Command: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\n9GQh003RW.bat"
- Suspicious use of WriteProcessMemory
PID: 2928
-
C:\Windows\system32\w32tm.exe (depth 9)
Command: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 572
-
C:\Program Files\MSBuild\Microsoft\csrss.exe (depth 9)
Command: "C:\Program Files\MSBuild\Microsoft\csrss.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 2268
-
C:\Windows\System32\cmd.exe (depth 10)
Command: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fg7ffKrc0I.bat"
- Suspicious use of WriteProcessMemory
PID: 1496
-
C:\Windows\system32\w32tm.exe (depth 11)
Command: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 1944
-
C:\Program Files\MSBuild\Microsoft\csrss.exe (depth 11)
Command: "C:\Program Files\MSBuild\Microsoft\csrss.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 2424
-
C:\Windows\System32\cmd.exe (depth 12)
Command: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dk6czFnjgV.bat"
- Suspicious use of WriteProcessMemory
PID: 2980
-
C:\Windows\system32\w32tm.exe (depth 13)
Command: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 1636
-
C:\Program Files\MSBuild\Microsoft\csrss.exe (depth 13)
Command: "C:\Program Files\MSBuild\Microsoft\csrss.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2228
-
C:\Windows\System32\cmd.exe (depth 14)
Command: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\c38FLB8gIG.bat"
PID: 2352
-
C:\Windows\system32\w32tm.exe (depth 15)
Command: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 1904
-
C:\Program Files\MSBuild\Microsoft\csrss.exe (depth 15)
Command: "C:\Program Files\MSBuild\Microsoft\csrss.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2696
-
C:\Windows\System32\cmd.exe (depth 16)
Command: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\moqrXfpsIj.bat"
PID: 1232
-
C:\Windows\system32\w32tm.exe (depth 17)
Command: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 484
-
C:\Program Files\MSBuild\Microsoft\csrss.exe (depth 17)
Command: "C:\Program Files\MSBuild\Microsoft\csrss.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 288
-
C:\Windows\System32\cmd.exe (depth 18)
Command: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hC9SSnetfo.bat"
PID: 2924
-
C:\Windows\system32\w32tm.exe (depth 19)
Command: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 1480
-
C:\Program Files\MSBuild\Microsoft\csrss.exe (depth 19)
Command: "C:\Program Files\MSBuild\Microsoft\csrss.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2364
-
C:\Windows\System32\cmd.exe (depth 20)
Command: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HAJBVlyJNQ.bat"
PID: 1520
-
C:\Windows\system32\w32tm.exe (depth 21)
Command: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 408
-
C:\Program Files\MSBuild\Microsoft\csrss.exe (depth 21)
Command: "C:\Program Files\MSBuild\Microsoft\csrss.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2080
-
C:\Windows\System32\cmd.exe (depth 22)
Command: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LEBHQwxRW8.bat"
PID: 1908
-
C:\Windows\system32\w32tm.exe (depth 23)
Command: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 1348
-
C:\Program Files\MSBuild\Microsoft\csrss.exe (depth 23)
Command: "C:\Program Files\MSBuild\Microsoft\csrss.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1268
-
C:\Windows\System32\cmd.exe (depth 24)
Command: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\15yWIDpGaf.bat"
PID: 844
-
C:\Windows\system32\w32tm.exe (depth 25)
Command: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 2688
-
C:\Program Files\MSBuild\Microsoft\csrss.exe (depth 25)
Command: "C:\Program Files\MSBuild\Microsoft\csrss.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2868
-
C:\Windows\System32\cmd.exe (depth 26)
Command: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2K3DLFE7WC.bat"
PID: 1656
-
C:\Windows\system32\w32tm.exe (depth 27)
Command: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 1804
-
C:\Windows\system32\schtasks.exe (depth 1)
Command: schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Program Files\Google\Chrome\WmiPrvSE.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 1956
-
C:\Windows\system32\schtasks.exe (depth 1)
Command: schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\WmiPrvSE.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2336
-
C:\Windows\system32\schtasks.exe (depth 1)
Command: schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Program Files\Google\Chrome\WmiPrvSE.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2272
-
C:\Windows\system32\schtasks.exe (depth 1)
Command: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\Idle.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2884
-
C:\Windows\system32\schtasks.exe (depth 1)
Command: schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 1744
-
C:\Windows\system32\schtasks.exe (depth 1)
Command: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2256
-
C:\Windows\system32\schtasks.exe (depth 1)
Command: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\explorer.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2312
-
C:\Windows\system32\schtasks.exe (depth 1)
Command: schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\explorer.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 1448
-
C:\Windows\system32\schtasks.exe (depth 1)
Command: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\explorer.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2940
-
C:\Windows\system32\schtasks.exe (depth 1)
Command: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files\MSBuild\Microsoft\csrss.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 1988
-
C:\Windows\system32\schtasks.exe (depth 1)
Command: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 1972
-
C:\Windows\system32\schtasks.exe (depth 1)
Command: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files\MSBuild\Microsoft\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2912
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 151f0b475f068cafb492c6b4a851c71a
SHA1: d6ed464e3096c24cb8fff49700cfb613b498b4c2
SHA256: f3970e19e6cbc8e1956332c7584509ce8ddad4b709eb4ad83ac7fbd0d8c44542
SHA512: f867db67dc58c17216f4e133628a3158d0ea07444d1263001ee907ae6d0003343dc190ce1fd04ce0fa0207652202317517b8de5f71d880a0cf3c0522ae288b66
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 5567abda592f63172aed03bebf1622e5
SHA1: d12c4db782b247a4b32d0efbd4b73dfb903c1e88
SHA256: ce9fc2a61d6a2ec6986b8f74437b38a624996d92e31802b8818649105246077c
SHA512: efb731570ab8691199ffb486349d113dbb87c6b3a747a0544229ce927f553440763040d850adf681ea66f4a29b9f41664262d211e92f8fafb275a46bf64958d4
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 22c0a7af02e6f2d761683bfd9a754efd
SHA1: 6365922d32896b11a90666da006b45bf5189f791
SHA256: 55229d0e98361f0652960dbeaeab11b92049993892ee2cce4cdca853e33fb784
SHA512: 45e3592aabdcefab0d29b1968f761f0c81622e18093af1350867e3fa3a4af2ac8a62fb60845bf9437b49f08b0f3cfcaa9cd452cf4d29a5ada052ed2dd9ec9014
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: cb8bae453f438d5897107546f578448e
SHA1: 7d55b24d08bb7a232f612cfc145ac30a8bb53f80
SHA256: 4b8d0fafa68616f0828e93c1e8375f93c06ba76548773bdf2db8c9d04100dbe1
SHA512: 0478f4573f71b924c6d7cdeaece7463304b11c23321d07378b5ef560425d8f99665a77ff5580b543066eeda73f8b49e554d116db1b84957656e7a3c60a96862a
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: fe5f279f533bad868160cd73f34d4986
SHA1: a6533622d292881ee2dd3ec1fcbf32c089921589
SHA256: fb8c268c2d620ffb0c9ded94d14f6cd5e0fda178d8df4e7c74e565923c38e2c7
SHA512: 2d264c7f6f0979c2d49a771ffec38fcdd528eb38748eb1a6756b4618abaa778e4ebe969e970f940feb0df32ca00d6ca8fc489a02a299c4efb8f0e8ada03418ee
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 0cdc41b5c467e3fbe459801fa6646edd
SHA1: cd4c16a90ef90f8ee8c69c23a869f9cf8e6aeedf
SHA256: 2867b7d06a917d816956b26abe682d4b4f1dd3c99cf252bc983c32a4526a3843
SHA512: 1caf705a185833aa69d98f779a039025e3b3f69343fbb5dd3218f99695c00b0c9224e3e5509c1c673f9a2e1d816b5248f4d81cf74bfaa7ed8d956a4239f0fcd5
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 088ff6a59899731be11b7f7568f05bc7
SHA1: 15872d0eb41e4ecebefff9e548fa58f9ca7afdcb
SHA256: 85df8d5f33d68aa53f65e235d068da5f0678ec4f39ff2d4c2f75eebbe7f768bf
SHA512: d1ef8d78fc93d99a31180e341fcc6f340c0f2549fdda9a9d0c696e1ab0d529e74445fcc9a215ed21b76e676872b1c9118d8b0ee40aa49a7acd87963b0df2845e
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 5f1f936f49126e718d9f8dfec7b0c3f9
SHA1: 81808ac6e082fe53ca6e9a42b663276def0f83a7
SHA256: 3a92919c29a9c1f79ca9e787b990fdb03939b23cd760cbdf09935524310cf5ab
SHA512: 02fdb5b7e9c5394cf89e2f3824cce2e8f1e16c3c491aaff6e2b0aca371b6da3ed118ba6afac41df9561a4b52a1db76dffd70f7fab800e8006b906f94fa65edc1
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 8164401295ad85cb796baa49d7524707
SHA1: de9153edc6e1ac65000f36e02c645e38d8380e24
SHA256: e4be4e6ef77f3a003442197bcf007a36cf11a79da39a6afbb9fdc90e1a6d8628
SHA512: e05839ddadd94b84dff0d8e28fc7fc4efb1f3784078eef1622b10dc457fb53e8d1ab17f36e958d17e8428a785f60ded97fe8d4f71e2abdf65b6518a16e080a17
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 3439a2b86aeffc5c4fd8f43157fa84d3
SHA1: 06d57b9abbe15269f018ad78640fde3062358656
SHA256: ade96b129004e35751de144802ace7899ed65b4f6a75d60e0d3cf4e39a9ad695
SHA512: 57e19a2d367f463eeb06f889a791286c123e2c3d001e0113f16654844468f656dbf83f3311e12685285a075a5ceda384415dc789cb9f6658a8645ca706a9419b
-
Filesize: 209B
MD5: 9067d3d3c67f78b0a9e62d4f9a7dfae3
SHA1: 79d002669034312b7d08ccc4d9a1fc4f49b7e031
SHA256: 2265c5733270a46031c235a1b730fa913c3652c7f3b63b65991c6cc68dfc76ec
SHA512: ab5949c3a870f9914e159e372bf89cb394f9dd459dcde9af3dd3ba9e0c4e6c39e210a9b7f7b52872d96e023ec48fa9294bfddf66de0625846079972b6b9dcdc9
-
Filesize: 209B
MD5: 7f968c3c7cd5239cb67cc5329ce43833
SHA1: e6ad3b81bb5e372fa88eb9c2d9459a04103ef633
SHA256: 6ae9da66d4785858414dd5fcacc6eb52e2a90cb6f5caf10cec0a5e0721eb1653
SHA512: c52f5c5a782330709e22ea619155d92ae85038506d9d9fbc94dc0b0333feb8cc8229e594f1c3d4b25f6d3a735a61a62e563f05281502cf63510005b360b3aa77
-
Filesize: 70KB
MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1: 1723be06719828dda65ad804298d0431f6aff976
SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize: 209B
MD5: 44f16a23f2a36963612b8c3dfc669324
SHA1: 5c88e0aac23900b868640da18c2984fcc474a193
SHA256: ea4437f7aca21c97536d6ab9af3f88f62708ed623ae713ace7b635a5350ae10e
SHA512: abe0072cddcf936d61641e18fd22f0860c6403ddff56ecdb64e895600aa3586dece7daaf0a5f5dd710f08afbe72d1fc00e6098428284c8cdfe6c15edbca456aa
-
Filesize: 209B
MD5: 6fe2b116f24fdbb87b85893c71cf3bcf
SHA1: 8b11b5982e54cc9290c0bcbe45a41fa6d26eba0b
SHA256: bdddb96c26a58a2dd4beef4371d36f0323a937a16d2abd9a74797f37b6b0f98b
SHA512: b14e5c7c0f1e34d844cb4e5d075a66c4f7a841b939036a4c55d1ac09754480b47c84dfc283263582356ff235aae3cf90d4cc16838d178ee7610d343dcc513bb0
-
Filesize: 181KB
MD5: 4ea6026cf93ec6338144661bf1202cd1
SHA1: a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256: 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512: 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize: 209B
MD5: 2ceaa488c1d1c42205bf1b37f2c269d2
SHA1: dd6dfcfc0242af894f5699ad4c8bc83b83a6b1b5
SHA256: de87cd1edf39fc202816e7d6a00f60f7e82527b12df54fec0e463cb3986c7222
SHA512: 23f3c9a0a935df43dd63b9d7cf225a91c5a554cf714212fe4494070711ca84f968168d4fd4547762eddfb664c8a794b2fe4a1fd5ea14ab076bc3d84847c350ad
-
Filesize: 209B
MD5: 2ffb24ee4ea2296ee1465af194aac48f
SHA1: 3fb532e33b78d85d69f0085da544ec807cb32467
SHA256: 84ee284dfc1e05dbe898554bfda9a11abad9224badfc0fc7fae6a42fac8ff43c
SHA512: c19aaba7cb92991e758e70a4b0d810af7390a4fb0f1227a862a50fa9580d763b9fa306d9400fc95cb99c977e7730a41a3a841e3a5f1eb451746877e74f663f15
-
Filesize: 209B
MD5: c31afaec91c537659b71a630a1be7e02
SHA1: 24bc1c86466f793ed829bc8185615dda17ddbf47
SHA256: 51b3e7514578684326e40e8a28c503304804e9abc125a485ff438815cfb10e61
SHA512: 7580564d0ee264d2ca6a24c59dc4490c758cca492592a0d906eecee06b51aa5f3d3d4c88fb9457125340a1a5f8810906163b983bde15aca87a36b903aea703f7
-
Filesize: 209B
MD5: 5e9c255938845d617b70e278da102874
SHA1: 6ac49326ace12f821c7af4f5e06ba26fb79253ed
SHA256: db15b9cd7ff6e4874902dbce3e5cf3dd69202fc7c62ee111eeb1c34a5601f215
SHA512: e8bc9ac033de8acf33f7334f85c346122acd72740c25adefcafcf49c8c09a75e21910e9ee3582ada9f52ae623c57f57c49a47e0b0a6459973d829125227cb7cd
-
Filesize: 209B
MD5: eb6aa59fa12e1b96268cdb30063c2780
SHA1: 3ac03b47185e1960b8a21a536358587969d4631f
SHA256: a758d54e5d2b008494880b2d9eeb3774c2a8483a5926e85d5c0006e949c74f2a
SHA512: ef9b2d94e0a40e72b635fbb700e4391cd65a28f069387bc164a521c99a11ea2c20ede1e6f5ef964dd6125eaa6b0a68515d497721ad41c030c0848b8a97d20095
-
Filesize: 209B
MD5: 1ae0d52c24db7b6ca0837706ef84b499
SHA1: bd131cde49740af0a4cd77a7b6f59f08ba37edb9
SHA256: 74d29848659c0d964efbff45346232efda23295cc917f7b1d07cfbb36ce13fd9
SHA512: e4e65dfb66c9919322cd1de0d7df2bcbafc4f9634b81b038826c46e190cf3f6e84f8f2e1a17299977cbfbd8071a37797989d190f5f82a7724796188d9dd7f2bf
-
Filesize: 209B
MD5: 4660e09700adcc8297fc7611ab3b2c68
SHA1: 556083e6c40c4a48fde38a850acd12975db1a586
SHA256: 5f4b3edbbb0a42b50e2298920b8d379c2bc914bf848de6fc171123f43b8098b8
SHA512: d926729dbb2185bb33ee5c58733dba824b9bf03561faf71484b866d35433b3c3a8b228f7657220939111f7bb5621405aa63424c12d68b3003134d38feb194838
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\U98IYCLQC53MT4DWSBR9.temp
Filesize: 7KB
MD5: 2eab39f326bf5d5aedef07889eaa56c2
SHA1: 87f64636a48db8bb36e08a9e3d47586e0bdff763
SHA256: 58a6470710786f6972019cdb5b872308419aaa86bc0299f3a834cd9f6fb92c00
SHA512: df516dbc4e611ed16d818042135b9c8574ee8ea513ae56bff0fe988b186bcada8958d11524490b91317d396b25ad2825d18dd466947c0ed0a5056facb51f1067
-
Filesize: 36B
MD5: 6783c3ee07c7d151ceac57f1f9c8bed7
SHA1: 17468f98f95bf504cc1f83c49e49a78526b3ea03
SHA256: 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512: c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8
-
Filesize: 197B
MD5: 8088241160261560a02c84025d107592
SHA1: 083121f7027557570994c9fc211df61730455bb5
SHA256: 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA512: 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478
-
Filesize: 1.0MB
MD5: bd31e94b4143c4ce49c17d3af46bcad0
SHA1: f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256: b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512: f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394