Analysis
- max time kernel: 146s
- max time network: 143s
- platform: windows7_x64
- resource: win7-20241010-en
- resource tags: arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system
- submitted: 30/12/2024, 17:29

Behavioral task behavioral1
- Sample: JaffaCakes118_adf79dfd7aa3ca6c8b128933eb74bb16317bb0c9143005dca57907a9a112acd6.exe
- Resource: win7-20241010-en

Behavioral task behavioral2
- Sample: JaffaCakes118_adf79dfd7aa3ca6c8b128933eb74bb16317bb0c9143005dca57907a9a112acd6.exe
- Resource: win10v2004-20241007-en

General
- Target: JaffaCakes118_adf79dfd7aa3ca6c8b128933eb74bb16317bb0c9143005dca57907a9a112acd6.exe
- Size: 1.3MB
- MD5: ce93576e0a5b44f4aeb32124bd140460
- SHA1: 99c15083ece325958a02c176abb6a74935c00960
- SHA256: adf79dfd7aa3ca6c8b128933eb74bb16317bb0c9143005dca57907a9a112acd6
- SHA512: 6046d3a6eafce983bfe67f1eb6eb20f34155a4d427847e1a8c984ab67299c01db422a4d328ab796c290fc7bde3f061d727d5133850b7640d2eb8b7b76f693fff
- SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures

DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.

Dcrat family

Process spawned unexpected child process 21 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2716 | 2228 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2308 | 2228 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2584 | 2228 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2680 | 2228 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2700 | 2228 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2800 | 2228 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1944 | 2228 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1092 | 2228 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1696 | 2228 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2900 | 2228 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1164 | 2228 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1380 | 2228 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2740 | 2228 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2864 | 2228 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2904 | 2228 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1484 | 2228 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 264 | 2228 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2780 | 2228 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1992 | 2228 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2536 | 2228 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2564 | 2228 | schtasks.exe | 34

resource | yara_rule
behavioral1/files/0x0008000000016dc0-11.dat | dcrat
behavioral1/memory/2232-13-0x0000000000F50000-0x0000000001060000-memory.dmp | dcrat
behavioral1/memory/2664-38-0x0000000000C80000-0x0000000000D90000-memory.dmp | dcrat
behavioral1/memory/2800-198-0x0000000001320000-0x0000000001430000-memory.dmp | dcrat
behavioral1/memory/2260-317-0x0000000000140000-0x0000000000250000-memory.dmp | dcrat
behavioral1/memory/2504-377-0x0000000000960000-0x0000000000A70000-memory.dmp | dcrat
behavioral1/memory/600-438-0x0000000000D90000-0x0000000000EA0000-memory.dmp | dcrat
behavioral1/memory/2204-558-0x0000000000DD0000-0x0000000000EE0000-memory.dmp | dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
pid | Process
288 | powershell.exe
824 | powershell.exe
2208 | powershell.exe
2204 | powershell.exe
2400 | powershell.exe
2392 | powershell.exe
2108 | powershell.exe
2300 | powershell.exe

Executes dropped EXE 10 IoCs
pid | Process
2232 | DllCommonsvc.exe
2664 | audiodg.exe
2680 | audiodg.exe
2800 | audiodg.exe
1252 | audiodg.exe
2260 | audiodg.exe
2504 | audiodg.exe
600 | audiodg.exe
2436 | audiodg.exe
2204 | audiodg.exe

Loads dropped DLL 2 IoCs
pid | Process
2100 | cmd.exe
2100 | cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 9 IoCs
flow | ioc
12 | raw.githubusercontent.com
19 | raw.githubusercontent.com
4 | raw.githubusercontent.com
5 | raw.githubusercontent.com
9 | raw.githubusercontent.com
16 | raw.githubusercontent.com
22 | raw.githubusercontent.com
25 | raw.githubusercontent.com
29 | raw.githubusercontent.com

Drops file in Program Files directory 4 IoCs
description | ioc | Process
File created | C:\Program Files\Windows Portable Devices\audiodg.exe | DllCommonsvc.exe
File created | C:\Program Files\Windows Portable Devices\42af1c969fbb7b | DllCommonsvc.exe
File created | C:\Program Files\Mozilla Firefox\uninstall\dwm.exe | DllCommonsvc.exe
File created | C:\Program Files\Mozilla Firefox\uninstall\6cb0b6c459d5d3 | DllCommonsvc.exe

Drops file in Windows directory 4 IoCs
description | ioc | Process
File created | C:\Windows\Tasks\sppsvc.exe | DllCommonsvc.exe
File created | C:\Windows\Tasks\0a1fd5f707cd16 | DllCommonsvc.exe
File created | C:\Windows\ServiceProfiles\csrss.exe | DllCommonsvc.exe
File created | C:\Windows\ServiceProfiles\886983d96e3d3e | DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_adf79dfd7aa3ca6c8b128933eb74bb16317bb0c9143005dca57907a9a112acd6.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 21 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
2308 | schtasks.exe
1092 | schtasks.exe
2900 | schtasks.exe
1164 | schtasks.exe
264 | schtasks.exe
2780 | schtasks.exe
2700 | schtasks.exe
2800 | schtasks.exe
1380 | schtasks.exe
2864 | schtasks.exe
1484 | schtasks.exe
2536 | schtasks.exe
1696 | schtasks.exe
2904 | schtasks.exe
2564 | schtasks.exe
2716 | schtasks.exe
2584 | schtasks.exe
2680 | schtasks.exe
1944 | schtasks.exe
2740 | schtasks.exe
1992 | schtasks.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs
pid | Process
2232 | DllCommonsvc.exe
2208 | powershell.exe
2204 | powershell.exe
2108 | powershell.exe
824 | powershell.exe
288 | powershell.exe
2300 | powershell.exe
2392 | powershell.exe
2400 | powershell.exe
2664 | audiodg.exe
2680 | audiodg.exe
2800 | audiodg.exe
1252 | audiodg.exe
2260 | audiodg.exe
2504 | audiodg.exe
600 | audiodg.exe
2436 | audiodg.exe
2204 | audiodg.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2232 | DllCommonsvc.exe
Token: SeDebugPrivilege | 2664 | audiodg.exe
Token: SeDebugPrivilege | 2208 | powershell.exe
Token: SeDebugPrivilege | 2204 | powershell.exe
Token: SeDebugPrivilege | 2108 | powershell.exe
Token: SeDebugPrivilege | 824 | powershell.exe
Token: SeDebugPrivilege | 288 | powershell.exe
Token: SeDebugPrivilege | 2300 | powershell.exe
Token: SeDebugPrivilege | 2392 | powershell.exe
Token: SeDebugPrivilege | 2400 | powershell.exe
Token: SeDebugPrivilege | 2680 | audiodg.exe
Token: SeDebugPrivilege | 2800 | audiodg.exe
Token: SeDebugPrivilege | 1252 | audiodg.exe
Token: SeDebugPrivilege | 2260 | audiodg.exe
Token: SeDebugPrivilege | 2504 | audiodg.exe
Token: SeDebugPrivilege | 600 | audiodg.exe
Token: SeDebugPrivilege | 2436 | audiodg.exe
Token: SeDebugPrivilege | 2204 | audiodg.exe

Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 1748 wrote to memory of 1820 | 1748 | JaffaCakes118_adf79dfd7aa3ca6c8b128933eb74bb16317bb0c9143005dca57907a9a112acd6.exe | 30
PID 1748 wrote to memory of 1820 | 1748 | JaffaCakes118_adf79dfd7aa3ca6c8b128933eb74bb16317bb0c9143005dca57907a9a112acd6.exe | 30
PID 1748 wrote to memory of 1820 | 1748 | JaffaCakes118_adf79dfd7aa3ca6c8b128933eb74bb16317bb0c9143005dca57907a9a112acd6.exe | 30
PID 1748 wrote to memory of 1820 | 1748 | JaffaCakes118_adf79dfd7aa3ca6c8b128933eb74bb16317bb0c9143005dca57907a9a112acd6.exe | 30
PID 1820 wrote to memory of 2100 | 1820 | WScript.exe | 31
PID 1820 wrote to memory of 2100 | 1820 | WScript.exe | 31
PID 1820 wrote to memory of 2100 | 1820 | WScript.exe | 31
PID 1820 wrote to memory of 2100 | 1820 | WScript.exe | 31
PID 2100 wrote to memory of 2232 | 2100 | cmd.exe | 33
PID 2100 wrote to memory of 2232 | 2100 | cmd.exe | 33
PID 2100 wrote to memory of 2232 | 2100 | cmd.exe | 33
PID 2100 wrote to memory of 2232 | 2100 | cmd.exe | 33
PID 2232 wrote to memory of 2208 | 2232 | DllCommonsvc.exe | 56
PID 2232 wrote to memory of 2208 | 2232 | DllCommonsvc.exe | 56
PID 2232 wrote to memory of 2208 | 2232 | DllCommonsvc.exe | 56
PID 2232 wrote to memory of 2204 | 2232 | DllCommonsvc.exe | 57
PID 2232 wrote to memory of 2204 | 2232 | DllCommonsvc.exe | 57
PID 2232 wrote to memory of 2204 | 2232 | DllCommonsvc.exe | 57
PID 2232 wrote to memory of 2400 | 2232 | DllCommonsvc.exe | 58
PID 2232 wrote to memory of 2400 | 2232 | DllCommonsvc.exe | 58
PID 2232 wrote to memory of 2400 | 2232 | DllCommonsvc.exe | 58
PID 2232 wrote to memory of 2392 | 2232 | DllCommonsvc.exe | 59
PID 2232 wrote to memory of 2392 | 2232 | DllCommonsvc.exe | 59
PID 2232 wrote to memory of 2392 | 2232 | DllCommonsvc.exe | 59
PID 2232 wrote to memory of 2108 | 2232 | DllCommonsvc.exe | 60
PID 2232 wrote to memory of 2108 | 2232 | DllCommonsvc.exe | 60
PID 2232 wrote to memory of 2108 | 2232 | DllCommonsvc.exe | 60
PID 2232 wrote to memory of 2300 | 2232 | DllCommonsvc.exe | 61
PID 2232 wrote to memory of 2300 | 2232 | DllCommonsvc.exe | 61
PID 2232 wrote to memory of 2300 | 2232 | DllCommonsvc.exe | 61
PID 2232 wrote to memory of 288 | 2232 | DllCommonsvc.exe | 62
PID 2232 wrote to memory of 288 | 2232 | DllCommonsvc.exe | 62
PID 2232 wrote to memory of 288 | 2232 | DllCommonsvc.exe | 62
PID 2232 wrote to memory of 824 | 2232 | DllCommonsvc.exe | 63
PID 2232 wrote to memory of 824 | 2232 | DllCommonsvc.exe | 63
PID 2232 wrote to memory of 824 | 2232 | DllCommonsvc.exe | 63
PID 2232 wrote to memory of 2664 | 2232 | DllCommonsvc.exe | 68
PID 2232 wrote to memory of 2664 | 2232 | DllCommonsvc.exe | 68
PID 2232 wrote to memory of 2664 | 2232 | DllCommonsvc.exe | 68
PID 2664 wrote to memory of 2700 | 2664 | audiodg.exe | 74
PID 2664 wrote to memory of 2700 | 2664 | audiodg.exe | 74
PID 2664 wrote to memory of 2700 | 2664 | audiodg.exe | 74
PID 2700 wrote to memory of 1532 | 2700 | cmd.exe | 76
PID 2700 wrote to memory of 1532 | 2700 | cmd.exe | 76
PID 2700 wrote to memory of 1532 | 2700 | cmd.exe | 76
PID 2700 wrote to memory of 2680 | 2700 | cmd.exe | 77
PID 2700 wrote to memory of 2680 | 2700 | cmd.exe | 77
PID 2700 wrote to memory of 2680 | 2700 | cmd.exe | 77
PID 2680 wrote to memory of 1944 | 2680 | audiodg.exe | 78
PID 2680 wrote to memory of 1944 | 2680 | audiodg.exe | 78
PID 2680 wrote to memory of 1944 | 2680 | audiodg.exe | 78
PID 1944 wrote to memory of 1932 | 1944 | cmd.exe | 80
PID 1944 wrote to memory of 1932 | 1944 | cmd.exe | 80
PID 1944 wrote to memory of 1932 | 1944 | cmd.exe | 80
PID 1944 wrote to memory of 2800 | 1944 | cmd.exe | 81
PID 1944 wrote to memory of 2800 | 1944 | cmd.exe | 81
PID 1944 wrote to memory of 2800 | 1944 | cmd.exe | 81
PID 2800 wrote to memory of 1088 | 2800 | audiodg.exe | 82
PID 2800 wrote to memory of 1088 | 2800 | audiodg.exe | 82
PID 2800 wrote to memory of 1088 | 2800 | audiodg.exe | 82
PID 1088 wrote to memory of 824 | 1088 | cmd.exe | 84
PID 1088 wrote to memory of 824 | 1088 | cmd.exe | 84
PID 1088 wrote to memory of 824 | 1088 | cmd.exe | 84
PID 1088 wrote to memory of 1252 | 1088 | cmd.exe | 85

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

(depth 1) C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_adf79dfd7aa3ca6c8b128933eb74bb16317bb0c9143005dca57907a9a112acd6.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_adf79dfd7aa3ca6c8b128933eb74bb16317bb0c9143005dca57907a9a112acd6.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 1748

(depth 2) C:\Windows\SysWOW64\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 1820

(depth 3) C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c ""C:\providercommon\1zu9dW.bat" "
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2100

(depth 4) C:\providercommon\DllCommonsvc.exe
  Command line: "C:\providercommon\DllCommonsvc.exe"
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2232

(depth 5) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2208

(depth 5) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsass.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2204

(depth 5) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\audiodg.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2400

(depth 5) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\wininit.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2392

(depth 5) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Mozilla Firefox\uninstall\dwm.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2108

(depth 5) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Tasks\sppsvc.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2300

(depth 5) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ServiceProfiles\csrss.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 288

(depth 5) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\cmd.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 824

(depth 5) C:\Program Files\Windows Portable Devices\audiodg.exe
  Command line: "C:\Program Files\Windows Portable Devices\audiodg.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2664

(depth 6) C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AKY6NrPTox.bat"
  - Suspicious use of WriteProcessMemory
  PID: 2700

(depth 7) C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 1532

(depth 7) C:\Program Files\Windows Portable Devices\audiodg.exe
  Command line: "C:\Program Files\Windows Portable Devices\audiodg.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2680

(depth 8) C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\daA37ewxym.bat"
  - Suspicious use of WriteProcessMemory
  PID: 1944

(depth 9) C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 1932

(depth 9) C:\Program Files\Windows Portable Devices\audiodg.exe
  Command line: "C:\Program Files\Windows Portable Devices\audiodg.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2800

(depth 10) C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\76lQa6YaxV.bat"
  - Suspicious use of WriteProcessMemory
  PID: 1088

(depth 11) C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 824

(depth 11) C:\Program Files\Windows Portable Devices\audiodg.exe
  Command line: "C:\Program Files\Windows Portable Devices\audiodg.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1252

(depth 12) C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Jef2EZNQSo.bat"
  PID: 2308

(depth 13) C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2856

(depth 13) C:\Program Files\Windows Portable Devices\audiodg.exe
  Command line: "C:\Program Files\Windows Portable Devices\audiodg.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2260

(depth 14) C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qwBPskakqG.bat"
  PID: 1516

(depth 15) C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2788

(depth 15) C:\Program Files\Windows Portable Devices\audiodg.exe
  Command line: "C:\Program Files\Windows Portable Devices\audiodg.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2504

(depth 16) C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pnRbx2xD7z.bat"
  PID: 492

(depth 17) C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 1776

(depth 17) C:\Program Files\Windows Portable Devices\audiodg.exe
  Command line: "C:\Program Files\Windows Portable Devices\audiodg.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 600

(depth 18) C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Zcl4dB2r8y.bat"
  PID: 1152

(depth 19) C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 1256

(depth 19) C:\Program Files\Windows Portable Devices\audiodg.exe
  Command line: "C:\Program Files\Windows Portable Devices\audiodg.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2436

(depth 20) C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CrTeqwt2Oo.bat"
  PID: 2560

(depth 21) C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 1932

(depth 21) C:\Program Files\Windows Portable Devices\audiodg.exe
  Command line: "C:\Program Files\Windows Portable Devices\audiodg.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2204

(depth 1) C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsass.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2716

(depth 1) C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsass.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2308

(depth 1) C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsass.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2584

(depth 1) C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Portable Devices\audiodg.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2680

(depth 1) C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\audiodg.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2700

(depth 1) C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Portable Devices\audiodg.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2800

(depth 1) C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\wininit.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1944

(depth 1) C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\wininit.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1092

(depth 1) C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\wininit.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1696

(depth 1) C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Program Files\Mozilla Firefox\uninstall\dwm.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2900

(depth 1) C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\uninstall\dwm.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1164

(depth 1) C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Program Files\Mozilla Firefox\uninstall\dwm.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1380

(depth 1) C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Windows\Tasks\sppsvc.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2740

(depth 1) C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\Tasks\sppsvc.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2864

(depth 1) C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Windows\Tasks\sppsvc.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2904

(depth 1) C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Windows\ServiceProfiles\csrss.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1484

(depth 1) C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\ServiceProfiles\csrss.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 264

(depth 1) C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Windows\ServiceProfiles\csrss.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2780

(depth 1) C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\cmd.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1992

(depth 1) C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\Default User\cmd.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2536

(depth 1) C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\cmd.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2564
Network
MITRE ATT&CK Enterprise v15
Downloads