Analysis
max time kernel: 149s
max time network: 155s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 30/12/2024, 17:39
Behavioral task behavioral1
Sample: JaffaCakes118_c0b48f072b3da8928af26a9cfad54918744f9a1f109a29d57d80156ec5816b23.exe
Resource: win7-20241010-en
Behavioral task behavioral2
Sample: JaffaCakes118_c0b48f072b3da8928af26a9cfad54918744f9a1f109a29d57d80156ec5816b23.exe
Resource: win10v2004-20241007-en
General
Target: JaffaCakes118_c0b48f072b3da8928af26a9cfad54918744f9a1f109a29d57d80156ec5816b23.exe
Size: 1.3MB
MD5: f0204b2ae05cf8c9a03a948357d10472
SHA1: 5d3ef52a49b1eac17f9a4019733d0988b4e90b74
SHA256: c0b48f072b3da8928af26a9cfad54918744f9a1f109a29d57d80156ec5816b23
SHA512: 169acd36e74a82c7d4a7ef71dcd01648498b6449fc9e058999a3b84776c941834567feea06b5d00854806b966fef13eadce502eda15f61814288c5c7526428af
SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
DcRat
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
Dcrat family
Process spawned unexpected child process (24 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
description (same for all 24 rows): Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
pid | pid_target | Process | procid_target
1696 | 2828 | schtasks.exe | 34
1036 | 2828 | schtasks.exe | 34
632 | 2828 | schtasks.exe | 34
1920 | 2828 | schtasks.exe | 34
2128 | 2828 | schtasks.exe | 34
2344 | 2828 | schtasks.exe | 34
1928 | 2828 | schtasks.exe | 34
2440 | 2828 | schtasks.exe | 34
2996 | 2828 | schtasks.exe | 34
2696 | 2828 | schtasks.exe | 34
2968 | 2828 | schtasks.exe | 34
2704 | 2828 | schtasks.exe | 34
2880 | 2828 | schtasks.exe | 34
2888 | 2828 | schtasks.exe | 34
2416 | 2828 | schtasks.exe | 34
1388 | 2828 | schtasks.exe | 34
2596 | 2828 | schtasks.exe | 34
2268 | 2828 | schtasks.exe | 34
1904 | 2828 | schtasks.exe | 34
1900 | 2828 | schtasks.exe | 34
2144 | 2828 | schtasks.exe | 34
2372 | 2828 | schtasks.exe | 34
2508 | 2828 | schtasks.exe | 34
2132 | 2828 | schtasks.exe | 34
resource | yara_rule
behavioral1/files/0x0007000000016458-10.dat | dcrat
behavioral1/memory/3032-13-0x0000000000C70000-0x0000000000D80000-memory.dmp | dcrat
behavioral1/memory/1768-61-0x00000000002A0000-0x00000000003B0000-memory.dmp | dcrat
behavioral1/memory/1800-142-0x0000000000C60000-0x0000000000D70000-memory.dmp | dcrat
behavioral1/memory/812-203-0x0000000000160000-0x0000000000270000-memory.dmp | dcrat
behavioral1/memory/3032-263-0x0000000000910000-0x0000000000A20000-memory.dmp | dcrat
behavioral1/memory/1724-323-0x0000000000A80000-0x0000000000B90000-memory.dmp | dcrat
behavioral1/memory/2364-560-0x0000000000CF0000-0x0000000000E00000-memory.dmp | dcrat
Command and Scripting Interpreter: PowerShell (1 TTPs, 9 IoCs)
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid | Process
2476 | powershell.exe
1384 | powershell.exe
872 | powershell.exe
1288 | powershell.exe
2484 | powershell.exe
2076 | powershell.exe
2192 | powershell.exe
1700 | powershell.exe
2560 | powershell.exe
Executes dropped EXE (10 IoCs)
pid | Process
3032 | DllCommonsvc.exe
1768 | audiodg.exe
1800 | audiodg.exe
812 | audiodg.exe
3032 | audiodg.exe
1724 | audiodg.exe
1780 | audiodg.exe
1008 | audiodg.exe
1768 | audiodg.exe
2364 | audiodg.exe
Loads dropped DLL (2 IoCs)
pid | Process
2672 | cmd.exe
2672 | cmd.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 10 IoCs)
flow | ioc
4 | raw.githubusercontent.com
9 | raw.githubusercontent.com
33 | raw.githubusercontent.com
30 | raw.githubusercontent.com
5 | raw.githubusercontent.com
13 | raw.githubusercontent.com
16 | raw.githubusercontent.com
20 | raw.githubusercontent.com
23 | raw.githubusercontent.com
26 | raw.githubusercontent.com
Drops file in System32 directory (2 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\hr-HR\audiodg.exe | DllCommonsvc.exe
File created | C:\Windows\SysWOW64\hr-HR\42af1c969fbb7b | DllCommonsvc.exe
Drops file in Program Files directory (4 IoCs)
description | ioc | Process
File created | C:\Program Files\Mozilla Firefox\sppsvc.exe | DllCommonsvc.exe
File created | C:\Program Files\Mozilla Firefox\0a1fd5f707cd16 | DllCommonsvc.exe
File created | C:\Program Files (x86)\Internet Explorer\SIGNUP\WmiPrvSE.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\Internet Explorer\SIGNUP\24dbde2999530e | DllCommonsvc.exe
Drops file in Windows directory (3 IoCs)
description | ioc | Process
File created | C:\Windows\BitLockerDiscoveryVolumeContents\csrss.exe | DllCommonsvc.exe
File opened for modification | C:\Windows\BitLockerDiscoveryVolumeContents\csrss.exe | DllCommonsvc.exe
File created | C:\Windows\BitLockerDiscoveryVolumeContents\886983d96e3d3e | DllCommonsvc.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_c0b48f072b3da8928af26a9cfad54918744f9a1f109a29d57d80156ec5816b23.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Scheduled Task/Job: Scheduled Task (1 TTPs, 24 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
1696 | schtasks.exe
2996 | schtasks.exe
2888 | schtasks.exe
1388 | schtasks.exe
2508 | schtasks.exe
632 | schtasks.exe
1920 | schtasks.exe
2128 | schtasks.exe
1928 | schtasks.exe
2968 | schtasks.exe
2880 | schtasks.exe
2268 | schtasks.exe
1900 | schtasks.exe
2596 | schtasks.exe
1904 | schtasks.exe
2144 | schtasks.exe
1036 | schtasks.exe
2344 | schtasks.exe
2440 | schtasks.exe
2696 | schtasks.exe
2704 | schtasks.exe
2416 | schtasks.exe
2372 | schtasks.exe
2132 | schtasks.exe
Suspicious behavior: EnumeratesProcesses (19 IoCs)
pid | Process
3032 | DllCommonsvc.exe
2476 | powershell.exe
872 | powershell.exe
2560 | powershell.exe
1288 | powershell.exe
2192 | powershell.exe
2484 | powershell.exe
1384 | powershell.exe
2076 | powershell.exe
1700 | powershell.exe
1768 | audiodg.exe
1800 | audiodg.exe
812 | audiodg.exe
3032 | audiodg.exe
1724 | audiodg.exe
1780 | audiodg.exe
1008 | audiodg.exe
1768 | audiodg.exe
2364 | audiodg.exe
Suspicious use of AdjustPrivilegeToken (19 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 3032 | DllCommonsvc.exe
Token: SeDebugPrivilege | 2476 | powershell.exe
Token: SeDebugPrivilege | 872 | powershell.exe
Token: SeDebugPrivilege | 2560 | powershell.exe
Token: SeDebugPrivilege | 1288 | powershell.exe
Token: SeDebugPrivilege | 2192 | powershell.exe
Token: SeDebugPrivilege | 2484 | powershell.exe
Token: SeDebugPrivilege | 1768 | audiodg.exe
Token: SeDebugPrivilege | 1384 | powershell.exe
Token: SeDebugPrivilege | 2076 | powershell.exe
Token: SeDebugPrivilege | 1700 | powershell.exe
Token: SeDebugPrivilege | 1800 | audiodg.exe
Token: SeDebugPrivilege | 812 | audiodg.exe
Token: SeDebugPrivilege | 3032 | audiodg.exe
Token: SeDebugPrivilege | 1724 | audiodg.exe
Token: SeDebugPrivilege | 1780 | audiodg.exe
Token: SeDebugPrivilege | 1008 | audiodg.exe
Token: SeDebugPrivilege | 1768 | audiodg.exe
Token: SeDebugPrivilege | 2364 | audiodg.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 2492 wrote to memory of 2784 | 2492 | JaffaCakes118_c0b48f072b3da8928af26a9cfad54918744f9a1f109a29d57d80156ec5816b23.exe | 30
PID 2492 wrote to memory of 2784 | 2492 | JaffaCakes118_c0b48f072b3da8928af26a9cfad54918744f9a1f109a29d57d80156ec5816b23.exe | 30
PID 2492 wrote to memory of 2784 | 2492 | JaffaCakes118_c0b48f072b3da8928af26a9cfad54918744f9a1f109a29d57d80156ec5816b23.exe | 30
PID 2492 wrote to memory of 2784 | 2492 | JaffaCakes118_c0b48f072b3da8928af26a9cfad54918744f9a1f109a29d57d80156ec5816b23.exe | 30
PID 2784 wrote to memory of 2672 | 2784 | WScript.exe | 31
PID 2784 wrote to memory of 2672 | 2784 | WScript.exe | 31
PID 2784 wrote to memory of 2672 | 2784 | WScript.exe | 31
PID 2784 wrote to memory of 2672 | 2784 | WScript.exe | 31
PID 2672 wrote to memory of 3032 | 2672 | cmd.exe | 33
PID 2672 wrote to memory of 3032 | 2672 | cmd.exe | 33
PID 2672 wrote to memory of 3032 | 2672 | cmd.exe | 33
PID 2672 wrote to memory of 3032 | 2672 | cmd.exe | 33
PID 3032 wrote to memory of 2484 | 3032 | DllCommonsvc.exe | 59
PID 3032 wrote to memory of 2484 | 3032 | DllCommonsvc.exe | 59
PID 3032 wrote to memory of 2484 | 3032 | DllCommonsvc.exe | 59
PID 3032 wrote to memory of 2476 | 3032 | DllCommonsvc.exe | 60
PID 3032 wrote to memory of 2476 | 3032 | DllCommonsvc.exe | 60
PID 3032 wrote to memory of 2476 | 3032 | DllCommonsvc.exe | 60
PID 3032 wrote to memory of 2560 | 3032 | DllCommonsvc.exe | 62
PID 3032 wrote to memory of 2560 | 3032 | DllCommonsvc.exe | 62
PID 3032 wrote to memory of 2560 | 3032 | DllCommonsvc.exe | 62
PID 3032 wrote to memory of 1700 | 3032 | DllCommonsvc.exe | 63
PID 3032 wrote to memory of 1700 | 3032 | DllCommonsvc.exe | 63
PID 3032 wrote to memory of 1700 | 3032 | DllCommonsvc.exe | 63
PID 3032 wrote to memory of 2192 | 3032 | DllCommonsvc.exe | 64
PID 3032 wrote to memory of 2192 | 3032 | DllCommonsvc.exe | 64
PID 3032 wrote to memory of 2192 | 3032 | DllCommonsvc.exe | 64
PID 3032 wrote to memory of 1384 | 3032 | DllCommonsvc.exe | 67
PID 3032 wrote to memory of 1384 | 3032 | DllCommonsvc.exe | 67
PID 3032 wrote to memory of 1384 | 3032 | DllCommonsvc.exe | 67
PID 3032 wrote to memory of 1288 | 3032 | DllCommonsvc.exe | 69
PID 3032 wrote to memory of 1288 | 3032 | DllCommonsvc.exe | 69
PID 3032 wrote to memory of 1288 | 3032 | DllCommonsvc.exe | 69
PID 3032 wrote to memory of 872 | 3032 | DllCommonsvc.exe | 70
PID 3032 wrote to memory of 872 | 3032 | DllCommonsvc.exe | 70
PID 3032 wrote to memory of 872 | 3032 | DllCommonsvc.exe | 70
PID 3032 wrote to memory of 2076 | 3032 | DllCommonsvc.exe | 71
PID 3032 wrote to memory of 2076 | 3032 | DllCommonsvc.exe | 71
PID 3032 wrote to memory of 2076 | 3032 | DllCommonsvc.exe | 71
PID 3032 wrote to memory of 1768 | 3032 | DllCommonsvc.exe | 77
PID 3032 wrote to memory of 1768 | 3032 | DllCommonsvc.exe | 77
PID 3032 wrote to memory of 1768 | 3032 | DllCommonsvc.exe | 77
PID 1768 wrote to memory of 2024 | 1768 | audiodg.exe | 78
PID 1768 wrote to memory of 2024 | 1768 | audiodg.exe | 78
PID 1768 wrote to memory of 2024 | 1768 | audiodg.exe | 78
PID 2024 wrote to memory of 2952 | 2024 | cmd.exe | 80
PID 2024 wrote to memory of 2952 | 2024 | cmd.exe | 80
PID 2024 wrote to memory of 2952 | 2024 | cmd.exe | 80
PID 2024 wrote to memory of 1800 | 2024 | cmd.exe | 81
PID 2024 wrote to memory of 1800 | 2024 | cmd.exe | 81
PID 2024 wrote to memory of 1800 | 2024 | cmd.exe | 81
PID 1800 wrote to memory of 2596 | 1800 | audiodg.exe | 82
PID 1800 wrote to memory of 2596 | 1800 | audiodg.exe | 82
PID 1800 wrote to memory of 2596 | 1800 | audiodg.exe | 82
PID 2596 wrote to memory of 2756 | 2596 | cmd.exe | 84
PID 2596 wrote to memory of 2756 | 2596 | cmd.exe | 84
PID 2596 wrote to memory of 2756 | 2596 | cmd.exe | 84
PID 2596 wrote to memory of 812 | 2596 | cmd.exe | 85
PID 2596 wrote to memory of 812 | 2596 | cmd.exe | 85
PID 2596 wrote to memory of 812 | 2596 | cmd.exe | 85
PID 812 wrote to memory of 2220 | 812 | audiodg.exe | 86
PID 812 wrote to memory of 2220 | 812 | audiodg.exe | 86
PID 812 wrote to memory of 2220 | 812 | audiodg.exe | 86
PID 2220 wrote to memory of 2792 | 2220 | cmd.exe | 88
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Depth 1: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c0b48f072b3da8928af26a9cfad54918744f9a1f109a29d57d80156ec5816b23.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c0b48f072b3da8928af26a9cfad54918744f9a1f109a29d57d80156ec5816b23.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2492
Depth 2: C:\Windows\SysWOW64\WScript.exe
  command line: "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2784
Depth 3: C:\Windows\SysWOW64\cmd.exe
  command line: cmd /c ""C:\providercommon\1zu9dW.bat" "
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2672
Depth 4: C:\providercommon\DllCommonsvc.exe
  command line: "C:\providercommon\DllCommonsvc.exe"
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 3032
Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2484
Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\BitLockerDiscoveryVolumeContents\csrss.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2476
Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Mozilla Firefox\sppsvc.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2560
Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\sppsvc.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1700
Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SysWOW64\hr-HR\audiodg.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2192
Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\SIGNUP\WmiPrvSE.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1384
Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1288
Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 872
Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\WmiPrvSE.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2076
Depth 5: C:\Windows\SysWOW64\hr-HR\audiodg.exe
  command line: "C:\Windows\SysWOW64\hr-HR\audiodg.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1768
Depth 6: C:\Windows\System32\cmd.exe
  command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eUivgxqvfs.bat"
  - Suspicious use of WriteProcessMemory
  PID: 2024
Depth 7: C:\Windows\system32\w32tm.exe
  command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2952
Depth 7: C:\Windows\SysWOW64\hr-HR\audiodg.exe
  command line: "C:\Windows\SysWOW64\hr-HR\audiodg.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1800
Depth 8: C:\Windows\System32\cmd.exe
  command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4WSxKcEorb.bat"
  - Suspicious use of WriteProcessMemory
  PID: 2596
Depth 9: C:\Windows\system32\w32tm.exe
  command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2756
Depth 9: C:\Windows\SysWOW64\hr-HR\audiodg.exe
  command line: "C:\Windows\SysWOW64\hr-HR\audiodg.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 812
Depth 10: C:\Windows\System32\cmd.exe
  command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YwiSfj46e4.bat"
  - Suspicious use of WriteProcessMemory
  PID: 2220
Depth 11: C:\Windows\system32\w32tm.exe
  command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2792
Depth 11: C:\Windows\SysWOW64\hr-HR\audiodg.exe
  command line: "C:\Windows\SysWOW64\hr-HR\audiodg.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 3032
Depth 12: C:\Windows\System32\cmd.exe
  command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rjTee716Rl.bat"
  PID: 2060
Depth 13: C:\Windows\system32\w32tm.exe
  command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 952
Depth 13: C:\Windows\SysWOW64\hr-HR\audiodg.exe
  command line: "C:\Windows\SysWOW64\hr-HR\audiodg.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1724
Depth 14: C:\Windows\System32\cmd.exe
  command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2qVagYZlTM.bat"
  PID: 1940
Depth 15: C:\Windows\system32\w32tm.exe
  command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 1040
Depth 15: C:\Windows\SysWOW64\hr-HR\audiodg.exe
  command line: "C:\Windows\SysWOW64\hr-HR\audiodg.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1780
Depth 16: C:\Windows\System32\cmd.exe
  command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0uTXzTWsAa.bat"
  PID: 872
Depth 17: C:\Windows\system32\w32tm.exe
  command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 1960
Depth 17: C:\Windows\SysWOW64\hr-HR\audiodg.exe
  command line: "C:\Windows\SysWOW64\hr-HR\audiodg.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1008
Depth 18: C:\Windows\System32\cmd.exe
  command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9ncYvmuuF5.bat"
  PID: 2800
Depth 19: C:\Windows\system32\w32tm.exe
  command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 1140
Depth 19: C:\Windows\SysWOW64\hr-HR\audiodg.exe
  command line: "C:\Windows\SysWOW64\hr-HR\audiodg.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1768
Depth 20: C:\Windows\System32\cmd.exe
  command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ER58NgmlZn.bat"
  PID: 2000
Depth 21: C:\Windows\system32\w32tm.exe
  command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 1480
Depth 21: C:\Windows\SysWOW64\hr-HR\audiodg.exe
  command line: "C:\Windows\SysWOW64\hr-HR\audiodg.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2364
Depth 22: C:\Windows\System32\cmd.exe
  command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rd8mWnFnEV.bat"
  PID: 1972
Depth 23: C:\Windows\system32\w32tm.exe
  command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 1596
Depth 1: C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\csrss.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1696
Depth 1: C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\csrss.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1036
Depth 1: C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\csrss.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 632
Depth 1: C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Program Files\Mozilla Firefox\sppsvc.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1920
Depth 1: C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\sppsvc.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2128
Depth 1: C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Program Files\Mozilla Firefox\sppsvc.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2344
Depth 1: C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1928
Depth 1: C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2440
Depth 1: C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2996
Depth 1: C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Windows\SysWOW64\hr-HR\audiodg.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2696
Depth 1: C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\SysWOW64\hr-HR\audiodg.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2968
Depth 1: C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Windows\SysWOW64\hr-HR\audiodg.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2704
Depth 1: C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Internet Explorer\SIGNUP\WmiPrvSE.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2880
Depth 1: C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\SIGNUP\WmiPrvSE.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2888
Depth 1: C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Internet Explorer\SIGNUP\WmiPrvSE.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2416
Depth 1: C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\providercommon\csrss.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1388
Depth 1: C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2596
Depth 1: C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2268
Depth 1: C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1904
Depth 1: C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1900
Depth 1: C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2144
Depth 1: C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\WmiPrvSE.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2372
Depth 1: C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\WmiPrvSE.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2508
Depth 1: C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\WmiPrvSE.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2132
Network
MITRE ATT&CK Enterprise v15
Downloads