Analysis

max time kernel: 148s
max time network: 155s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 30/12/2024, 17:09

Behavioral task behavioral1
Sample: JaffaCakes118_acfbdf8a1a79bb115900601b536b50c9215637691216bd7ef637fe4f773a2d01.exe
Resource: win7-20240903-en

Behavioral task behavioral2
Sample: JaffaCakes118_acfbdf8a1a79bb115900601b536b50c9215637691216bd7ef637fe4f773a2d01.exe
Resource: win10v2004-20241007-en

General

Target: JaffaCakes118_acfbdf8a1a79bb115900601b536b50c9215637691216bd7ef637fe4f773a2d01.exe
Size: 1.3MB
MD5: 41e4544fcbf1e1403903d27901b6eedb
SHA1: 95a3d3c6a244e74cffa420fa9dcc83a10e5472a5
SHA256: acfbdf8a1a79bb115900601b536b50c9215637691216bd7ef637fe4f773a2d01
SHA512: 15f32f44efc4a3238ae771b370b6c637821d4c778584babe2695e921244af077f259309e6cf3a85b384f34fc35a32ecbb0673025b32d0f15e7a53a3cb07e8e3b
SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
DcRat
DarkCrystal RAT (DCRat) is a .NET remote access trojan, active since June 2019, that can load additional plugins.

Dcrat family
Process spawned unexpected child process (12 IoCs)
This typically indicates the parent process was compromised via an exploit or macro. When the parent is WmiPrvSE.exe, as here, a process launched through WMI (Win32_Process.Create) is recorded with the WMI provider host as its parent, so this finding should be read together with the scheduled-task creation below rather than as evidence that WmiPrvSE.exe itself was exploited.

description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2852 | 2820 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1992 | 2820 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2576 | 2820 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2548 | 2820 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2652 | 2820 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2984 | 2820 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1720 | 2820 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 888 | 2820 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1516 | 2820 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1800 | 2820 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2064 | 2820 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1232 | 2820 | schtasks.exe | 35
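The two observations that make this run stand out on a process-creation log are the parent/child pairing (WmiPrvSE.exe spawning schtasks.exe, WScript.exe dropping into cmd.exe) and the use of system-binary names such as services.exe and conhost.exe for files that live outside System32. Both can be checked mechanically. The following is an added example written for this page, not code from the sandbox or from any vendor: the event records are constructed to mirror this report's process tree using Sysmon Event ID 1 field names, the svchost.exe record is invented for contrast, and the baseline of expected children is an assumption to tune per environment.

```python
"""Two checks over process-creation events: parent/child pairs a baseline
does not expect, and system-binary names running from (or dropped to)
paths outside the Windows system directories.

Added example by the editor; not part of the sandbox report. EVENTS and
DROPPED are constructed from the report's process tree and file-drop
list; the svchost.exe record is invented for contrast.
"""
from pathlib import PureWindowsPath

# Baseline (editor's assumption): parents that should only ever spawn the
# listed children. Matching is by file name, so a masquerading services.exe
# is held to the same rule as the real one.
EXPECTED_CHILDREN = {
    "wmiprvse.exe": set(),       # WMI provider host: never console tools
    "wscript.exe": set(),        # script host -> cmd.exe is a loader pattern
    "services.exe": {"svchost.exe", "spoolsv.exe", "lsass.exe"},
}

# File names that belong only to binaries directly inside System32/SysWOW64.
SYSTEM_ONLY = {"services.exe", "conhost.exe", "taskhost.exe", "audiodg.exe", "schtasks.exe"}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_acfbdf8a1a79bb115900601b536b50c9215637691216bd7ef637fe4f773a2d01.exe"
DROPPER = r"C:\providercommon\DllCommonsvc.exe"
FAKE_SERVICES = r"C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\services.exe"

# Constructed records (Sysmon Event ID 1 field names) following the report's tree.
EVENTS = [
    {"ProcessId": 1760, "ParentProcessId": 548,  "Image": r"C:\Windows\SysWOW64\WScript.exe", "ParentImage": SAMPLE},
    {"ProcessId": 1808, "ParentProcessId": 1760, "Image": r"C:\Windows\SysWOW64\cmd.exe",     "ParentImage": r"C:\Windows\SysWOW64\WScript.exe"},
    {"ProcessId": 2660, "ParentProcessId": 1808, "Image": DROPPER,                             "ParentImage": r"C:\Windows\SysWOW64\cmd.exe"},
    {"ProcessId": 896,  "ParentProcessId": 2660, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "ParentImage": DROPPER},
    {"ProcessId": 1352, "ParentProcessId": 2660, "Image": r"C:\Windows\System32\cmd.exe",     "ParentImage": DROPPER},
    {"ProcessId": 2852, "ParentProcessId": 2820, "Image": r"C:\Windows\system32\schtasks.exe", "ParentImage": r"C:\Windows\system32\wbem\wmiprvse.exe"},
    {"ProcessId": 2000, "ParentProcessId": 1352, "Image": FAKE_SERVICES,                       "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"ProcessId": 880,  "ParentProcessId": 2000, "Image": r"C:\Windows\System32\cmd.exe",     "ParentImage": FAKE_SERVICES},
    # Invented benign record: the genuine services.exe starting a service host.
    {"ProcessId": 1300, "ParentProcessId": 600,  "Image": r"C:\Windows\System32\svchost.exe", "ParentImage": r"C:\Windows\System32\services.exe"},
]

# The four executables the report lists under "Drops file in ... directory".
DROPPED = [
    r"C:\Windows\System32\slmgr\0C0A\conhost.exe",
    r"C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\audiodg.exe",
    r"C:\Program Files\Windows Photo Viewer\taskhost.exe",
    FAKE_SERVICES,
]


def _name(path):
    return PureWindowsPath(path).name.lower()


def _in_system_dir(path):
    # Parent directory must be System32/SysWOW64 itself, not a subfolder
    # such as System32\slmgr\0C0A.
    return str(PureWindowsPath(path).parent).lower() in SYSTEM_DIRS


def unexpected_children(events, baseline=EXPECTED_CHILDREN):
    """(parent pid, parent name, child pid, child name) for each spawn the baseline forbids."""
    hits = []
    for e in events:
        parent, child = _name(e["ParentImage"]), _name(e["Image"])
        if parent in baseline and child not in baseline[parent]:
            hits.append((e["ParentProcessId"], parent, e["ProcessId"], child))
    return hits


def masquerading(paths):
    """Paths whose file name is a system binary's but whose directory is not a system directory."""
    return [p for p in paths if _name(p) in SYSTEM_ONLY and not _in_system_dir(p)]


def chain(events, pid):
    """Image names from the root of the recorded ancestry down to pid."""
    by_pid = {e["ProcessId"]: e for e in events}
    names, last = [], None
    while pid in by_pid:
        last = by_pid[pid]
        names.append(_name(last["Image"]))
        pid = last["ParentProcessId"]
    if last is not None:               # the top parent is only known by its image
        names.append(_name(last["ParentImage"]))
    return list(reversed(names))


if __name__ == "__main__":
    for hit in unexpected_children(EVENTS):
        print("unexpected child:", hit)
    for path in masquerading([e["Image"] for e in EVENTS] + DROPPED):
        print("masquerading system name:", path)
    print(" -> ".join(chain(EVENTS, 896)))
```

The parent baseline is keyed on file name on purpose: the services.exe in C:\MSOCache spawning cmd.exe trips the same rule as the genuine one would, and the path check then tells the two apart. Note that the conhost.exe drop sits inside a subfolder of System32, which is why the check compares the immediate parent directory rather than testing for a System32 prefix.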
resource | yara_rule
behavioral1/files/0x0008000000016d36-9.dat | dcrat
behavioral1/memory/2660-13-0x00000000008A0000-0x00000000009B0000-memory.dmp | dcrat
behavioral1/memory/2000-59-0x0000000000280000-0x0000000000390000-memory.dmp | dcrat
behavioral1/memory/2612-118-0x0000000000290000-0x00000000003A0000-memory.dmp | dcrat
behavioral1/memory/2884-178-0x0000000001050000-0x0000000001160000-memory.dmp | dcrat
behavioral1/memory/1040-474-0x0000000000070000-0x0000000000180000-memory.dmp | dcrat
behavioral1/memory/1376-534-0x0000000000AD0000-0x0000000000BE0000-memory.dmp | dcrat
behavioral1/memory/1628-594-0x0000000000C90000-0x0000000000DA0000-memory.dmp | dcrat
Command and Scripting Interpreter: PowerShell (1 TTP, 5 IoCs)
PowerShell was run to modify Windows Defender settings by adding exclusions; the technique covers file extensions, paths and processes. In this run every call is Add-MpPreference -ExclusionPath naming one of the dropped executables, so Defender skips exactly the files the scheduled tasks below will launch.

pid | Process
896 | powershell.exe
1948 | powershell.exe
1652 | powershell.exe
2520 | powershell.exe
2264 | powershell.exe
Executes dropped EXE (11 IoCs)

pid | Process
2660 | DllCommonsvc.exe
2000 | services.exe
2612 | services.exe
2884 | services.exe
2124 | services.exe
1928 | services.exe
1768 | services.exe
1000 | services.exe
1040 | services.exe
1376 | services.exe
1628 | services.exe
Loads dropped DLL (2 IoCs)

pid | Process
1808 | cmd.exe
1808 | cmd.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTP, 11 IoCs)

ioc | flows
raw.githubusercontent.com | 4, 5, 9, 12, 16, 19, 22, 26, 29, 33, 36
Drops file in System32 directory (2 IoCs)

description | ioc | Process
File created | C:\Windows\System32\slmgr\0C0A\conhost.exe | DllCommonsvc.exe
File created | C:\Windows\System32\slmgr\0C0A\088424020bedd6 | DllCommonsvc.exe
Drops file in Program Files directory (5 IoCs)

description | ioc | Process
File created | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\audiodg.exe | DllCommonsvc.exe
File opened for modification | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\audiodg.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\42af1c969fbb7b | DllCommonsvc.exe
File created | C:\Program Files\Windows Photo Viewer\taskhost.exe | DllCommonsvc.exe
File created | C:\Program Files\Windows Photo Viewer\b75386f1303e64 | DllCommonsvc.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage or optical drives.
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of the victim host in order to infer its geographical location.

description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_acfbdf8a1a79bb115900601b536b50c9215637691216bd7ef637fe4f773a2d01.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Scheduled Task/Job: Scheduled Task (1 TTP, 12 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution. Here three tasks are registered for each of the four dropped executables: one minute-interval task, one ONLOGON task with /rl HIGHEST, and a second minute-interval task with /rl HIGHEST (see the schtasks.exe command lines in the process list).

pid | Process
2852 | schtasks.exe
1992 | schtasks.exe
2652 | schtasks.exe
2984 | schtasks.exe
1720 | schtasks.exe
2064 | schtasks.exe
2576 | schtasks.exe
2548 | schtasks.exe
888 | schtasks.exe
1516 | schtasks.exe
1800 | schtasks.exe
1232 | schtasks.exe
Suspicious behavior: EnumeratesProcesses (16 IoCs)

pid | Process
2660 | DllCommonsvc.exe
2264 | powershell.exe
1948 | powershell.exe
1652 | powershell.exe
896 | powershell.exe
2520 | powershell.exe
2000 | services.exe
2612 | services.exe
2884 | services.exe
2124 | services.exe
1928 | services.exe
1768 | services.exe
1000 | services.exe
1040 | services.exe
1376 | services.exe
1628 | services.exe
Suspicious use of AdjustPrivilegeToken (16 IoCs)

description | pid | Process
Token: SeDebugPrivilege | 2660 | DllCommonsvc.exe
Token: SeDebugPrivilege | 2264 | powershell.exe
Token: SeDebugPrivilege | 1948 | powershell.exe
Token: SeDebugPrivilege | 1652 | powershell.exe
Token: SeDebugPrivilege | 896 | powershell.exe
Token: SeDebugPrivilege | 2520 | powershell.exe
Token: SeDebugPrivilege | 2000 | services.exe
Token: SeDebugPrivilege | 2612 | services.exe
Token: SeDebugPrivilege | 2884 | services.exe
Token: SeDebugPrivilege | 2124 | services.exe
Token: SeDebugPrivilege | 1928 | services.exe
Token: SeDebugPrivilege | 1768 | services.exe
Token: SeDebugPrivilege | 1000 | services.exe
Token: SeDebugPrivilege | 1040 | services.exe
Token: SeDebugPrivilege | 1376 | services.exe
Token: SeDebugPrivilege | 1628 | services.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Identical rows are collapsed; the last column gives how many times each write was recorded.

description | pid | Process | procid_target | events
PID 548 wrote to memory of 1760 | 548 | JaffaCakes118_acfbdf8a1a79bb115900601b536b50c9215637691216bd7ef637fe4f773a2d01.exe | 31 | 4
PID 1760 wrote to memory of 1808 | 1760 | WScript.exe | 32 | 4
PID 1808 wrote to memory of 2660 | 1808 | cmd.exe | 34 | 4
PID 2660 wrote to memory of 896 | 2660 | DllCommonsvc.exe | 48 | 3
PID 2660 wrote to memory of 2264 | 2660 | DllCommonsvc.exe | 49 | 3
PID 2660 wrote to memory of 1948 | 2660 | DllCommonsvc.exe | 50 | 3
PID 2660 wrote to memory of 1652 | 2660 | DllCommonsvc.exe | 51 | 3
PID 2660 wrote to memory of 2520 | 2660 | DllCommonsvc.exe | 53 | 3
PID 2660 wrote to memory of 1352 | 2660 | DllCommonsvc.exe | 58 | 3
PID 1352 wrote to memory of 1644 | 1352 | cmd.exe | 60 | 3
PID 1352 wrote to memory of 2000 | 1352 | cmd.exe | 61 | 3
PID 2000 wrote to memory of 880 | 2000 | services.exe | 62 | 3
PID 880 wrote to memory of 1564 | 880 | cmd.exe | 64 | 3
PID 880 wrote to memory of 2612 | 880 | cmd.exe | 65 | 3
PID 2612 wrote to memory of 628 | 2612 | services.exe | 66 | 3
PID 628 wrote to memory of 2880 | 628 | cmd.exe | 68 | 3
PID 628 wrote to memory of 2884 | 628 | cmd.exe | 69 | 3
PID 2884 wrote to memory of 844 | 2884 | services.exe | 70 | 3
PID 844 wrote to memory of 2828 | 844 | cmd.exe | 72 | 3
PID 844 wrote to memory of 2124 | 844 | cmd.exe | 73 | 3
PID 2124 wrote to memory of 544 | 2124 | services.exe | 74 | 1
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

Each entry gives its depth in the process tree (1 = root), the image path, the command line, the PID and the signatures it triggered.

1 | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_acfbdf8a1a79bb115900601b536b50c9215637691216bd7ef637fe4f773a2d01.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_acfbdf8a1a79bb115900601b536b50c9215637691216bd7ef637fe4f773a2d01.exe"
    PID: 548
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
2 | C:\Windows\SysWOW64\WScript.exe
    cmdline: "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
    PID: 1760
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
3 | C:\Windows\SysWOW64\cmd.exe
    cmdline: cmd /c ""C:\providercommon\1zu9dW.bat" "
    PID: 1808
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
4 | C:\providercommon\DllCommonsvc.exe
    cmdline: "C:\providercommon\DllCommonsvc.exe"
    PID: 2660
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
5 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
    PID: 896
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
5 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\audiodg.exe'
    PID: 2264
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
5 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\services.exe'
    PID: 1948
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
5 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Photo Viewer\taskhost.exe'
    PID: 1652
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
5 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\slmgr\0C0A\conhost.exe'
    PID: 2520
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
5 | C:\Windows\System32\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ljB2CZO3KL.bat"
    PID: 1352
    - Suspicious use of WriteProcessMemory
6 | C:\Windows\system32\w32tm.exe
    cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 1644
6 | C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\services.exe
    cmdline: "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\services.exe"
    PID: 2000
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
7 | C:\Windows\System32\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8t4fMT0wY0.bat"
    PID: 880
    - Suspicious use of WriteProcessMemory
8 | C:\Windows\system32\w32tm.exe
    cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 1564
8 | C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\services.exe
    cmdline: "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\services.exe"
    PID: 2612
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
9 | C:\Windows\System32\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mMyBvdYgq2.bat"
    PID: 628
    - Suspicious use of WriteProcessMemory
10 | C:\Windows\system32\w32tm.exe
    cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 2880
10 | C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\services.exe
    cmdline: "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\services.exe"
    PID: 2884
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
11 | C:\Windows\System32\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IVqzzTSBcr.bat"
    PID: 844
    - Suspicious use of WriteProcessMemory
12 | C:\Windows\system32\w32tm.exe
    cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 2828
12 | C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\services.exe
    cmdline: "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\services.exe"
    PID: 2124
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
13 | C:\Windows\System32\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zlkj4ltLQI.bat"
    PID: 544
14 | C:\Windows\system32\w32tm.exe
    cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 2204
14 | C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\services.exe
    cmdline: "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\services.exe"
    PID: 1928
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
15 | C:\Windows\System32\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NfeiSKMyn5.bat"
    PID: 2604
16 | C:\Windows\system32\w32tm.exe
    cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 1508
16 | C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\services.exe
    cmdline: "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\services.exe"
    PID: 1768
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
17 | C:\Windows\System32\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\avPRQTW9Zy.bat"
    PID: 2788
18 | C:\Windows\system32\w32tm.exe
    cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 888
18 | C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\services.exe
    cmdline: "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\services.exe"
    PID: 1000
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
19 | C:\Windows\System32\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\00pP7nIBMq.bat"
    PID: 2600
20 | C:\Windows\system32\w32tm.exe
    cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 1900
20 | C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\services.exe
    cmdline: "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\services.exe"
    PID: 1040
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
21 | C:\Windows\System32\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\F4MZx53eLu.bat"
    PID: 2988
22 | C:\Windows\system32\w32tm.exe
    cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 652
22 | C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\services.exe
    cmdline: "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\services.exe"
    PID: 1376
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
23 | C:\Windows\System32\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jddtUB3Qwl.bat"
    PID: 2876
24 | C:\Windows\system32\w32tm.exe
    cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 2036
24 | C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\services.exe
    cmdline: "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\services.exe"
    PID: 1628
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
25 | C:\Windows\System32\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TEfATY8not.bat"
    PID: 1380
26 | C:\Windows\system32\w32tm.exe
    cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 2972
1 | C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\audiodg.exe'" /f
    PID: 2852
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
1 | C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\audiodg.exe'" /rl HIGHEST /f
    PID: 1992
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
1 | C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\audiodg.exe'" /rl HIGHEST /f
    PID: 2576
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
1 | C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\services.exe'" /f
    PID: 2548
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
1 | C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
    PID: 2652
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
1 | C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
    PID: 2984
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
1 | C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Photo Viewer\taskhost.exe'" /f
    PID: 1720
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
1 | C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\taskhost.exe'" /rl HIGHEST /f
    PID: 888
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
1 | C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Photo Viewer\taskhost.exe'" /rl HIGHEST /f
    PID: 1516
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
1 | C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Windows\System32\slmgr\0C0A\conhost.exe'" /f
    PID: 1800
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
1 | C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\System32\slmgr\0C0A\conhost.exe'" /rl HIGHEST /f
    PID: 2064
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
1 | C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Windows\System32\slmgr\0C0A\conhost.exe'" /rl HIGHEST /f
    PID: 1232
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
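The twelve schtasks.exe invocations above are the persistence layer of this run, and the pattern (three tasks per payload, task names that are the payload's file name with a letter appended, minute-level intervals, /rl HIGHEST) is easier to see once the command lines are parsed rather than read. The following is an added example by the editor, not code from the sandbox or from any tool it names: the command lines are copied from the process list above, while the tokenizer, the Task record and the "suspicious" heuristics are the editor's own and are tuned to this sample rather than to schtasks in general.

```python
"""Parse `schtasks.exe /create` command lines from a sandbox process list and
summarise the persistence they establish.

Added example by the editor; not part of the sandbox report. The command
lines are copied from the report; the parser and heuristics are the editor's.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Optional

SCHTASKS_CMDLINES = [
    r'''schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\audiodg.exe'" /f''',
    r'''schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\audiodg.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\audiodg.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\services.exe'" /f''',
    r'''schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Photo Viewer\taskhost.exe'" /f''',
    r'''schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\taskhost.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Photo Viewer\taskhost.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Windows\System32\slmgr\0C0A\conhost.exe'" /f''',
    r'''schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\System32\slmgr\0C0A\conhost.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Windows\System32\slmgr\0C0A\conhost.exe'" /rl HIGHEST /f''',
]

# A /flag, optionally followed by one value: a double-quoted string (which
# may wrap a single-quoted path, as schtasks tolerates) or a bare token that
# does not itself start with '/'.
TOKEN_RE = re.compile(r'/(?P<flag>\w+)(?:\s+(?P<val>"[^"]*"|[^\s/][^\s]*))?')


@dataclass
class Task:
    name: Optional[str]
    schedule: str              # MINUTE, ONLOGON, ...
    modifier: Optional[int]    # /mo value, only meaningful for interval schedules
    target: Optional[str]      # /tr with surrounding quotes removed
    run_level: Optional[str]   # /rl value, None when absent (schtasks defaults to LIMITED)
    force: bool                # /f present


def _unquote(value):
    if value is None:
        return None
    value = value.strip()
    while len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
        value = value[1:-1].strip()
    return value


def parse_schtasks(cmdline):
    """Task for a /create command line, None for any other schtasks use."""
    opts = {m.group("flag").lower(): _unquote(m.group("val")) for m in TOKEN_RE.finditer(cmdline)}
    if "create" not in opts:
        return None
    return Task(
        name=opts.get("tn"),
        schedule=(opts.get("sc") or "").upper(),
        modifier=int(opts["mo"]) if opts.get("mo") else None,
        target=opts.get("tr"),
        run_level=opts["rl"].upper() if opts.get("rl") else None,
        force="f" in opts,
    )


def flags(task):
    """Editor's heuristics for this sample's style of persistence."""
    reasons = []
    if task.run_level == "HIGHEST":
        reasons.append("runs elevated (/rl HIGHEST)")
    if task.schedule == "MINUTE" and task.modifier is not None and task.modifier <= 15:
        reasons.append(f"re-launches every {task.modifier} min")
    if task.target and task.name:
        stem = PureWindowsPath(task.target).stem.lower()
        if task.name.lower().startswith(stem) and len(task.name) - len(stem) <= 1:
            reasons.append("task name derived from payload file name")
    return reasons


def persistence_summary(cmdlines):
    """Target executable -> list of Tasks that launch it."""
    by_target = defaultdict(list)
    for c in cmdlines:
        task = parse_schtasks(c)
        if task is not None:
            by_target[task.target].append(task)
    return dict(by_target)


if __name__ == "__main__":
    for target, tasks in persistence_summary(SCHTASKS_CMDLINES).items():
        print(target)
        for t in tasks:
            print(f"    {t.name:<10} {t.schedule:<8} mo={t.modifier} rl={t.run_level}  {'; '.join(flags(t))}")
```

The summary groups the twelve tasks into four targets with three tasks each; on a live host the same grouping over `schtasks /query /fo CSV /v` output, or over the XML under C:\Windows\System32\Tasks, is what to compare against the dropped-file paths when cleaning up.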
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: a7806f73e9ca4a40f74e962e4e2e9fcb
  SHA1: 684316e9bc3775ac8606cbbb3a2e758c66beef50
  SHA256: ebcb1c48bb84a607faa122b0ad43836da7b2e3f0a7a2e9b54ffb8486ebcc1821
  SHA512: 4ba735eed9bd6788aefd32dcd2d6c1eace55e2cb80c5380b27296eedc29c3ea7f22eaaf36c813509b932d269e83a67fd127ea6217b1c0d446b967daae9913711

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 7a93fddc82bbc5004b42bddea48e6b53
  SHA1: af2f529ec021780c41a5d883bf426b31b9dd4c0c
  SHA256: 5e6bf96a5d6ea5959bf8f8c5b16e930d63d3f5865dadf1bb25ecfc57768d6435
  SHA512: b58161480807c731dbcf70e164eaa02f381876bbe0c0efb9bf3058a77962dc53422dbf80473adc811da2c3597e297a5d70a9bb2f5d0b34ef7f4256725528d405

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: cae34eb33059b91922a9137988fd9997
  SHA1: 341d767b7a7e3ec4ff4941b038f1bd6f56863e3e
  SHA256: 3ba357674f82e6de5114e434c2a52c8074efd3fb08e0e1e3e35f49dc826ab08b
  SHA512: bba7e4a514c7a13fef1207a9ae8d708674ae40bbaf29ba5865cdf3aac780949de9b069d21845c7c9245a7f3179a165481a9559afdb21bf0fb00b39c72b2f131d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 4e982bed8431a7f5601af1d23d3d4c19
  SHA1: 87662ee994eef440416ba68e1921ba09cd139840
  SHA256: 0b142ec04837899351d652897878cd8d61846d598a868bfcfe440ae7c538d359
  SHA512: 20641ec6186d9d928498f21fc39e3fa683626346f1bfc0456509d6f01102897406cb1331d82141b615399165d187393ef98202ec206d510c1aff2fa88c27a14d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 4b48c938cb43249e89ed8fde5e596aef
  SHA1: 1dc025549b072e5e8200d344b5a4d6a610129934
  SHA256: dc784cdb23d087103d532c0f44d8aa08c45c11782598156ab718430c899fc0ba
  SHA512: 4b25a675e39213be8c15a04d78d9d752cc0ec9351f2074a74d4f87eb5d85b1d5910d3340751b52ff07fc2905001e37f8bee509308ee55fa5d01419acbac0688a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: deaf067ff39eb8990b397500e01d8b52
  SHA1: f4b591f9136fef4bc68e9759412c9c1e98016aa0
  SHA256: 9d80290eb390fac98ace27e7cae5ed86fdf488ccbabef8356a81724b8aaddfc7
  SHA512: 2a852b4dad3dd3abae6bc0a2f5ea877bcfd2f82fcd1c5ccbcc290ff27a32f185822294f8c8396f1573770a119163a9b28b2ff26115374c2b02c447473f2ffb1a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 35b1fb9adf6ff49e2a8bc00bb68dab74
  SHA1: aa035ce48f602d209a20c61cfe065de85ae758fc
  SHA256: 5f834b3b78b42bab9973d4fb3b6e1c650acd599ae5b8342c7aa3e1c9b7278428
  SHA512: bc57c48d88a978254d4b0acd35ebec0873a15afc44cf18ced75019b40022ab6f9a8715ed96b31434173d75414ddafb23ae35b129e174acc7cae27c78acc1be2b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 39b223928e59ef9c2e6bb618467b55b7
  SHA1: 11afb955ea0eec06927498e33edba2ea074515e5
  SHA256: 800aac2d12afb1129c1615f46f57a816677d9751097db0e31768feeff396a6e4
  SHA512: 4aadd16264fcf7ef0969ab11e1ca61705ac047ff1aed2dac72a36a4d6bc22768535d2444facf85e85b553c592ae6d4d07053bf15d5a1ad127e043c9ea0e13489

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: a1925bf7828632e3cd892cd50f74d516
  SHA1: 098d9c968b2ac696f187f582680085029871fc9e
  SHA256: af08f9747def3fe7a709ed08b996ff0180dc9b89b735e993dff21ae6cdc2b9ce
  SHA512: 7ccccb13751fccd625644a12c0a83d683ac7a16af109103c3b48b02ef7149ea3c41fea075863f6845585a666d1a2e80f99fb26a6a8c134a706bf8edc38587f48

(path not listed)
  Filesize: 240B
  MD5: b2321112bcbc000159c1693731cdd505
  SHA1: d6d042fc0cde7111f03be2f53f60bcc84f01a767
  SHA256: d8d1403ade2dd26a843efe2b7243a8f92f3b7f23acf53d970b89cf8998c3a928
  SHA512: 7c2b477b63569b929ecafdd8068600fdace9a12452d0b9dbf3787916f1b06000f53fc03d25a0da364b805e0650d831c1ad8f328e2c953e508a706a5b56c3a74c

(path not listed)
  Filesize: 240B
  MD5: 11be449907430abdb96a50dcf90fc190
  SHA1: 87fd68413fa1f8bd00e679756c1ea81cc0d85a59
  SHA256: fffc02d2d113b9418d367bef61174653c8109f1ad755f4986c3ea384985aa597
  SHA512: ef6409d4a880fe5cfb29fc4d094f02fbce886593b2b8c86363076bb61c7c875f3de556be1ea64bf28c7adefdee185294129430f1c4158d9e3322526e07b29fc9

(path not listed)
  Filesize: 70KB
  MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
  SHA1: 1723be06719828dda65ad804298d0431f6aff976
  SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
  SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

(path not listed)
  Filesize: 240B
  MD5: 8ed29f5bd01321b2b399d404e4ddb5b3
  SHA1: 8c3f427e8c791476bc6a0d1ebb851c8b3d961d7b
  SHA256: d70f1865406054006572a3f19a836f36690e77bb297ca55f12ed52a61cf6fba9
  SHA512: 17789e6e421aed6c8ed456f6dd8c2fe48996d2f8cf8923268c0e6e74a01b470caef8ba9e0864565956c284db4e3b7508a58692196ce2aeb8ccfde033f7315a22

(path not listed)
  Filesize: 240B
  MD5: a91b5e15f8da5f79ec6714748ccdb40e
  SHA1: 4dbde55467952edbd8ad6c83c897afb4b532140f
  SHA256: e5666691569a02ce459173daebdc8b660b9fb084112ec4fa42972e0e6b4b6bd2
  SHA512: a9bc713c6540b87a9bc14b4545b6536ec1724977bcc2e5815640554338372bb9e53d74474c6eae7f7ae68e8218e25131ed02e93f878437d7277d6c87ed414b0e

(path not listed)
  Filesize: 240B
  MD5: 636d3fc8f5944db918f01c3ed474edab
  SHA1: 1a1c04277531e4f10d49a7e1da6ae9177d1f7771
  SHA256: 6edbf1ebf9ad3a4dc2cb2239595ca835a99d489246ffa0d5b783ff01a8bbc92b
  SHA512: 6ad03bfd6d36900660b7b6d4a0d161f2600af032ff2f0ac8f400f246f0bcc29fe43c29a1b382d12291032ac89d91791ab1b84f54ad5d7f15fda91f14e513ec45

(path not listed)
  Filesize: 240B
  MD5: b7947fa2507782009ea39ed18f9e3318
  SHA1: db551b012b5c5dce6e8a11056e5597d1fd28a682
  SHA256: 216da628cfd44a6c5238bcac9f5e389e7defe94c3423d36269464e121f9aa59c
  SHA512: d3f8e240ce306e6355eb07218305151f283a9f961e24d36dbcee30a381914da242ef8ee279076abc8bb933aa35691713b5c84dc00cd1bceae6f50ef7f1b5ae24

(path not listed)
  Filesize: 181KB
  MD5: 4ea6026cf93ec6338144661bf1202cd1
  SHA1: a1dec9044f750ad887935a01430bf49322fbdcb7
  SHA256: 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
  SHA512: 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

(path not listed)
  Filesize: 240B
  MD5: c7e1694e64a4f4d42fa8a1a2600a9f3f
  SHA1: 0f7cdbbd223af55c34f4849b1a3e30cc1d87ffd9
  SHA256: 6173fdfd24cf7e53c0dfcf65dc79dc836dfceda1dfe43604ec2099aa3d00d7b9
  SHA512: 9597479d4d2b2abdab1eaa0b94b1e6e1862824363a25391a9a836bee9889c81d3d16ad3db9dac30296c8261320893a6f4d6d377f482de10f4aa70a6dd00372e7

(path not listed)
  Filesize: 240B
  MD5: 81fa8842ec7cf775e728816ce8e829ba
  SHA1: 5b310c002c847bdb13d9febd0cdd1cfc4717cb3d
  SHA256: e17d252c39ed86ff30262afd2013ef2124e08f4a9d2d60a4dfad454f6bb82d34
  SHA512: e95c9c15e7f18021ab168b4177fb5dc3007bd1d6d8c977ab80029f1d8c6d9641f3bc31590397a8a909cbcf7539950dc201fe07f912c3a6ba24e2ed85d00918db

(path not listed)
  Filesize: 240B
  MD5: fc75b72f1498744d07a85dbf0dc2d6b4
  SHA1: 848c151730a89ee5c91ea302848e1e0326a5d7d3
  SHA256: 87a8b1a2d9df2afaf02a872413a80751728b716346ec34e5a3220405f0022648
  SHA512: 42c55dd8869bb8cf01b2566e80699f3d0f8a1e5ea5e510616014f43ca3aaef18af82877067aa3d452e350f11a65c0230940d714a75fa676257c4a1ea5e3bddc1

(path not listed)
  Filesize: 240B
  MD5: 95f585d2178ba0da125c656ca7c765ef
  SHA1: 849f675256d06633cde406a76c10db03e2c1273e
  SHA256: ff6ca5daa273239cd6ac6ca07c76ecdbf074431015d5fb6bdc1768d48c112de5
  SHA512: 0fa2c3d98f33ad44ae0220ccb555fe8764e09002e2e7fc8481f04d1954ec592a5bc39143b59a72633c4f36180fb87cb54626177450eb108ebb4eea7cfc4f2dab

(path not listed)
  Filesize: 240B
  MD5: 8b24682b5f8da79cee38145d18747b30
  SHA1: 6b5a4d44438b751bb7b0db659d9b969e5b3a7ec3
  SHA256: d2c74eadc2b6ca5936c37b2d6504ccaa6205b199394a860c530f6d7815880d50
  SHA512: f4c163d9906f414b1e518c6ed5b8f92695ff55d81b3aa455a40fa75344d87c884e67679e847c5af18344f194306f05e6833b52cfa0ef08f1931c91249f95298d

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: 9e6c88d6539580043bc564dab51303af
  SHA1: c1a622dfb17cd6ff61325e47e042d0bbe45ecde9
  SHA256: ae35f060afee313791e8f1590a2569ca21b458dda5a062d87941a64fdc9193b0
  SHA512: eed7c289e41f62a8cc5b2f2dce40058d2f685424e5af717134670723da53334f5b6ead506bf789c02dce01cc6bb7f33fc2afd5d5a97a4558a80b48773b910c8d

(path not listed)
  Filesize: 36B
  MD5: 6783c3ee07c7d151ceac57f1f9c8bed7
  SHA1: 17468f98f95bf504cc1f83c49e49a78526b3ea03
  SHA256: 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
  SHA512: c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

(path not listed)
  Filesize: 197B
  MD5: 8088241160261560a02c84025d107592
  SHA1: 083121f7027557570994c9fc211df61730455bb5
  SHA256: 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
  SHA512: 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

(path not listed)
  Filesize: 1.0MB
  MD5: bd31e94b4143c4ce49c17d3af46bcad0
  SHA1: f8c51ff3ff909531d9469d4ba1bbabae101853ff
  SHA256: b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
  SHA512: f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394