Analysis
-
max time kernel: 148s
max time network: 144s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted: 30/12/2024, 17:18
Behavioral task
behavioral1
Sample
JaffaCakes118_20bb14fded0029e7840c9ced7efb17e0293f6069ea6d8d387b8c033eb0c97177.exe
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
JaffaCakes118_20bb14fded0029e7840c9ced7efb17e0293f6069ea6d8d387b8c033eb0c97177.exe
Resource
win10v2004-20241007-en
General
-
Target
JaffaCakes118_20bb14fded0029e7840c9ced7efb17e0293f6069ea6d8d387b8c033eb0c97177.exe
-
Size
1.3MB
-
MD5
9e7d29317f6125aec032fdcbe57e757c
-
SHA1
494b26f63d453179ad8d747926254fcb14135f20
-
SHA256
20bb14fded0029e7840c9ced7efb17e0293f6069ea6d8d387b8c033eb0c97177
-
SHA512
60f47c0a04c85034719ee49aa8bac9bca6799d67dbeab0b0dd6f3f9fad605dac977a286544a66ea0d326296ecf350f80d669d65ca86848dcd4899fa9037a8e29
-
SSDEEP
24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal (DC) RAT is a .NET remote access trojan, active since June 2019, that can load additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 21 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description: Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process (identical for all 21 rows)
pid_target: 2864 | Process: schtasks.exe | procid_target: 34 (identical for all 21 rows)
pid: 2692, 2728, 2476, 2088, 2764, 2360, 2308, 1420, 332, 2528, 568, 3012, 2996, 2460, 448, 1048, 652, 784, 1132, 832, 676
-
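The parent/child relation is the signal in this signature: wmiprvse.exe is the WMI provider host, and a process it starts was requested through WMI (Win32_Process.Create), which is why all 21 schtasks.exe instances share a parent that never appears in the sample's own process tree further down. The Python below is an added example, not part of the sandbox report, showing how to express that expectation, together with two others visible in this run (w32tm /stripchart against localhost launched from cmd.exe, and Add-MpPreference launched by an arbitrary binary), as rules over process-creation events. The event records are constructed by hand from PIDs, image paths and command lines in this report plus a few benign look-alikes I made up for contrast; the field names imitate Sysmon Event ID 1, but nothing here was captured from a live host.

```python
"""Rule-based check for parent/child process pairs that should not occur.

Added example; not code from the sandbox that produced this report. The
sample events are hand-built from the PIDs, image paths and command lines
shown in the report. Field names imitate Sysmon Event ID 1, but nothing
here was captured from a live host.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str          # full path of the new process
    parent_image: str   # full path of the creator
    cmdline: str


@dataclass(frozen=True)
class Rule:
    name: str
    parent: str                       # parent image basename, or "*" for any parent
    child: str                        # child image basename
    cmdline_re: Optional[str] = None  # extra condition on the child's command line


RULES = [
    # wmiprvse.exe hosts WMI providers; a schtasks.exe child means the task was
    # created through WMI (Win32_Process.Create). That is how the 21 schtasks.exe
    # instances in the report end up with a parent that never appears in the tree.
    Rule("wmiprvse-spawns-schtasks", "wmiprvse.exe", "schtasks.exe"),
    # A time-sync stripchart against localhost has no administrative purpose; the
    # .bat files in the report run one as a short delay before relaunching Idle.exe.
    Rule("w32tm-as-sleep", "cmd.exe", "w32tm.exe",
         r"/stripchart\s+/computer:localhost"),
    # Defender exclusions come from an admin shell or management tooling; in this
    # run they come from an unsigned binary in C:\providercommon. "*" matches any
    # parent; a production rule would carry an allow-list of tooling parents.
    Rule("defender-exclusion-added", "*", "powershell.exe",
         r"Add-MpPreference\s+-Exclusion"),
]


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(events: List[ProcEvent], rules: List[Rule] = RULES) -> List[Tuple[str, int, int]]:
    """Return (rule name, child pid, parent pid) for each event a rule matches.

    Each event is judged on its own fields rather than through a pid -> image
    lookup table: pids are recycled within a run (the report shows pid 340 as
    w32tm.exe and later as Idle.exe, and pid 2960 first as DllCommonsvc.exe and
    later as cmd.exe), so a table keyed on pid alone would misattribute parents.
    """
    hits = []
    for ev in events:
        child, parent = _basename(ev.image), _basename(ev.parent_image)
        for rule in rules:
            if child != rule.child:
                continue
            if rule.parent != "*" and parent != rule.parent:
                continue
            if rule.cmdline_re and not re.search(rule.cmdline_re, ev.cmdline, re.IGNORECASE):
                continue
            hits.append((rule.name, ev.pid, ev.ppid))
    return hits


# Constructed sample: one made-up benign start of the WMI host, three records
# lifted from the report, and three benign look-alikes (same child images,
# legitimate use) made up for contrast.
SAMPLE_EVENTS = [
    ProcEvent(2864, 600, r"C:\Windows\system32\wbem\wmiprvse.exe",
              r"C:\Windows\system32\svchost.exe", "wmiprvse.exe -secured -Embedding"),
    ProcEvent(2692, 2864, r"C:\Windows\system32\schtasks.exe",
              r"C:\Windows\system32\wbem\wmiprvse.exe",
              'schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "\'C:\\Users\\Public\\Desktop\\System.exe\'" /f'),
    ProcEvent(340, 2176, r"C:\Windows\system32\w32tm.exe", r"C:\Windows\System32\cmd.exe",
              "w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2"),
    ProcEvent(1616, 2960, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\providercommon\DllCommonsvc.exe",
              "\"powershell\" -Command Add-MpPreference -ExclusionPath 'C:\\providercommon\\DllCommonsvc.exe'"),
    ProcEvent(4100, 4000, r"C:\Windows\system32\schtasks.exe", r"C:\Windows\System32\cmd.exe",
              "schtasks /query /fo LIST"),
    ProcEvent(4200, 4000, r"C:\Windows\system32\w32tm.exe", r"C:\Windows\System32\cmd.exe",
              "w32tm /query /status"),
    ProcEvent(4300, 4000, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\System32\cmd.exe", "powershell -Command Get-MpPreference"),
]

if __name__ == "__main__":
    for name, pid, ppid in evaluate(SAMPLE_EVENTS):
        print(f"{name}: pid {pid} (parent {ppid})")
```

Run against the sample, the three records taken from the report fire one rule each and the four benign records fire none. The rules key on image basenames and command-line regexes only, so they port directly to Sysmon, EDR or ETW process-creation telemetry; what will need tuning in production is the allow-list of parents for the Defender-exclusion rule.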
resource | yara_rule
behavioral1/files/0x0007000000018766-9.dat | dcrat
behavioral1/memory/2960-13-0x0000000001370000-0x0000000001480000-memory.dmp | dcrat
behavioral1/memory/2976-77-0x0000000000D70000-0x0000000000E80000-memory.dmp | dcrat
behavioral1/memory/2528-136-0x0000000001160000-0x0000000001270000-memory.dmp | dcrat
behavioral1/memory/2556-316-0x0000000000220000-0x0000000000330000-memory.dmp | dcrat
behavioral1/memory/3064-376-0x00000000009D0000-0x0000000000AE0000-memory.dmp | dcrat
behavioral1/memory/2408-436-0x0000000000A90000-0x0000000000BA0000-memory.dmp | dcrat
behavioral1/memory/340-496-0x0000000000CE0000-0x0000000000DF0000-memory.dmp | dcrat
behavioral1/memory/1960-556-0x0000000000F30000-0x0000000001040000-memory.dmp | dcrat
behavioral1/memory/2952-616-0x00000000011D0000-0x00000000012E0000-memory.dmp | dcrat
-
Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid | Process
1976, 2532, 1972, 1956, 1616, 1980, 2396, 2388 | powershell.exe
-
Executes dropped EXE 12 IoCs
pid | Process
2960 | DllCommonsvc.exe
2976, 2528, 2884, 340, 2556, 3064, 2408, 340, 1960, 2952, 2084 | Idle.exe
-
Loads dropped DLL 2 IoCs
pid | Process
2852 | cmd.exe (2 entries)
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs
flow | ioc
4, 5, 9, 13, 17, 20, 24, 27, 30, 33, 37 | raw.githubusercontent.com
-
Drops file in Program Files directory 6 IoCs
description | ioc | Process
File created | C:\Program Files\Microsoft Games\SpiderSolitaire\fr-FR\winlogon.exe | DllCommonsvc.exe
File created | C:\Program Files\Microsoft Games\SpiderSolitaire\fr-FR\cc11b995f2a76d | DllCommonsvc.exe
File created | C:\Program Files (x86)\Google\Temp\explorer.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\Google\Temp\7a0fd90576e088 | DllCommonsvc.exe
File created | C:\Program Files\Internet Explorer\en-US\audiodg.exe | DllCommonsvc.exe
File created | C:\Program Files\Internet Explorer\en-US\42af1c969fbb7b | DllCommonsvc.exe
-
Drops file in Windows directory 4 IoCs
description | ioc | Process
File created | C:\Windows\Web\Idle.exe | DllCommonsvc.exe
File created | C:\Windows\Web\6ccacd8608530f | DllCommonsvc.exe
File created | C:\Windows\tracing\services.exe | DllCommonsvc.exe
File created | C:\Windows\tracing\c5b4cb5e9653cc | DllCommonsvc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_20bb14fded0029e7840c9ced7efb17e0293f6069ea6d8d387b8c033eb0c97177.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 21 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
2088, 568, 448, 652, 2692, 2728, 2476, 2360, 2528, 784, 676, 2308, 2996, 2460, 1048, 832, 2764, 1420, 332, 3012, 1132 | schtasks.exe
-
Suspicious behavior: EnumeratesProcesses 20 IoCs
pid | Process
2960 | DllCommonsvc.exe
1976, 1980, 1956, 2388, 1616, 2532, 1972, 2396 | powershell.exe
2976, 2528, 2884, 340, 2556, 3064, 2408, 340, 1960, 2952, 2084 | Idle.exe
-
Suspicious use of AdjustPrivilegeToken 20 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2960 | DllCommonsvc.exe
Token: SeDebugPrivilege | 1976, 1980, 1956, 2388, 1616, 2532, 1972, 2396 | powershell.exe
Token: SeDebugPrivilege | 2976, 2528, 2884, 340, 2556, 3064, 2408, 340, 1960, 2952, 2084 | Idle.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target | identical entries
PID 2780 wrote to memory of 2152 | 2780 | JaffaCakes118_20bb14fded0029e7840c9ced7efb17e0293f6069ea6d8d387b8c033eb0c97177.exe | 30 | 4
PID 2152 wrote to memory of 2852 | 2152 | WScript.exe | 31 | 4
PID 2852 wrote to memory of 2960 | 2852 | cmd.exe | 33 | 4
PID 2960 wrote to memory of 1616 | 2960 | DllCommonsvc.exe | 56 | 3
PID 2960 wrote to memory of 1980 | 2960 | DllCommonsvc.exe | 57 | 3
PID 2960 wrote to memory of 2396 | 2960 | DllCommonsvc.exe | 58 | 3
PID 2960 wrote to memory of 2388 | 2960 | DllCommonsvc.exe | 59 | 3
PID 2960 wrote to memory of 1976 | 2960 | DllCommonsvc.exe | 60 | 3
PID 2960 wrote to memory of 2532 | 2960 | DllCommonsvc.exe | 61 | 3
PID 2960 wrote to memory of 1972 | 2960 | DllCommonsvc.exe | 62 | 3
PID 2960 wrote to memory of 1956 | 2960 | DllCommonsvc.exe | 63 | 3
PID 2960 wrote to memory of 2176 | 2960 | DllCommonsvc.exe | 68 | 3
PID 2176 wrote to memory of 340 | 2176 | cmd.exe | 74 | 3
PID 2176 wrote to memory of 2976 | 2176 | cmd.exe | 76 | 3
PID 2976 wrote to memory of 2628 | 2976 | Idle.exe | 77 | 3
PID 2628 wrote to memory of 3020 | 2628 | cmd.exe | 79 | 3
PID 2628 wrote to memory of 2528 | 2628 | cmd.exe | 80 | 3
PID 2528 wrote to memory of 1516 | 2528 | Idle.exe | 81 | 3
PID 1516 wrote to memory of 1940 | 1516 | cmd.exe | 83 | 3
PID 1516 wrote to memory of 2884 | 1516 | cmd.exe | 84 | 3
PID 2884 wrote to memory of 2960 | 2884 | Idle.exe | 85 | 1
The sandbox logged each write several times; the 64 entries collapse to the 21 distinct writer/target pairs above. Every target is the writer's own direct child in the process tree below, so these are the writes a parent makes into a freshly created child during process start-up, not injection into an unrelated process.
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
Each entry is labelled with its level in the tree; a level-N process is a child of the nearest level N-1 entry above it.
level 1   C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_20bb14fded0029e7840c9ced7efb17e0293f6069ea6d8d387b8c033eb0c97177.exe
          command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_20bb14fded0029e7840c9ced7efb17e0293f6069ea6d8d387b8c033eb0c97177.exe"
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
          PID: 2780
level 2   C:\Windows\SysWOW64\WScript.exe (the command line names System32; the 32-bit parent's request was redirected to SysWOW64 by WoW64 file-system redirection)
          command line: "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
          PID: 2152
level 3   C:\Windows\SysWOW64\cmd.exe
          command line: cmd /c ""C:\providercommon\1zu9dW.bat" "
          - Loads dropped DLL
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
          PID: 2852
level 4   C:\providercommon\DllCommonsvc.exe
          command line: "C:\providercommon\DllCommonsvc.exe"
          - Executes dropped EXE
          - Drops file in Program Files directory
          - Drops file in Windows directory
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          PID: 2960
level 5   C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 1616
level 5   C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Desktop\System.exe'
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 1980
level 5   C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Web\Idle.exe'
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 2396
level 5   C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\tracing\services.exe'
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 2388
level 5   C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\spoolsv.exe'
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 1976
level 5   C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Games\SpiderSolitaire\fr-FR\winlogon.exe'
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 2532
level 5   C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\Temp\explorer.exe'
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 1972
level 5   C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Internet Explorer\en-US\audiodg.exe'
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 1956
The rest of the tree is a relaunch loop: each Idle.exe instance runs cmd.exe /C on a randomly named .bat in %TEMP%; the batch runs w32tm /stripchart against localhost (apparently as a delay) and then starts C:\Windows\Web\Idle.exe again. Note the PID reuse within the run: 340 is first w32tm.exe and later Idle.exe twice, and 2960 (DllCommonsvc.exe at level 4) reappears as cmd.exe at level 11.
level 5   C:\Windows\System32\cmd.exe
          command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UbyABZCdRu.bat"
          - Suspicious use of WriteProcessMemory
          PID: 2176
level 6   C:\Windows\system32\w32tm.exe
          command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
          PID: 340
level 6   C:\Windows\Web\Idle.exe
          command line: "C:\Windows\Web\Idle.exe"
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          PID: 2976
level 7   C:\Windows\System32\cmd.exe
          command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qwBPskakqG.bat"
          - Suspicious use of WriteProcessMemory
          PID: 2628
level 8   C:\Windows\system32\w32tm.exe
          command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
          PID: 3020
level 8   C:\Windows\Web\Idle.exe
          command line: "C:\Windows\Web\Idle.exe"
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          PID: 2528
level 9   C:\Windows\System32\cmd.exe
          command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Pkopelt31u.bat"
          - Suspicious use of WriteProcessMemory
          PID: 1516
level 10  C:\Windows\system32\w32tm.exe
          command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
          PID: 1940
level 10  C:\Windows\Web\Idle.exe
          command line: "C:\Windows\Web\Idle.exe"
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          PID: 2884
level 11  C:\Windows\System32\cmd.exe
          command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6VGBOjzZtA.bat"
          PID: 2960
level 12  C:\Windows\system32\w32tm.exe
          command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
          PID: 264
level 12  C:\Windows\Web\Idle.exe
          command line: "C:\Windows\Web\Idle.exe"
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 340
level 13  C:\Windows\System32\cmd.exe
          command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Bf5uratM3O.bat"
          PID: 2936
level 14  C:\Windows\system32\w32tm.exe
          command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
          PID: 2712
level 14  C:\Windows\Web\Idle.exe
          command line: "C:\Windows\Web\Idle.exe"
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 2556
level 15  C:\Windows\System32\cmd.exe
          command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat"
          PID: 2384
level 16  C:\Windows\system32\w32tm.exe
          command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
          PID: 2876
level 16  C:\Windows\Web\Idle.exe
          command line: "C:\Windows\Web\Idle.exe"
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 3064
level 17  C:\Windows\System32\cmd.exe
          command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cRRFCwJQFV.bat"
          PID: 1680
level 18  C:\Windows\system32\w32tm.exe
          command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
          PID: 2188
level 18  C:\Windows\Web\Idle.exe
          command line: "C:\Windows\Web\Idle.exe"
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 2408
level 19  C:\Windows\System32\cmd.exe
          command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6xwNL0dL8Y.bat"
          PID: 2160
level 20  C:\Windows\system32\w32tm.exe
          command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
          PID: 2524
level 20  C:\Windows\Web\Idle.exe
          command line: "C:\Windows\Web\Idle.exe"
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 340
level 21  C:\Windows\System32\cmd.exe
          command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iMm147yiIR.bat"
          PID: 2404
level 22  C:\Windows\system32\w32tm.exe
          command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
          PID: 2432
level 22  C:\Windows\Web\Idle.exe
          command line: "C:\Windows\Web\Idle.exe"
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 1960
level 23  C:\Windows\System32\cmd.exe
          command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WYuyh03jyF.bat"
          PID: 652
level 24  C:\Windows\system32\w32tm.exe
          command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
          PID: 1952
level 24  C:\Windows\Web\Idle.exe
          command line: "C:\Windows\Web\Idle.exe"
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 2952
level 25  C:\Windows\System32\cmd.exe
          command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SaOkt9ru2m.bat"
          PID: 2728
level 26  C:\Windows\system32\w32tm.exe
          command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
          PID: 1804
level 26  C:\Windows\Web\Idle.exe
          command line: "C:\Windows\Web\Idle.exe"
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 2084
-
The 21 schtasks.exe instances below sit at level 1 because their parent, wmiprvse.exe (see the "Process spawned unexpected child process" signature), is not part of the sample's own tree. Each target gets three /create calls: a MINUTE task, an ONLOGON task with /rl HIGHEST, and the MINUTE task again under the same name with /rl HIGHEST; since every call passes /f, the second MINUTE definition overwrites the first.
level 1   C:\Windows\system32\schtasks.exe
          command line: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Desktop\System.exe'" /f
          - Process spawned unexpected child process
          - Scheduled Task/Job: Scheduled Task
          PID: 2692
level 1   C:\Windows\system32\schtasks.exe
          command line: schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Public\Desktop\System.exe'" /rl HIGHEST /f
          - Process spawned unexpected child process
          - Scheduled Task/Job: Scheduled Task
          PID: 2728
level 1   C:\Windows\system32\schtasks.exe
          command line: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Desktop\System.exe'" /rl HIGHEST /f
          - Process spawned unexpected child process
          - Scheduled Task/Job: Scheduled Task
          PID: 2476
level 1   C:\Windows\system32\schtasks.exe
          command line: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Windows\Web\Idle.exe'" /f
          - Process spawned unexpected child process
          - Scheduled Task/Job: Scheduled Task
          PID: 2088
level 1   C:\Windows\system32\schtasks.exe
          command line: schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\Web\Idle.exe'" /rl HIGHEST /f
          - Process spawned unexpected child process
          - Scheduled Task/Job: Scheduled Task
          PID: 2764
level 1   C:\Windows\system32\schtasks.exe
          command line: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Windows\Web\Idle.exe'" /rl HIGHEST /f
          - Process spawned unexpected child process
          - Scheduled Task/Job: Scheduled Task
          PID: 2360
level 1   C:\Windows\system32\schtasks.exe
          command line: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Windows\tracing\services.exe'" /f
          - Process spawned unexpected child process
          - Scheduled Task/Job: Scheduled Task
          PID: 2308
level 1   C:\Windows\system32\schtasks.exe
          command line: schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\tracing\services.exe'" /rl HIGHEST /f
          - Process spawned unexpected child process
          - Scheduled Task/Job: Scheduled Task
          PID: 1420
level 1   C:\Windows\system32\schtasks.exe
          command line: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Windows\tracing\services.exe'" /rl HIGHEST /f
          - Process spawned unexpected child process
          - Scheduled Task/Job: Scheduled Task
          PID: 332
level 1   C:\Windows\system32\schtasks.exe
          command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\spoolsv.exe'" /f
          - Process spawned unexpected child process
          - Scheduled Task/Job: Scheduled Task
          PID: 2528
level 1   C:\Windows\system32\schtasks.exe
          command line: schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\spoolsv.exe'" /rl HIGHEST /f
          - Process spawned unexpected child process
          - Scheduled Task/Job: Scheduled Task
          PID: 568
level 1   C:\Windows\system32\schtasks.exe
          command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\spoolsv.exe'" /rl HIGHEST /f
          - Process spawned unexpected child process
          - Scheduled Task/Job: Scheduled Task
          PID: 3012
level 1   C:\Windows\system32\schtasks.exe
          command line: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Program Files\Microsoft Games\SpiderSolitaire\fr-FR\winlogon.exe'" /f
          - Process spawned unexpected child process
          - Scheduled Task/Job: Scheduled Task
          PID: 2996
level 1   C:\Windows\system32\schtasks.exe
          command line: schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\SpiderSolitaire\fr-FR\winlogon.exe'" /rl HIGHEST /f
          - Process spawned unexpected child process
          - Scheduled Task/Job: Scheduled Task
          PID: 2460
level 1   C:\Windows\system32\schtasks.exe
          command line: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Games\SpiderSolitaire\fr-FR\winlogon.exe'" /rl HIGHEST /f
          - Process spawned unexpected child process
          - Scheduled Task/Job: Scheduled Task
          PID: 448
level 1   C:\Windows\system32\schtasks.exe
          command line: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Google\Temp\explorer.exe'" /f
          - Process spawned unexpected child process
          - Scheduled Task/Job: Scheduled Task
          PID: 1048
level 1   C:\Windows\system32\schtasks.exe
          command line: schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Temp\explorer.exe'" /rl HIGHEST /f
          - Process spawned unexpected child process
          - Scheduled Task/Job: Scheduled Task
          PID: 652
level 1   C:\Windows\system32\schtasks.exe
          command line: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Google\Temp\explorer.exe'" /rl HIGHEST /f
          - Process spawned unexpected child process
          - Scheduled Task/Job: Scheduled Task
          PID: 784
level 1   C:\Windows\system32\schtasks.exe
          command line: schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Program Files\Internet Explorer\en-US\audiodg.exe'" /f
          - Process spawned unexpected child process
          - Scheduled Task/Job: Scheduled Task
          PID: 1132
level 1   C:\Windows\system32\schtasks.exe
          command line: schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\en-US\audiodg.exe'" /rl HIGHEST /f
          - Process spawned unexpected child process
          - Scheduled Task/Job: Scheduled Task
          PID: 832
level 1   C:\Windows\system32\schtasks.exe
          command line: schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Program Files\Internet Explorer\en-US\audiodg.exe'" /rl HIGHEST /f
          - Process spawned unexpected child process
          - Scheduled Task/Job: Scheduled Task
          PID: 676
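The schtasks.exe command lines above, the Add-MpPreference calls in the process tree (the "Command and Scripting Interpreter: PowerShell" signature) and the "Drops file" signatures describe the same small set of binaries from three angles: each scheduled-task target is also added as a Defender exclusion, most of them appear in the drop list, and all of them carry the name of a Windows system binary (winlogon, services, spoolsv, audiodg, explorer) or of a kernel pseudo-process (System, Idle) in a directory where no such binary belongs. The Python below is an added example, not code from the sandbox or from the report, that parses those command lines and joins them with the drop list into one record per binary. The command lines are a subset copied from this report as constructed input; the table of where each Windows binary legitimately lives, and the verdict strings, are my own.

```python
"""Join one run's persistence artefacts (scheduled tasks, Defender exclusions,
dropped files) on the binary they all point at.

Added example; not code from the sandbox or from the report. The command lines
are a subset copied from the report, the drop list comes from its "Drops file"
signatures, and the table of legitimate binary locations is my own.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed input: 6 of the 21 schtasks.exe command lines in the report.
SCHTASKS_LOG = r'''
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Windows\Web\Idle.exe'" /f
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\Web\Idle.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Windows\Web\Idle.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\spoolsv.exe'" /f
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\spoolsv.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\spoolsv.exe'" /rl HIGHEST /f
'''.strip().splitlines()

# Constructed input: 3 of the 8 Add-MpPreference command lines in the report.
POWERSHELL_LOG = r'''
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Web\Idle.exe'
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\spoolsv.exe'
'''.strip().splitlines()

# Executables from the report's "Drops file in Program Files directory" and
# "Drops file in Windows directory" signatures.
DROPPED_FILES = [
    r"C:\Program Files\Microsoft Games\SpiderSolitaire\fr-FR\winlogon.exe",
    r"C:\Program Files (x86)\Google\Temp\explorer.exe",
    r"C:\Program Files\Internet Explorer\en-US\audiodg.exe",
    r"C:\Windows\Web\Idle.exe",
    r"C:\Windows\tracing\services.exe",
]

TASK_RE = re.compile(
    r'/tn\s+"(?P<name>[^"]+)"\s+/sc\s+(?P<sched>\w+)(?:\s+/mo\s+(?P<mod>\d+))?'
    r'''\s+/tr\s+"'(?P<target>[^']+)'"(?P<highest>\s+/rl\s+HIGHEST)?''',
    re.IGNORECASE)
EXCL_RE = re.compile(r"Add-MpPreference\s+-ExclusionPath\s+'(?P<path>[^']+)'", re.IGNORECASE)

# Where these Windows binaries legitimately live (lower case, no trailing
# backslash); the same file name anywhere else is masquerading. My own table.
SYSTEM_BINARY_HOME = {
    "winlogon.exe": (r"c:\windows\system32",),
    "services.exe": (r"c:\windows\system32",),
    "spoolsv.exe": (r"c:\windows\system32",),
    "audiodg.exe": (r"c:\windows\system32",),
    "explorer.exe": (r"c:\windows", r"c:\windows\syswow64"),
}
# "System" and "System Idle Process" are kernel pseudo-processes with no image
# on disk, so an executable carrying either name is suspicious wherever it is.
KERNEL_PSEUDO_NAMES = {"system.exe", "idle.exe"}


@dataclass
class Target:
    path: str
    tasks: List[Tuple[str, str, Optional[int], bool]] = field(default_factory=list)  # (name, schedule, /mo, /rl HIGHEST)
    excluded: bool = False  # named in an Add-MpPreference -ExclusionPath call
    dropped: bool = False   # present in the drop list
    verdict: str = ""


def name_verdict(path: str) -> str:
    directory, _, name = path.lower().rpartition("\\")
    if name in KERNEL_PSEUDO_NAMES:
        return "impersonates kernel pseudo-process"
    homes = SYSTEM_BINARY_HOME.get(name)
    if homes is not None and directory not in homes:
        return "system binary name outside its home directory"
    return "no name anomaly"


def correlate(schtasks_lines, powershell_lines, dropped) -> Dict[str, Target]:
    """One Target per distinct binary, keyed on the lower-cased path."""
    targets: Dict[str, Target] = {}

    def get(path: str) -> Target:
        return targets.setdefault(path.lower(), Target(path))

    for line in schtasks_lines:
        m = TASK_RE.search(line)
        if m:
            mod = int(m["mod"]) if m["mod"] else None
            get(m["target"]).tasks.append((m["name"], m["sched"].upper(), mod, bool(m["highest"])))
    for line in powershell_lines:
        m = EXCL_RE.search(line)
        if m:
            get(m["path"]).excluded = True
    for path in dropped:
        get(path).dropped = True
    for t in targets.values():
        t.verdict = name_verdict(t.path)
    return targets


def surviving_tasks(t: Target) -> Dict[str, Tuple[str, Optional[int], bool]]:
    """Task names are unique and every /create in the report passes /f, so the
    last definition of a name wins: the unelevated MINUTE task is replaced by
    its /rl HIGHEST twin and two elevated tasks per binary remain."""
    return {name: (sched, mod, high) for name, sched, mod, high in t.tasks}
```

Joining the three views makes the gaps visible as well as the overlaps: DllCommonsvc.exe is excluded from Defender but never scheduled, and the spoolsv.exe copy under MSOCache is scheduled and excluded although the report never records it being written, so a host-side hunt should look for it rather than assume the drop list is complete. surviving_tasks() is what to compare against the Task Scheduler on a real host, since the overwritten MINUTE definitions will not be there.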
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 7405fabaab93319928ab7b6b30bb5fad
SHA1 a8f4925d7a67952eeb71fe2a0f2c38d2ef91f05a
SHA256 228401c705c52cc171ca9e49d6959cf654666caaf1238831f2786726b45621ec
SHA512 c3a34c536794ba17ae82e47d6c3ed2351877f6c7cc95e124177bf3c39d6578730b6949394f6318865f86d55a3217dc02c376e667f35edc6d54a77a58e3696529
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 8985eed6f85fc6bf2e8be68a85b2ce2d
SHA1 39d42eab1a90eba2f22a1a9da7cbe2029b57eaae
SHA256 2e7980b934c92979648c7c2b53f91ef8c86bfdaf203191493c48975d54bf6407
SHA512 4928070fe0137879590a65cd90dccab9a666daedd7e9e757f7684bf82b2ce2e0b2de6daad75759da14fd19a6de27220f2b9f7061950758a715af0bf03920fdf0
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 57835819a2e815b906e7444d3dfc5f5b
SHA1 984247cc91439038276c7d02a00c8e07ede468bd
SHA256 8ddf060642a6b1f5d2b5dd7cb063b133cfa43f759d8eb10f24c895af17ebbe75
SHA512 39593ed439cd843fc05dfc58ce13947e9b0e87c254e62f778608172f51e925aed2422db1f027f6c996d84f9df0d1358892c414c25f4130dca716b3108953b2d0
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 1ef9a38aee475fc511864442d68c49ba
SHA1 095d822757fc9afa4cf4f887c3d603f52053887a
SHA256 018b25cd35a451267f6afd21464acf88ac9eb47a5a4ce014deec6d6bb61257d0
SHA512 a5a91ace516b41479bfe22b3c2849c8d4ab51d138112e7555e0ae79eefb871a7b8ea2fb2b879b8b46a6d3532738ed67e00ffc989e60a87ab51fd226ea9f1f02a
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 ef50f587008b27f8cd927b023db0bb09
SHA1 e593699c47f7367cf1d999f8d39f245cbc51e4ee
SHA256 fec8c8dc33ae6757953eff141debf785660cfaa448e81a36a63262d60b168c39
SHA512 6ae07934a55c5fd7be45def3b7b4d46f119bab118fd251023ad5ad829f60917291ada0a8a911650c655dcc9870cd30d1dec675e2d77109d2b7be0abfd0bc52e2
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 6443f4b80fa35f0c906beb2f4a50adc1
SHA1 7696fa9af95291f9e7905755816426707d3c54e9
SHA256 ef193af5945fe3588a8cec8d041637d655ff435e2d3ae4d77dfeb1254ff9adb3
SHA512 2be6f9ae95db067703cb1bdd5739f3a05be3f21c4561d13fda86d2e5e5521a0ac53655c482bcf49c7dcb8a7d6a0d8f9c5205f95a7d733511db634db3b331b7e1
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 37493c62e17dff0af3202dcce2fd26d1
SHA1 fd272e3f2bbd2901349b69b39f8a9714c0de7dc4
SHA256 ba2e58bde02ce652645a424f8997582fec15c24773eb76b66202f7378747bbf9
SHA512 c791ceed5df76447422448a42169f3205349a722adc85b2c3373ac5fa175c5a7a24bd7a2b7e19576ee6d5de067a11e7fd662467e7f9c44195f0a99080e5836ae
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 7a1db1559d737213845ea0fa5a98474e
SHA1 3e2b9f66e130d160f2ee9e25565580dd6b25b0c0
SHA256 e05bd816e6d8e721c496652170233c152d9f4055c675b4bb5ea3473d9c6dfa43
SHA512 08248cd8a64b19f8adec8306b8f19a3dd13c980d253d227a08200c73d2392d20aa60098b193ed13fd987bf15aea20a2464c14c0ec1d6eb88b7c5ac89a48b4774
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 2e67100773296045c1bebca34101ab36
SHA1 3578a49c949e9fb8c46158d7419d7528b4ff3103
SHA256 6c3c239e9e18e5839539ee617e41a4aa95de3673fafbbd86ec67d7173f5178e4
SHA512 e9839169cf672b8cd1bb8f09ee9362b7c7ab23aa7c5d7f42876f94568a0fb3ad8fd33298097a6b54f0b77a55b70549eec35b3d8e48c253a8e217b85f84544e32
-
Filesize 188B
MD5 85b62ca95e5ddf88a8f371d0e7d36aab
SHA1 034caf69cb76c1c1c5aaf27b5a0b4b75d6e652ac
SHA256 3101b3a26dcf3c7e47bdd44d545bfe1c4a9c865f3985798cfe38fd25f48e6b35
SHA512 005b6d996d8b0b357a0051399bf566362a63889f6422ea5b60a0d6d5f3f7e4382bf27c7a24831cdbe6df50d96e0e0acb0fe61d2404e8a58d132e4186bcc74710
-
Filesize 188B
MD5 dde3a2e904e8ca2aba29e08df4350886
SHA1 d7c0557e3ea23795f5be47df266f61b381a49766
SHA256 e35ac54d4a76a274eff34308e78574a864dfd589747d4258734c077dcd58ba56
SHA512 2ec9f9f3e19dcbbce36e940e3886812029e7c21790871960a4973e98099ba06f1b765b7ea876e30169d9055bb49f443fb536641000fb5e44f4c1d6833aa9c0ef
-
Filesize 188B
MD5 8f9a4d0b77acb9d371d4455ca67fd5c2
SHA1 e24774a7caa68106295448efde58473efbc8a0bc
SHA256 d2744c4021d2368ac6f234f76f67383e108f47c983f19172dab933108b4bc6bd
SHA512 7c3efcc7ce44c4cfdbad99ad15a51a689be1a5a6d52fcaba66badbb7a225c08fb82b1409ceb17c46f85387b8b869df930106b88c38b933a7fef26612f5607d42
-
Filesize 70KB
MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize 188B
MD5 0986da0cefcc7993237cb00b72216c4e
SHA1 694cfcad26e9af3109d1ebf996ea3f5b83f5473f
SHA256 0afb8be3e876dac019b3ac18fd4b5cb28e408880a485a33bb7bd047a8ca79dd9
SHA512 91a21608114b91758c55816937889cc8da77bfafa4dd8e2e80272e2d6b779e9ee9086b193380d3090b28c79f566484db17bd8acffe61abea9df166522a7320e6
-
Filesize 188B
MD5 8a66c801cbf41107b9a903674f12c189
SHA1 eb10bf7f6203f9c9da19e3866ba3a23a6381433b
SHA256 13f3f57bbf40e85747b37b1177a118698aa4d33b5f83099e00b5a33cd4aeb9c3
SHA512 094951820335c43705e6ab9dc6908ecb847697a37c44c9c5880297b91847d0e804931b85cd630d2d4cdfd856b877a245a5d283dbfc6af40edf38939ec8cc45ef
-
Filesize 181KB
MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize 188B
MD5 f31ada6f42a106092814cee58d61bacb
SHA1 d6934b0ee5964588239afcc735d0b6d29ee37841
SHA256 f65f3987375c16c98143286794721e8884a67a2091ff6861cda33474be9c3468
SHA512 2a71cf0b641a784f47d3e7edf8844b7df0511138e6d134af42e7e411e9a005473be65ea3de5187a51b734330fa456ca6cf5ffdf890eef993f3e9605c53806931
-
Filesize 188B
MD5 143ffab1a2ad3456560ee6b84ca23c11
SHA1 d18d9cc086493eec5d3284cef34d02c326713e7f
SHA256 2b0890e293b5d46a030e10030e2d1117d83aae13c8b3cba71e378506d5b75639
SHA512 5e787ca7192eec0adf6f125c9ec0b8fe8df786ccbda2b9a0021326a4cfaccda8ae55876cf7e6f17ae3c176062eb4d75344d5825ceab4c5740666c378fa22a885
-
Filesize 188B
MD5 2252f47fcc17c7a205f6b95a5ca0f9f8
SHA1 672fc71c92c99c18a9013f711f34ef89fd4b2048
SHA256 44cd3be882d75aa4d0963a50498c8f1eb93b271db6fcd937bc03f10290d12731
SHA512 2527e0b9f5a9921ce4af139faaf63e5a06d66080edd1ccb72f019e932116529026c330c322a2f62acaeef06a5fcb0d0c6493ff96ad2de0c1158482db4833e3ad
-
Filesize 188B
MD5 09b4e6290ea39feae3a590489aa51249
SHA1 c5716ff83273ac31b3982ab74f50aded934f41b4
SHA256 ea3eafd236d75bf98045355c0bb1902a2cb9bc6078972ede4cedf3ff88177713
SHA512 de733a96b7ad0b68c36c76f4dbd9f9e46f5e68732e6bc092fe9d9893dae81b08e6ed89ec7a1531ba89c6bc0c091fe050510007294ac79038ddb8e7d221919d65
-
Filesize 188B
MD5 90503dfd66d411eaf32046eb047d160a
SHA1 4c15e3c6d096d11f06b9d68ebc9d6676b4d36367
SHA256 ba096035e5c0926d63cfd3d10fe6ae4253746faa50b9d3ce2c3483cfd0236775
SHA512 184858240bc141f1b4014029e5fe2465dcace3a3add3ac46e671e274488eb98cb6c3fc3b149b09a52c3075788c29b4166e43bf662f5ab7be96b96c30a27590c7
-
Filesize 188B
MD5 45e1dd64615274e6ff5ce841c69a8a1f
SHA1 466f5189a5b0d5e0e990bb3d498d2e8dc693ad7b
SHA256 c437e67dbdb13c7970265203adf4ee0ccc926c61f95818b34dc18289db852c40
SHA512 948aa6f9c1a6a3c042fbb151e9f6a2132f185874a12cbaaaedfc5b0b05b7c593925686bb6b34d5b311c2148be562c957b0cdcc8ccd75a7da31c78e87f2a8fa69
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\8JWSH9HXV1BPA2XQCNM3.temp
Filesize 7KB
MD5 f5fdd9ce289abbf3aea69e40e16d4387
SHA1 8a3134c72834bc1e8c8a41471b8e10c456c3718f
SHA256 82f3ad538bf4a9f373a04e76e3ce249d4f21d3973073cd116f535575c846bfc5
SHA512 afcdd7c7005aeb450e10682b8b5cce4aed82834d11b9dbd3c7b59add7ec61cbae17f9f707d44f1f2e9195616746f0c61d2b833cf852297f748c385a49bd564fe
-
Filesize 36B
MD5 6783c3ee07c7d151ceac57f1f9c8bed7
SHA1 17468f98f95bf504cc1f83c49e49a78526b3ea03
SHA256 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512 c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8
-
Filesize 197B
MD5 8088241160261560a02c84025d107592
SHA1 083121f7027557570994c9fc211df61730455bb5
SHA256 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA512 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478
-
Filesize 1.0MB
MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394