Analysis
- max time kernel: 149s
- max time network: 144s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 30/12/2024, 18:52
Behavioral task behavioral1
- Sample: JaffaCakes118_d5db39bc3e7378de31a7b2d60b1660e743f3c01540c79c2c13128cb34200f169.exe
- Resource: win7-20240903-en

Behavioral task behavioral2
- Sample: JaffaCakes118_d5db39bc3e7378de31a7b2d60b1660e743f3c01540c79c2c13128cb34200f169.exe
- Resource: win10v2004-20241007-en
General
- Target: JaffaCakes118_d5db39bc3e7378de31a7b2d60b1660e743f3c01540c79c2c13128cb34200f169.exe
- Size: 1.3MB
- MD5: f3c9c8fcdc97ee343cd1c164b4b4c8ff
- SHA1: 4ee049708648e7307f0fead0d284f323048b8201
- SHA256: d5db39bc3e7378de31a7b2d60b1660e743f3c01540c79c2c13128cb34200f169
- SHA512: ca3959e832d5416bdd891fbb85a5ea0d3103cea8399e14fc16ba3b709b72f5d90d91fbe7d1176b0bc1f8d77675513ade69fe15cb2b146957378755f7e0cfb6fc
- SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
DcRat
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

Dcrat family

| resource | yara_rule |
|---|---|
| behavioral1/files/0x0008000000016334-12.dat | dcrat |
| behavioral1/memory/2044-13-0x0000000000CE0000-0x0000000000DF0000-memory.dmp | dcrat |
| behavioral1/memory/1292-57-0x00000000003F0000-0x0000000000500000-memory.dmp | dcrat |
| behavioral1/memory/1628-116-0x0000000000FE0000-0x00000000010F0000-memory.dmp | dcrat |
| behavioral1/memory/2300-177-0x00000000002F0000-0x0000000000400000-memory.dmp | dcrat |
| behavioral1/memory/2800-238-0x0000000000F10000-0x0000000001020000-memory.dmp | dcrat |
| behavioral1/memory/1592-298-0x00000000003C0000-0x00000000004D0000-memory.dmp | dcrat |
| behavioral1/memory/764-359-0x00000000000E0000-0x00000000001F0000-memory.dmp | dcrat |
| behavioral1/memory/1964-419-0x0000000000250000-0x0000000000360000-memory.dmp | dcrat |
| behavioral1/memory/1696-480-0x0000000000A30000-0x0000000000B40000-memory.dmp | dcrat |
| behavioral1/memory/2548-540-0x0000000000B30000-0x0000000000C40000-memory.dmp | dcrat |
| behavioral1/memory/3012-600-0x00000000010A0000-0x00000000011B0000-memory.dmp | dcrat |
| behavioral1/memory/1104-660-0x0000000000230000-0x0000000000340000-memory.dmp | dcrat |
| behavioral1/memory/2440-721-0x0000000001310000-0x0000000001420000-memory.dmp | dcrat |

Process spawned unexpected child process (12 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.

| description | pid | pid_target | Process | procid_target |
|---|---|---|---|---|
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2592 | 2856 | schtasks.exe | 32 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2636 | 2856 | schtasks.exe | 32 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2728 | 2856 | schtasks.exe | 32 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2616 | 2856 | schtasks.exe | 32 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2688 | 2856 | schtasks.exe | 32 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2604 | 2856 | schtasks.exe | 32 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2812 | 2856 | schtasks.exe | 32 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2660 | 2856 | schtasks.exe | 32 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2536 | 2856 | schtasks.exe | 32 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2512 | 2856 | schtasks.exe | 32 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2560 | 2856 | schtasks.exe | 32 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2540 | 2856 | schtasks.exe | 32 |
Command and Scripting Interpreter: PowerShell (1 TTP, 5 IoCs)
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

| pid | Process |
|---|---|
| 2428 | powershell.exe |
| 1848 | powershell.exe |
| 824 | powershell.exe |
| 572 | powershell.exe |
| 1960 | powershell.exe |
Executes dropped EXE (13 IoCs)

| pid | Process |
|---|---|
| 2044 | DllCommonsvc.exe |
| 1292 | dllhost.exe |
| 1628 | dllhost.exe |
| 2300 | dllhost.exe |
| 2800 | dllhost.exe |
| 1592 | dllhost.exe |
| 764 | dllhost.exe |
| 1964 | dllhost.exe |
| 1696 | dllhost.exe |
| 2548 | dllhost.exe |
| 3012 | dllhost.exe |
| 1104 | dllhost.exe |
| 2440 | dllhost.exe |
Loads dropped DLL (2 IoCs)

| pid | Process |
|---|---|
| 2400 | cmd.exe |
| 2400 | cmd.exe |
Legitimate hosting services abused for malware hosting/C2 (1 TTP, 12 IoCs)

| flow | ioc |
|---|---|
| 4 | raw.githubusercontent.com |
| 9 | raw.githubusercontent.com |
| 20 | raw.githubusercontent.com |
| 28 | raw.githubusercontent.com |
| 38 | raw.githubusercontent.com |
| 42 | raw.githubusercontent.com |
| 5 | raw.githubusercontent.com |
| 12 | raw.githubusercontent.com |
| 16 | raw.githubusercontent.com |
| 24 | raw.githubusercontent.com |
| 31 | raw.githubusercontent.com |
| 35 | raw.githubusercontent.com |
Drops file in Program Files directory (5 IoCs)

| description | ioc | Process |
|---|---|---|
| File created | C:\Program Files (x86)\Windows Portable Devices\dwm.exe | DllCommonsvc.exe |
| File opened for modification | C:\Program Files (x86)\Windows Portable Devices\dwm.exe | DllCommonsvc.exe |
| File created | C:\Program Files (x86)\Windows Portable Devices\6cb0b6c459d5d3 | DllCommonsvc.exe |
| File created | C:\Program Files (x86)\Google\CrashReports\dllhost.exe | DllCommonsvc.exe |
| File created | C:\Program Files (x86)\Google\CrashReports\5940a34987c991 | DllCommonsvc.exe |
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

| description | ioc | Process |
|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_d5db39bc3e7378de31a7b2d60b1660e743f3c01540c79c2c13128cb34200f169.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe |
Scheduled Task/Job: Scheduled Task (1 TTP, 12 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.

| pid | Process |
|---|---|
| 2636 | schtasks.exe |
| 2728 | schtasks.exe |
| 2512 | schtasks.exe |
| 2560 | schtasks.exe |
| 2540 | schtasks.exe |
| 2592 | schtasks.exe |
| 2616 | schtasks.exe |
| 2688 | schtasks.exe |
| 2604 | schtasks.exe |
| 2812 | schtasks.exe |
| 2660 | schtasks.exe |
| 2536 | schtasks.exe |
Suspicious behavior: EnumeratesProcesses (18 IoCs)

| pid | Process |
|---|---|
| 2044 | DllCommonsvc.exe |
| 824 | powershell.exe |
| 572 | powershell.exe |
| 2428 | powershell.exe |
| 1960 | powershell.exe |
| 1848 | powershell.exe |
| 1292 | dllhost.exe |
| 1628 | dllhost.exe |
| 2300 | dllhost.exe |
| 2800 | dllhost.exe |
| 1592 | dllhost.exe |
| 764 | dllhost.exe |
| 1964 | dllhost.exe |
| 1696 | dllhost.exe |
| 2548 | dllhost.exe |
| 3012 | dllhost.exe |
| 1104 | dllhost.exe |
| 2440 | dllhost.exe |
Suspicious use of AdjustPrivilegeToken (18 IoCs)

| description | pid | Process |
|---|---|---|
| Token: SeDebugPrivilege | 2044 | DllCommonsvc.exe |
| Token: SeDebugPrivilege | 824 | powershell.exe |
| Token: SeDebugPrivilege | 572 | powershell.exe |
| Token: SeDebugPrivilege | 2428 | powershell.exe |
| Token: SeDebugPrivilege | 1960 | powershell.exe |
| Token: SeDebugPrivilege | 1848 | powershell.exe |
| Token: SeDebugPrivilege | 1292 | dllhost.exe |
| Token: SeDebugPrivilege | 1628 | dllhost.exe |
| Token: SeDebugPrivilege | 2300 | dllhost.exe |
| Token: SeDebugPrivilege | 2800 | dllhost.exe |
| Token: SeDebugPrivilege | 1592 | dllhost.exe |
| Token: SeDebugPrivilege | 764 | dllhost.exe |
| Token: SeDebugPrivilege | 1964 | dllhost.exe |
| Token: SeDebugPrivilege | 1696 | dllhost.exe |
| Token: SeDebugPrivilege | 2548 | dllhost.exe |
| Token: SeDebugPrivilege | 3012 | dllhost.exe |
| Token: SeDebugPrivilege | 1104 | dllhost.exe |
| Token: SeDebugPrivilege | 2440 | dllhost.exe |
Suspicious use of WriteProcessMemory (64 IoCs)
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Process tree as recorded in the sandbox. The bracketed number is the depth of the process in the tree; each entry gives the image path, PID, command line and the signatures that process triggered.

[1] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d5db39bc3e7378de31a7b2d60b1660e743f3c01540c79c2c13128cb34200f169.exe (PID 796)
    command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d5db39bc3e7378de31a7b2d60b1660e743f3c01540c79c2c13128cb34200f169.exe"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

[2] C:\Windows\SysWOW64\WScript.exe (PID 2032)
    command line: "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

[3] C:\Windows\SysWOW64\cmd.exe (PID 2400)
    command line: cmd /c ""C:\providercommon\1zu9dW.bat" "
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

[4] C:\providercommon\DllCommonsvc.exe (PID 2044)
    command line: "C:\providercommon\DllCommonsvc.exe"
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2428)
    command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1848)
    command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\dwm.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 824)
    command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\CrashReports\dllhost.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 572)
    command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dllhost.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1960)
    command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dwm.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
[5] C:\Windows\System32\cmd.exe (PID 2544)
    command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XfWEItxuzP.bat"
    - Suspicious use of WriteProcessMemory

[6] C:\Windows\system32\w32tm.exe (PID 1032)
    command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

[6] C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dllhost.exe (PID 1292)
    command line: "C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dllhost.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

[7] C:\Windows\System32\cmd.exe (PID 2140)
    command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TfYr4aOzGb.bat"

[8] C:\Windows\system32\w32tm.exe (PID 2004)
    command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

[8] C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dllhost.exe (PID 1628)
    command line: "C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dllhost.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

[9] C:\Windows\System32\cmd.exe (PID 2168)
    command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pCY6B1XXru.bat"
    - Suspicious use of WriteProcessMemory

[10] C:\Windows\system32\w32tm.exe (PID 3036)
    command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

[10] C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dllhost.exe (PID 2300)
    command line: "C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dllhost.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

[11] C:\Windows\System32\cmd.exe (PID 2980)
    command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vF7CrwxjwX.bat"
    - Suspicious use of WriteProcessMemory

[12] C:\Windows\system32\w32tm.exe (PID 1652)
    command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

[12] C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dllhost.exe (PID 2800)
    command line: "C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dllhost.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

[13] C:\Windows\System32\cmd.exe (PID 1640)
    command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\D5faDLbbQ0.bat"
    - Suspicious use of WriteProcessMemory

[14] C:\Windows\system32\w32tm.exe (PID 872)
    command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

[14] C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dllhost.exe (PID 1592)
    command line: "C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dllhost.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

[15] C:\Windows\System32\cmd.exe (PID 1012)
    command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vlZZCFJNsh.bat"

[16] C:\Windows\system32\w32tm.exe (PID 1656)
    command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

[16] C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dllhost.exe (PID 764)
    command line: "C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dllhost.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

[17] C:\Windows\System32\cmd.exe (PID 2956)
    command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oYNvu0ZNBR.bat"

[18] C:\Windows\system32\w32tm.exe (PID 1720)
    command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

[18] C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dllhost.exe (PID 1964)
    command line: "C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dllhost.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

[19] C:\Windows\System32\cmd.exe (PID 2460)
    command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\h6hK16ZrMt.bat"

[20] C:\Windows\system32\w32tm.exe (PID 2216)
    command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

[20] C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dllhost.exe (PID 1696)
    command line: "C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dllhost.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

[21] C:\Windows\System32\cmd.exe (PID 2868)
    command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\34gW2xHJWZ.bat"

[22] C:\Windows\system32\w32tm.exe (PID 2508)
    command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

[22] C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dllhost.exe (PID 2548)
    command line: "C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dllhost.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

[23] C:\Windows\System32\cmd.exe (PID 2168)
    command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hibqn60Xcy.bat"

[24] C:\Windows\system32\w32tm.exe (PID 2364)
    command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

[24] C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dllhost.exe (PID 3012)
    command line: "C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dllhost.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

[25] C:\Windows\System32\cmd.exe (PID 1736)
    command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HZWv28qLDz.bat"

[26] C:\Windows\system32\w32tm.exe (PID 2808)
    command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

[26] C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dllhost.exe (PID 1104)
    command line: "C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dllhost.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

[27] C:\Windows\System32\cmd.exe (PID 2344)
    command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qsbi9TUILn.bat"

[28] C:\Windows\system32\w32tm.exe (PID 444)
    command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

[28] C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dllhost.exe (PID 2440)
    command line: "C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dllhost.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
[1] C:\Windows\system32\schtasks.exe (PID 2592)
    command line: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Portable Devices\dwm.exe'" /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task

[1] C:\Windows\system32\schtasks.exe (PID 2636)
    command line: schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\dwm.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task

[1] C:\Windows\system32\schtasks.exe (PID 2728)
    command line: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Portable Devices\dwm.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task

[1] C:\Windows\system32\schtasks.exe (PID 2616)
    command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Google\CrashReports\dllhost.exe'" /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task

[1] C:\Windows\system32\schtasks.exe (PID 2688)
    command line: schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\CrashReports\dllhost.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task

[1] C:\Windows\system32\schtasks.exe (PID 2604)
    command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Google\CrashReports\dllhost.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task

[1] C:\Windows\system32\schtasks.exe (PID 2812)
    command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dllhost.exe'" /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task

[1] C:\Windows\system32\schtasks.exe (PID 2660)
    command line: schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dllhost.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task

[1] C:\Windows\system32\schtasks.exe (PID 2536)
    command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dllhost.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task

[1] C:\Windows\system32\schtasks.exe (PID 2512)
    command line: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dwm.exe'" /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task

[1] C:\Windows\system32\schtasks.exe (PID 2560)
    command line: schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dwm.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task

[1] C:\Windows\system32\schtasks.exe (PID 2540)
    command line: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dwm.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
MITRE ATT&CK Enterprise v15
Downloads