Analysis
- max time kernel: 148s
- max time network: 144s
- platform: windows7_x64
- resource: win7-20241023-en
- resource tags: arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
- submitted: 30/12/2024, 18:50
Behavioral task: behavioral1
- Sample: JaffaCakes118_7c6d6d221103c226b106d1d456d164ae0b853cbb773ced51b6bf2ca5f98f8a47.exe
- Resource: win7-20241023-en

Behavioral task: behavioral2
- Sample: JaffaCakes118_7c6d6d221103c226b106d1d456d164ae0b853cbb773ced51b6bf2ca5f98f8a47.exe
- Resource: win10v2004-20241007-en
General
- Target: JaffaCakes118_7c6d6d221103c226b106d1d456d164ae0b853cbb773ced51b6bf2ca5f98f8a47.exe
- Size: 1.3MB
- MD5: e4191f18e6468181c730102499e27fc0
- SHA1: 88f4f8e3739f4788628c443c6b0ffe09861c3a7c
- SHA256: 7c6d6d221103c226b106d1d456d164ae0b853cbb773ced51b6bf2ca5f98f8a47
- SHA512: 552219f0fcf03b6f8a63d73cb7430e3a3bbef5dc52cf58a635d75f0895a64529aabbc61bdd5fdf4ccb8b1c270d811eaf7b707bdab0e5df00dceecf140378c028
- SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures

DcRat
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

Dcrat family

Process spawned unexpected child process (12 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1324 | 2636 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2340 | 2636 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2444 | 2636 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1768 | 2636 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3032 | 2636 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2676 | 2636 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2608 | 2636 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2000 | 2636 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1520 | 2636 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2564 | 2636 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2968 | 2636 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1860 | 2636 | schtasks.exe | 34

resource | yara_rule
behavioral1/files/0x0008000000016cd7-12.dat | dcrat
behavioral1/memory/3068-13-0x0000000000E10000-0x0000000000F20000-memory.dmp | dcrat
behavioral1/memory/1316-59-0x00000000000A0000-0x00000000001B0000-memory.dmp | dcrat
behavioral1/memory/2784-118-0x0000000001310000-0x0000000001420000-memory.dmp | dcrat
behavioral1/memory/2252-179-0x0000000000270000-0x0000000000380000-memory.dmp | dcrat
behavioral1/memory/1284-239-0x0000000000250000-0x0000000000360000-memory.dmp | dcrat
behavioral1/memory/852-299-0x0000000000E60000-0x0000000000F70000-memory.dmp | dcrat
behavioral1/memory/2468-359-0x0000000000330000-0x0000000000440000-memory.dmp | dcrat
behavioral1/memory/2420-420-0x0000000000CB0000-0x0000000000DC0000-memory.dmp | dcrat
behavioral1/memory/2992-480-0x00000000002D0000-0x00000000003E0000-memory.dmp | dcrat
behavioral1/memory/792-541-0x0000000001340000-0x0000000001450000-memory.dmp | dcrat
behavioral1/memory/2820-719-0x0000000000340000-0x0000000000450000-memory.dmp | dcrat

Command and Scripting Interpreter: PowerShell (1 TTPs, 5 IoCs)
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
pid | Process
2972 | powershell.exe
2724 | powershell.exe
2704 | powershell.exe
2884 | powershell.exe
2984 | powershell.exe

Executes dropped EXE (13 IoCs)
pid | Process
3068 | DllCommonsvc.exe
1316 | dllhost.exe
2784 | dllhost.exe
2252 | dllhost.exe
1284 | dllhost.exe
852 | dllhost.exe
2468 | dllhost.exe
2420 | dllhost.exe
2992 | dllhost.exe
792 | dllhost.exe
2148 | dllhost.exe
2408 | dllhost.exe
2820 | dllhost.exe

Loads dropped DLL (2 IoCs)
pid | Process
2760 | cmd.exe
2760 | cmd.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 12 IoCs)
flow | ioc
40 | raw.githubusercontent.com
9 | raw.githubusercontent.com
16 | raw.githubusercontent.com
26 | raw.githubusercontent.com
30 | raw.githubusercontent.com
37 | raw.githubusercontent.com
33 | raw.githubusercontent.com
4 | raw.githubusercontent.com
5 | raw.githubusercontent.com
12 | raw.githubusercontent.com
19 | raw.githubusercontent.com
23 | raw.githubusercontent.com

Drops file in Program Files directory (5 IoCs)
description | ioc | Process
File created | C:\Program Files\Uninstall Information\088424020bedd6 | DllCommonsvc.exe
File created | C:\Program Files (x86)\Microsoft.NET\RedistList\dllhost.exe | DllCommonsvc.exe
File opened for modification | C:\Program Files (x86)\Microsoft.NET\RedistList\dllhost.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\Microsoft.NET\RedistList\5940a34987c991 | DllCommonsvc.exe
File created | C:\Program Files\Uninstall Information\conhost.exe | DllCommonsvc.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_7c6d6d221103c226b106d1d456d164ae0b853cbb773ced51b6bf2ca5f98f8a47.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe

Scheduled Task/Job: Scheduled Task (1 TTPs, 12 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
1520 | schtasks.exe
2564 | schtasks.exe
1860 | schtasks.exe
1324 | schtasks.exe
1768 | schtasks.exe
2608 | schtasks.exe
2676 | schtasks.exe
2000 | schtasks.exe
2968 | schtasks.exe
2340 | schtasks.exe
2444 | schtasks.exe
3032 | schtasks.exe

Suspicious behavior: EnumeratesProcesses (18 IoCs)
pid | Process
3068 | DllCommonsvc.exe
2724 | powershell.exe
2884 | powershell.exe
2984 | powershell.exe
2972 | powershell.exe
2704 | powershell.exe
1316 | dllhost.exe
2784 | dllhost.exe
2252 | dllhost.exe
1284 | dllhost.exe
852 | dllhost.exe
2468 | dllhost.exe
2420 | dllhost.exe
2992 | dllhost.exe
792 | dllhost.exe
2148 | dllhost.exe
2408 | dllhost.exe
2820 | dllhost.exe

Suspicious use of AdjustPrivilegeToken (18 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 3068 | DllCommonsvc.exe
Token: SeDebugPrivilege | 2724 | powershell.exe
Token: SeDebugPrivilege | 2884 | powershell.exe
Token: SeDebugPrivilege | 2984 | powershell.exe
Token: SeDebugPrivilege | 2972 | powershell.exe
Token: SeDebugPrivilege | 2704 | powershell.exe
Token: SeDebugPrivilege | 1316 | dllhost.exe
Token: SeDebugPrivilege | 2784 | dllhost.exe
Token: SeDebugPrivilege | 2252 | dllhost.exe
Token: SeDebugPrivilege | 1284 | dllhost.exe
Token: SeDebugPrivilege | 852 | dllhost.exe
Token: SeDebugPrivilege | 2468 | dllhost.exe
Token: SeDebugPrivilege | 2420 | dllhost.exe
Token: SeDebugPrivilege | 2992 | dllhost.exe
Token: SeDebugPrivilege | 792 | dllhost.exe
Token: SeDebugPrivilege | 2148 | dllhost.exe
Token: SeDebugPrivilege | 2408 | dllhost.exe
Token: SeDebugPrivilege | 2820 | dllhost.exe

Suspicious use of WriteProcessMemory (64 IoCs)
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
[depth 1] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7c6d6d221103c226b106d1d456d164ae0b853cbb773ced51b6bf2ca5f98f8a47.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7c6d6d221103c226b106d1d456d164ae0b853cbb773ced51b6bf2ca5f98f8a47.exe"
  PID: 308
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

[depth 2] C:\Windows\SysWOW64\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  PID: 2764
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

[depth 3] C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c ""C:\providercommon\1zu9dW.bat" "
  PID: 2760
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

[depth 4] C:\providercommon\DllCommonsvc.exe
  Command line: "C:\providercommon\DllCommonsvc.exe"
  PID: 3068
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
  PID: 2704
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\RedistList\dllhost.exe'
  PID: 2724
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\smss.exe'
  PID: 2884
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\lsm.exe'
  PID: 2984
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\conhost.exe'
  PID: 2972
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

[depth 5] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Utfk4Eg9N4.bat"
  PID: 3000
  - Suspicious use of WriteProcessMemory

[depth 6] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2164

[depth 6] C:\Program Files (x86)\Microsoft.NET\RedistList\dllhost.exe
  Command line: "C:\Program Files (x86)\Microsoft.NET\RedistList\dllhost.exe"
  PID: 1316
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

[depth 7] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SsFcJDxdf6.bat"
  PID: 884
  - Suspicious use of WriteProcessMemory

[depth 8] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 1728

[depth 8] C:\Program Files (x86)\Microsoft.NET\RedistList\dllhost.exe
  Command line: "C:\Program Files (x86)\Microsoft.NET\RedistList\dllhost.exe"
  PID: 2784
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

[depth 9] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WtKWrLEt72.bat"
  PID: 2876
  - Suspicious use of WriteProcessMemory

[depth 10] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 3044

[depth 10] C:\Program Files (x86)\Microsoft.NET\RedistList\dllhost.exe
  Command line: "C:\Program Files (x86)\Microsoft.NET\RedistList\dllhost.exe"
  PID: 2252
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

[depth 11] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\53OVnhiNRT.bat"
  PID: 1552
  - Suspicious use of WriteProcessMemory

[depth 12] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 3004

[depth 12] C:\Program Files (x86)\Microsoft.NET\RedistList\dllhost.exe
  Command line: "C:\Program Files (x86)\Microsoft.NET\RedistList\dllhost.exe"
  PID: 1284
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

[depth 13] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KYEunsIO9t.bat"
  PID: 2080

[depth 14] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 1604

[depth 14] C:\Program Files (x86)\Microsoft.NET\RedistList\dllhost.exe
  Command line: "C:\Program Files (x86)\Microsoft.NET\RedistList\dllhost.exe"
  PID: 852
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

[depth 15] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aPx44ABVco.bat"
  PID: 572

[depth 16] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2120

[depth 16] C:\Program Files (x86)\Microsoft.NET\RedistList\dllhost.exe
  Command line: "C:\Program Files (x86)\Microsoft.NET\RedistList\dllhost.exe"
  PID: 2468
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

[depth 17] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qqpXlQnQd1.bat"
  PID: 2088

[depth 18] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 1280

[depth 18] C:\Program Files (x86)\Microsoft.NET\RedistList\dllhost.exe
  Command line: "C:\Program Files (x86)\Microsoft.NET\RedistList\dllhost.exe"
  PID: 2420
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

[depth 19] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cYhs0sn2L6.bat"
  PID: 1984

[depth 20] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 1808

[depth 20] C:\Program Files (x86)\Microsoft.NET\RedistList\dllhost.exe
  Command line: "C:\Program Files (x86)\Microsoft.NET\RedistList\dllhost.exe"
  PID: 2992
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

[depth 21] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iS8tBRk2Vg.bat"
  PID: 1844

[depth 22] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 376

[depth 22] C:\Program Files (x86)\Microsoft.NET\RedistList\dllhost.exe
  Command line: "C:\Program Files (x86)\Microsoft.NET\RedistList\dllhost.exe"
  PID: 792
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

[depth 23] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AKY6NrPTox.bat"
  PID: 2608

[depth 24] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 3028

[depth 24] C:\Program Files (x86)\Microsoft.NET\RedistList\dllhost.exe
  Command line: "C:\Program Files (x86)\Microsoft.NET\RedistList\dllhost.exe"
  PID: 2148
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

[depth 25] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jkzlbVqk90.bat"
  PID: 1992

[depth 26] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 1724

[depth 26] C:\Program Files (x86)\Microsoft.NET\RedistList\dllhost.exe
  Command line: "C:\Program Files (x86)\Microsoft.NET\RedistList\dllhost.exe"
  PID: 2408
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

[depth 27] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cu7QADyCUt.bat"
  PID: 2592

[depth 28] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2912

[depth 28] C:\Program Files (x86)\Microsoft.NET\RedistList\dllhost.exe
  Command line: "C:\Program Files (x86)\Microsoft.NET\RedistList\dllhost.exe"
  PID: 2820
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\dllhost.exe'" /f
  PID: 1324
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\dllhost.exe'" /rl HIGHEST /f
  PID: 2340
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\dllhost.exe'" /rl HIGHEST /f
  PID: 2444
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\smss.exe'" /f
  PID: 1768
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\smss.exe'" /rl HIGHEST /f
  PID: 3032
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\smss.exe'" /rl HIGHEST /f
  PID: 2676
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\lsm.exe'" /f
  PID: 2608
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
  PID: 2000
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
  PID: 1520
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Program Files\Uninstall Information\conhost.exe'" /f
  PID: 2564
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\conhost.exe'" /rl HIGHEST /f
  PID: 2968
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Uninstall Information\conhost.exe'" /rl HIGHEST /f
  PID: 1860
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Downloads