Analysis
max time kernel: 150s
max time network: 150s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 21-12-2024 19:13
Behavioral task: behavioral1
Sample: JaffaCakes118_3d2ba41c1ffe859614445f6a7b36e30075d581387e8480b4fb3c44a90ad4224b.exe
Resource: win7-20241010-en
Behavioral task: behavioral2
Sample: JaffaCakes118_3d2ba41c1ffe859614445f6a7b36e30075d581387e8480b4fb3c44a90ad4224b.exe
Resource: win10v2004-20241007-en
General
Target: JaffaCakes118_3d2ba41c1ffe859614445f6a7b36e30075d581387e8480b4fb3c44a90ad4224b.exe
Size: 1.3MB
MD5: d570c2c1d9764c8825741e010d5684d1
SHA1: 9f61d4416189eb1631ecf7dc4e224a3eb379ab73
SHA256: 3d2ba41c1ffe859614445f6a7b36e30075d581387e8480b4fb3c44a90ad4224b
SHA512: 6a3ba3ca0a1f9bc7baa7411a711fb7ea2519acd14ec8354b972aa33b30115017248f6268fec953507d23dd621dd3820827a17d9d53b8fd0c2b238350bdc42364
SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.
Dcrat family
Process spawned unexpected child process 15 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2548 | 2116 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1068 | 2116 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2176 | 2116 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2596 | 2116 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3036 | 2116 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2996 | 2116 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2356 | 2116 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1260 | 2116 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2964 | 2116 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1116 | 2116 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1440 | 2116 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2812 | 2116 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1640 | 2116 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2376 | 2116 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2980 | 2116 | schtasks.exe | 34
resource | yara_rule
behavioral1/files/0x0008000000016d70-9.dat | dcrat
behavioral1/memory/2808-13-0x0000000001090000-0x00000000011A0000-memory.dmp | dcrat
behavioral1/memory/812-66-0x0000000000040000-0x0000000000150000-memory.dmp | dcrat
behavioral1/memory/1600-125-0x0000000000A20000-0x0000000000B30000-memory.dmp | dcrat
behavioral1/memory/2132-185-0x0000000001020000-0x0000000001130000-memory.dmp | dcrat
behavioral1/memory/948-485-0x0000000001280000-0x0000000001390000-memory.dmp | dcrat
Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
pid | Process
472 | powershell.exe
2372 | powershell.exe
584 | powershell.exe
1148 | powershell.exe
2396 | powershell.exe
1744 | powershell.exe
Executes dropped EXE 11 IoCs
pid | Process
2808 | DllCommonsvc.exe
812 | sppsvc.exe
1600 | sppsvc.exe
2132 | sppsvc.exe
1204 | sppsvc.exe
2720 | sppsvc.exe
2888 | sppsvc.exe
2172 | sppsvc.exe
948 | sppsvc.exe
2236 | sppsvc.exe
1020 | sppsvc.exe
Loads dropped DLL 2 IoCs
pid | Process
2940 | cmd.exe
2940 | cmd.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs
flow | ioc
22 | raw.githubusercontent.com
5 | raw.githubusercontent.com
9 | raw.githubusercontent.com
12 | raw.githubusercontent.com
16 | raw.githubusercontent.com
32 | raw.githubusercontent.com
4 | raw.githubusercontent.com
19 | raw.githubusercontent.com
25 | raw.githubusercontent.com
28 | raw.githubusercontent.com
Drops file in Program Files directory 4 IoCs
description | ioc | Process
File created | C:\Program Files\Windows Portable Devices\sppsvc.exe | DllCommonsvc.exe
File created | C:\Program Files\Windows Portable Devices\0a1fd5f707cd16 | DllCommonsvc.exe
File created | C:\Program Files (x86)\Windows Mail\ja-JP\DllCommonsvc.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\Windows Mail\ja-JP\a76d7bf15d8370 | DllCommonsvc.exe
Drops file in Windows directory 2 IoCs
description | ioc | Process
File created | C:\Windows\PCHEALTH\dwm.exe | DllCommonsvc.exe
File created | C:\Windows\PCHEALTH\6cb0b6c459d5d3 | DllCommonsvc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_3d2ba41c1ffe859614445f6a7b36e30075d581387e8480b4fb3c44a90ad4224b.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
2980 | schtasks.exe
2548 | schtasks.exe
1068 | schtasks.exe
2596 | schtasks.exe
2964 | schtasks.exe
1640 | schtasks.exe
2376 | schtasks.exe
2176 | schtasks.exe
2356 | schtasks.exe
1116 | schtasks.exe
1440 | schtasks.exe
2812 | schtasks.exe
3036 | schtasks.exe
2996 | schtasks.exe
1260 | schtasks.exe
Suspicious behavior: CmdExeWriteProcessMemorySpam 10 IoCs
pid | Process
812 | sppsvc.exe
1600 | sppsvc.exe
2132 | sppsvc.exe
1204 | sppsvc.exe
2720 | sppsvc.exe
2888 | sppsvc.exe
2172 | sppsvc.exe
948 | sppsvc.exe
2236 | sppsvc.exe
1020 | sppsvc.exe
Suspicious behavior: EnumeratesProcesses 16 IoCs
pid | Process
2808 | DllCommonsvc.exe
2372 | powershell.exe
472 | powershell.exe
1148 | powershell.exe
1744 | powershell.exe
2396 | powershell.exe
584 | powershell.exe
812 | sppsvc.exe
1600 | sppsvc.exe
2132 | sppsvc.exe
1204 | sppsvc.exe
2720 | sppsvc.exe
2888 | sppsvc.exe
2172 | sppsvc.exe
948 | sppsvc.exe
2236 | sppsvc.exe
Suspicious use of AdjustPrivilegeToken 16 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2808 | DllCommonsvc.exe
Token: SeDebugPrivilege | 2372 | powershell.exe
Token: SeDebugPrivilege | 1148 | powershell.exe
Token: SeDebugPrivilege | 472 | powershell.exe
Token: SeDebugPrivilege | 1744 | powershell.exe
Token: SeDebugPrivilege | 2396 | powershell.exe
Token: SeDebugPrivilege | 584 | powershell.exe
Token: SeDebugPrivilege | 812 | sppsvc.exe
Token: SeDebugPrivilege | 1600 | sppsvc.exe
Token: SeDebugPrivilege | 2132 | sppsvc.exe
Token: SeDebugPrivilege | 1204 | sppsvc.exe
Token: SeDebugPrivilege | 2720 | sppsvc.exe
Token: SeDebugPrivilege | 2888 | sppsvc.exe
Token: SeDebugPrivilege | 2172 | sppsvc.exe
Token: SeDebugPrivilege | 948 | sppsvc.exe
Token: SeDebugPrivilege | 2236 | sppsvc.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 2880 wrote to memory of 2060 | 2880 | JaffaCakes118_3d2ba41c1ffe859614445f6a7b36e30075d581387e8480b4fb3c44a90ad4224b.exe | 30
PID 2880 wrote to memory of 2060 | 2880 | JaffaCakes118_3d2ba41c1ffe859614445f6a7b36e30075d581387e8480b4fb3c44a90ad4224b.exe | 30
PID 2880 wrote to memory of 2060 | 2880 | JaffaCakes118_3d2ba41c1ffe859614445f6a7b36e30075d581387e8480b4fb3c44a90ad4224b.exe | 30
PID 2880 wrote to memory of 2060 | 2880 | JaffaCakes118_3d2ba41c1ffe859614445f6a7b36e30075d581387e8480b4fb3c44a90ad4224b.exe | 30
PID 2060 wrote to memory of 2940 | 2060 | WScript.exe | 31
PID 2060 wrote to memory of 2940 | 2060 | WScript.exe | 31
PID 2060 wrote to memory of 2940 | 2060 | WScript.exe | 31
PID 2060 wrote to memory of 2940 | 2060 | WScript.exe | 31
PID 2940 wrote to memory of 2808 | 2940 | cmd.exe | 33
PID 2940 wrote to memory of 2808 | 2940 | cmd.exe | 33
PID 2940 wrote to memory of 2808 | 2940 | cmd.exe | 33
PID 2940 wrote to memory of 2808 | 2940 | cmd.exe | 33
PID 2808 wrote to memory of 1744 | 2808 | DllCommonsvc.exe | 50
PID 2808 wrote to memory of 1744 | 2808 | DllCommonsvc.exe | 50
PID 2808 wrote to memory of 1744 | 2808 | DllCommonsvc.exe | 50
PID 2808 wrote to memory of 2396 | 2808 | DllCommonsvc.exe | 51
PID 2808 wrote to memory of 2396 | 2808 | DllCommonsvc.exe | 51
PID 2808 wrote to memory of 2396 | 2808 | DllCommonsvc.exe | 51
PID 2808 wrote to memory of 1148 | 2808 | DllCommonsvc.exe | 52
PID 2808 wrote to memory of 1148 | 2808 | DllCommonsvc.exe | 52
PID 2808 wrote to memory of 1148 | 2808 | DllCommonsvc.exe | 52
PID 2808 wrote to memory of 584 | 2808 | DllCommonsvc.exe | 53
PID 2808 wrote to memory of 584 | 2808 | DllCommonsvc.exe | 53
PID 2808 wrote to memory of 584 | 2808 | DllCommonsvc.exe | 53
PID 2808 wrote to memory of 2372 | 2808 | DllCommonsvc.exe | 54
PID 2808 wrote to memory of 2372 | 2808 | DllCommonsvc.exe | 54
PID 2808 wrote to memory of 2372 | 2808 | DllCommonsvc.exe | 54
PID 2808 wrote to memory of 472 | 2808 | DllCommonsvc.exe | 55
PID 2808 wrote to memory of 472 | 2808 | DllCommonsvc.exe | 55
PID 2808 wrote to memory of 472 | 2808 | DllCommonsvc.exe | 55
PID 2808 wrote to memory of 1344 | 2808 | DllCommonsvc.exe | 62
PID 2808 wrote to memory of 1344 | 2808 | DllCommonsvc.exe | 62
PID 2808 wrote to memory of 1344 | 2808 | DllCommonsvc.exe | 62
PID 1344 wrote to memory of 780 | 1344 | cmd.exe | 64
PID 1344 wrote to memory of 780 | 1344 | cmd.exe | 64
PID 1344 wrote to memory of 780 | 1344 | cmd.exe | 64
PID 1344 wrote to memory of 812 | 1344 | cmd.exe | 65
PID 1344 wrote to memory of 812 | 1344 | cmd.exe | 65
PID 1344 wrote to memory of 812 | 1344 | cmd.exe | 65
PID 1344 wrote to memory of 812 | 1344 | cmd.exe | 65
PID 1344 wrote to memory of 812 | 1344 | cmd.exe | 65
PID 812 wrote to memory of 2900 | 812 | sppsvc.exe | 66
PID 812 wrote to memory of 2900 | 812 | sppsvc.exe | 66
PID 812 wrote to memory of 2900 | 812 | sppsvc.exe | 66
PID 2900 wrote to memory of 2624 | 2900 | cmd.exe | 68
PID 2900 wrote to memory of 2624 | 2900 | cmd.exe | 68
PID 2900 wrote to memory of 2624 | 2900 | cmd.exe | 68
PID 2900 wrote to memory of 1600 | 2900 | cmd.exe | 69
PID 2900 wrote to memory of 1600 | 2900 | cmd.exe | 69
PID 2900 wrote to memory of 1600 | 2900 | cmd.exe | 69
PID 2900 wrote to memory of 1600 | 2900 | cmd.exe | 69
PID 2900 wrote to memory of 1600 | 2900 | cmd.exe | 69
PID 1600 wrote to memory of 2472 | 1600 | sppsvc.exe | 70
PID 1600 wrote to memory of 2472 | 1600 | sppsvc.exe | 70
PID 1600 wrote to memory of 2472 | 1600 | sppsvc.exe | 70
PID 2472 wrote to memory of 2468 | 2472 | cmd.exe | 72
PID 2472 wrote to memory of 2468 | 2472 | cmd.exe | 72
PID 2472 wrote to memory of 2468 | 2472 | cmd.exe | 72
PID 2472 wrote to memory of 2132 | 2472 | cmd.exe | 73
PID 2472 wrote to memory of 2132 | 2472 | cmd.exe | 73
PID 2472 wrote to memory of 2132 | 2472 | cmd.exe | 73
PID 2472 wrote to memory of 2132 | 2472 | cmd.exe | 73
PID 2472 wrote to memory of 2132 | 2472 | cmd.exe | 73
PID 2132 wrote to memory of 2452 | 2132 | sppsvc.exe | 74
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

Process (level 1): C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3d2ba41c1ffe859614445f6a7b36e30075d581387e8480b4fb3c44a90ad4224b.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3d2ba41c1ffe859614445f6a7b36e30075d581387e8480b4fb3c44a90ad4224b.exe"
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 2880

Process (level 2): C:\Windows\SysWOW64\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 2060

Process (level 3): C:\Windows\SysWOW64\cmd.exe
Command line: cmd /c ""C:\providercommon\1zu9dW.bat" "
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 2940

Process (level 4): C:\providercommon\DllCommonsvc.exe
Command line: "C:\providercommon\DllCommonsvc.exe"
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 2808
Process (level 5): C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1744

Process (level 5): C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\DllCommonsvc.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2396

Process (level 5): C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PCHEALTH\dwm.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1148

Process (level 5): C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\smss.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 584

Process (level 5): C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\ja-JP\DllCommonsvc.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2372

Process (level 5): C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\sppsvc.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 472
Process (level 5): C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\myKUpRCvQy.bat"
- Suspicious use of WriteProcessMemory
PID: 1344

Process (level 6): C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 780

Process (level 6): C:\Program Files\Windows Portable Devices\sppsvc.exe
Command line: "C:\Program Files\Windows Portable Devices\sppsvc.exe"
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 812
Process (level 7): C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat"
- Suspicious use of WriteProcessMemory
PID: 2900

Process (level 8): C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 2624

Process (level 8): C:\Program Files\Windows Portable Devices\sppsvc.exe
Command line: "C:\Program Files\Windows Portable Devices\sppsvc.exe"
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 1600

Process (level 9): C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pCY6B1XXru.bat"
- Suspicious use of WriteProcessMemory
PID: 2472

Process (level 10): C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 2468

Process (level 10): C:\Program Files\Windows Portable Devices\sppsvc.exe
Command line: "C:\Program Files\Windows Portable Devices\sppsvc.exe"
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 2132
Process (level 11): C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GX2kvMhQbI.bat"
PID: 2452

Process (level 12): C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 1148

Process (level 12): C:\Program Files\Windows Portable Devices\sppsvc.exe
Command line: "C:\Program Files\Windows Portable Devices\sppsvc.exe"
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1204

Process (level 13): C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QSfwyRFOJU.bat"
PID: 2572

Process (level 14): C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 3048

Process (level 14): C:\Program Files\Windows Portable Devices\sppsvc.exe
Command line: "C:\Program Files\Windows Portable Devices\sppsvc.exe"
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2720

Process (level 15): C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gQkyN2upze.bat"
PID: 700

Process (level 16): C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 1600

Process (level 16): C:\Program Files\Windows Portable Devices\sppsvc.exe
Command line: "C:\Program Files\Windows Portable Devices\sppsvc.exe"
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2888

Process (level 17): C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\83zFD3riGi.bat"
PID: 956

Process (level 18): C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 472

Process (level 18): C:\Program Files\Windows Portable Devices\sppsvc.exe
Command line: "C:\Program Files\Windows Portable Devices\sppsvc.exe"
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2172

Process (level 19): C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Bf5uratM3O.bat"
PID: 2828

Process (level 20): C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 2564

Process (level 20): C:\Program Files\Windows Portable Devices\sppsvc.exe
Command line: "C:\Program Files\Windows Portable Devices\sppsvc.exe"
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 948

Process (level 21): C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Bf5uratM3O.bat"
PID: 2660

Process (level 22): C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 2080

Process (level 22): C:\Program Files\Windows Portable Devices\sppsvc.exe
Command line: "C:\Program Files\Windows Portable Devices\sppsvc.exe"
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2236

Process (level 23): C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\64IFTJQeKo.bat"
PID: 332

Process (level 24): C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 1400

Process (level 24): C:\Program Files\Windows Portable Devices\sppsvc.exe
Command line: "C:\Program Files\Windows Portable Devices\sppsvc.exe"
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID: 1020
Process (level 1): C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 13 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\DllCommonsvc.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2548

Process (level 1): C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\DllCommonsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 1068

Process (level 1): C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 5 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\DllCommonsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2176

Process (level 1): C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Windows\PCHEALTH\dwm.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2596

Process (level 1): C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\PCHEALTH\dwm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 3036

Process (level 1): C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Windows\PCHEALTH\dwm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2996

Process (level 1): C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\smss.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2356

Process (level 1): C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\smss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 1260

Process (level 1): C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\smss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2964

Process (level 1): C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Mail\ja-JP\DllCommonsvc.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 1116

Process (level 1): C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\ja-JP\DllCommonsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 1440

Process (level 1): C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Mail\ja-JP\DllCommonsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2812

Process (level 1): C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Portable Devices\sppsvc.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 1640

Process (level 1): C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\sppsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2376

Process (level 1): C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Portable Devices\sppsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2980
Network
MITRE ATT&CK Enterprise v15
Downloads