Analysis
max time kernel: 142s
max time network: 138s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 21-12-2024 19:50
Behavioral task behavioral1
Sample: JaffaCakes118_d146246e5dc3689634e6691e9afbf198682ff8d022ae0662557db66accc3e9b5.exe
Resource: win7-20240903-en
Behavioral task behavioral2
Sample: JaffaCakes118_d146246e5dc3689634e6691e9afbf198682ff8d022ae0662557db66accc3e9b5.exe
Resource: win10v2004-20241007-en
General
Target: JaffaCakes118_d146246e5dc3689634e6691e9afbf198682ff8d022ae0662557db66accc3e9b5.exe
Size: 1.3MB
MD5: 3b901ad8a508e56be9e9453085f6cdd3
SHA1: 4fd624efe04557c69fba0bbad5ce156ba7e1d4ed
SHA256: d146246e5dc3689634e6691e9afbf198682ff8d022ae0662557db66accc3e9b5
SHA512: b693d6e6db976fbde730191ee73ac3d9fa48c6fc9e9cf663af951fcdf6895ed15d5c6b51e14e9d6a136b71499a5564d94b16b5edd58bfd4150c09c51ab4dcbba
SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
DcRat
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
Dcrat family
Process spawned unexpected child process 18 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description (all 18 rows): Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
pid | pid_target | Process | procid_target
2844 | 2732 | schtasks.exe | 35
2264 | 2732 | schtasks.exe | 35
2884 | 2732 | schtasks.exe | 35
2612 | 2732 | schtasks.exe | 35
2680 | 2732 | schtasks.exe | 35
3036 | 2732 | schtasks.exe | 35
2836 | 2732 | schtasks.exe | 35
1332 | 2732 | schtasks.exe | 35
1680 | 2732 | schtasks.exe | 35
352 | 2732 | schtasks.exe | 35
1020 | 2732 | schtasks.exe | 35
1712 | 2732 | schtasks.exe | 35
1844 | 2732 | schtasks.exe | 35
1420 | 2732 | schtasks.exe | 35
2428 | 2732 | schtasks.exe | 35
1944 | 2732 | schtasks.exe | 35
1948 | 2732 | schtasks.exe | 35
1736 | 2732 | schtasks.exe | 35
resource | yara_rule
behavioral1/files/0x000700000001903b-9.dat | dcrat
behavioral1/memory/2560-13-0x0000000001290000-0x00000000013A0000-memory.dmp | dcrat
behavioral1/memory/348-73-0x0000000000B50000-0x0000000000C60000-memory.dmp | dcrat
behavioral1/memory/1736-192-0x0000000000C30000-0x0000000000D40000-memory.dmp | dcrat
behavioral1/memory/1776-252-0x00000000001C0000-0x00000000002D0000-memory.dmp | dcrat
behavioral1/memory/3036-312-0x0000000001320000-0x0000000001430000-memory.dmp | dcrat
Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
pid | Process
792 | powershell.exe
1912 | powershell.exe
2424 | powershell.exe
1452 | powershell.exe
1612 | powershell.exe
2348 | powershell.exe
816 | powershell.exe
Executes dropped EXE 12 IoCs
pid | Process
2560 | DllCommonsvc.exe
348 | OSPPSVC.exe
1688 | OSPPSVC.exe
1736 | OSPPSVC.exe
1776 | OSPPSVC.exe
3036 | OSPPSVC.exe
2852 | OSPPSVC.exe
600 | OSPPSVC.exe
1988 | OSPPSVC.exe
1584 | OSPPSVC.exe
448 | OSPPSVC.exe
2212 | OSPPSVC.exe
Loads dropped DLL 2 IoCs
pid | Process
1852 | cmd.exe
1852 | cmd.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs
flow | ioc
22 | raw.githubusercontent.com
32 | raw.githubusercontent.com
4 | raw.githubusercontent.com
5 | raw.githubusercontent.com
18 | raw.githubusercontent.com
25 | raw.githubusercontent.com
29 | raw.githubusercontent.com
36 | raw.githubusercontent.com
9 | raw.githubusercontent.com
12 | raw.githubusercontent.com
15 | raw.githubusercontent.com
Drops file in Program Files directory 5 IoCs
description | ioc | Process
File created | C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\System.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\27d1bcfc3c54e0 | DllCommonsvc.exe
File created | C:\Program Files\VideoLAN\dllhost.exe | DllCommonsvc.exe
File opened for modification | C:\Program Files\VideoLAN\dllhost.exe | DllCommonsvc.exe
File created | C:\Program Files\VideoLAN\5940a34987c991 | DllCommonsvc.exe
Drops file in Windows directory 6 IoCs
description | ioc | Process
File created | C:\Windows\rescache\rc0006\dwm.exe | DllCommonsvc.exe
File created | C:\Windows\rescache\rc0006\sppsvc.exe | DllCommonsvc.exe
File created | C:\Windows\Downloaded Program Files\lsass.exe | DllCommonsvc.exe
File created | C:\Windows\Downloaded Program Files\6203df4a6bafc7 | DllCommonsvc.exe
File created | C:\Windows\L2Schemas\wininit.exe | DllCommonsvc.exe
File created | C:\Windows\L2Schemas\56085415360792 | DllCommonsvc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_d146246e5dc3689634e6691e9afbf198682ff8d022ae0662557db66accc3e9b5.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
2844 | schtasks.exe
2264 | schtasks.exe
3036 | schtasks.exe
1712 | schtasks.exe
1420 | schtasks.exe
2884 | schtasks.exe
2612 | schtasks.exe
2680 | schtasks.exe
2836 | schtasks.exe
352 | schtasks.exe
2428 | schtasks.exe
1944 | schtasks.exe
1948 | schtasks.exe
1332 | schtasks.exe
1680 | schtasks.exe
1020 | schtasks.exe
1844 | schtasks.exe
1736 | schtasks.exe
Suspicious behavior: EnumeratesProcesses 23 IoCs
pid | Process
2560 | DllCommonsvc.exe
2560 | DllCommonsvc.exe
2560 | DllCommonsvc.exe
2560 | DllCommonsvc.exe
2560 | DllCommonsvc.exe
2348 | powershell.exe
2424 | powershell.exe
792 | powershell.exe
1912 | powershell.exe
816 | powershell.exe
1612 | powershell.exe
1452 | powershell.exe
348 | OSPPSVC.exe
1688 | OSPPSVC.exe
1736 | OSPPSVC.exe
1776 | OSPPSVC.exe
3036 | OSPPSVC.exe
2852 | OSPPSVC.exe
600 | OSPPSVC.exe
1988 | OSPPSVC.exe
1584 | OSPPSVC.exe
448 | OSPPSVC.exe
2212 | OSPPSVC.exe
Suspicious use of AdjustPrivilegeToken 19 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2560 | DllCommonsvc.exe
Token: SeDebugPrivilege | 2348 | powershell.exe
Token: SeDebugPrivilege | 2424 | powershell.exe
Token: SeDebugPrivilege | 792 | powershell.exe
Token: SeDebugPrivilege | 1912 | powershell.exe
Token: SeDebugPrivilege | 816 | powershell.exe
Token: SeDebugPrivilege | 1612 | powershell.exe
Token: SeDebugPrivilege | 1452 | powershell.exe
Token: SeDebugPrivilege | 348 | OSPPSVC.exe
Token: SeDebugPrivilege | 1688 | OSPPSVC.exe
Token: SeDebugPrivilege | 1736 | OSPPSVC.exe
Token: SeDebugPrivilege | 1776 | OSPPSVC.exe
Token: SeDebugPrivilege | 3036 | OSPPSVC.exe
Token: SeDebugPrivilege | 2852 | OSPPSVC.exe
Token: SeDebugPrivilege | 600 | OSPPSVC.exe
Token: SeDebugPrivilege | 1988 | OSPPSVC.exe
Token: SeDebugPrivilege | 1584 | OSPPSVC.exe
Token: SeDebugPrivilege | 448 | OSPPSVC.exe
Token: SeDebugPrivilege | 2212 | OSPPSVC.exe
Suspicious use of WriteProcessMemory 64 IoCs
Each row is one "PID <pid> wrote to memory of <pid_target>" event; identical consecutive events are collapsed into the calls column (64 events in total).
pid | Process | pid_target | procid_target | calls
2564 | JaffaCakes118_d146246e5dc3689634e6691e9afbf198682ff8d022ae0662557db66accc3e9b5.exe | 1160 | 30 | 4
1160 | WScript.exe | 1852 | 32 | 4
1852 | cmd.exe | 2560 | 34 | 4
2560 | DllCommonsvc.exe | 2424 | 54 | 3
2560 | DllCommonsvc.exe | 2348 | 55 | 3
2560 | DllCommonsvc.exe | 1612 | 56 | 3
2560 | DllCommonsvc.exe | 1452 | 57 | 3
2560 | DllCommonsvc.exe | 816 | 58 | 3
2560 | DllCommonsvc.exe | 792 | 60 | 3
2560 | DllCommonsvc.exe | 1912 | 61 | 3
2560 | DllCommonsvc.exe | 2656 | 65 | 3
2656 | cmd.exe | 2512 | 70 | 3
2656 | cmd.exe | 348 | 71 | 3
348 | OSPPSVC.exe | 1108 | 72 | 3
1108 | cmd.exe | 3060 | 74 | 3
1108 | cmd.exe | 1688 | 75 | 3
1688 | OSPPSVC.exe | 2340 | 76 | 3
2340 | cmd.exe | 780 | 78 | 3
2340 | cmd.exe | 1736 | 79 | 3
1736 | OSPPSVC.exe | 1664 | 80 | 3
1664 | cmd.exe | 2004 | 82 | 1
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
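The signatures above describe three behaviours that are cheap to detect from ordinary process-creation telemetry: wmiprvse.exe spawning schtasks.exe, PowerShell calling Add-MpPreference to add Defender exclusions, and schtasks /create persistence whose target is a copy of a Windows binary (lsass.exe, csrss.exe, wininit.exe, dllhost.exe) sitting outside its normal directory. The detection pass below is an added example written for this page, not sandbox output or code from the sample. The event records are constructed to mirror command lines in this report, and the expected-directory allow-list and the parent/child deny-list are simplified assumptions for illustration, not authoritative lists.

```python
"""
Detection pass over process-creation events for three behaviours flagged in
the report: wmiprvse.exe spawning schtasks.exe, PowerShell adding Defender
exclusions (Add-MpPreference), and schtasks /create persistence whose target
is a Windows system binary name living outside its expected directory.

The event records are CONSTRUCTED for this example (they mirror command lines
from the report but are not sandbox output); the allow-list and deny-list
below are simplified ASSUMPTIONS.
"""
import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (the fields a Sysmon EID 1 event carries)."""
    pid: int
    image: str          # full path of the new process
    cmdline: str        # command line as logged
    parent_image: str   # full path of the parent process


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    detail: str


# ASSUMPTION: simplified allow-list of where these binary names may run from.
EXPECTED_DIRS = {
    "lsass.exe":   {r"c:\windows\system32"},
    "csrss.exe":   {r"c:\windows\system32"},
    "wininit.exe": {r"c:\windows\system32"},
    "dwm.exe":     {r"c:\windows\system32"},
    "sppsvc.exe":  {r"c:\windows\system32"},
    "dllhost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
}

# ASSUMPTION: parents that should never launch these children.
UNEXPECTED_CHILDREN = {
    "wmiprvse.exe": {"schtasks.exe", "cmd.exe", "powershell.exe"},
}

DEFENDER_EXCLUSION_RE = re.compile(
    r"add-mppreference\b.*-exclusion(?:path|process|extension)", re.I)
# Captures the /tr argument up to the next /switch; quotes are stripped after.
TASK_TARGET_RE = re.compile(r"/tr\s+(.+?)(?=\s+/\w+|$)", re.I)


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def is_masquerading(path: str) -> bool:
    """True if a watched binary name runs from a directory not on its allow-list."""
    name = _base(path)
    if name not in EXPECTED_DIRS:
        return False
    return ntpath.dirname(path).lower() not in EXPECTED_DIRS[name]


def task_target(cmdline: str):
    """Return the executable path from a 'schtasks /create ... /tr <target>' line."""
    m = TASK_TARGET_RE.search(cmdline)
    return m.group(1).strip("\"'") if m else None


def detect(events):
    """Apply the three rules to every event and return the findings."""
    findings = []
    for ev in events:
        child, parent = _base(ev.image), _base(ev.parent_image)
        if child in UNEXPECTED_CHILDREN.get(parent, ()):
            findings.append(Finding("unexpected_child", ev.pid,
                                    f"{parent} spawned {child}"))
        if child == "powershell.exe" and DEFENDER_EXCLUSION_RE.search(ev.cmdline):
            findings.append(Finding("defender_exclusion", ev.pid, ev.cmdline))
        if child == "schtasks.exe" and re.search(r"/create\b", ev.cmdline, re.I):
            target = task_target(ev.cmdline)
            if target and is_masquerading(target):
                level = "HIGHEST" if re.search(r"/rl\s+highest", ev.cmdline, re.I) else "default"
                findings.append(Finding("task_masquerade", ev.pid,
                                        f"{target} (run level {level})"))
    return findings


# CONSTRUCTED sample events mirroring command lines seen in this report.
SAMPLE_EVENTS = [
    ProcEvent(2424, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"""powershell -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'""",
              r"C:\providercommon\DllCommonsvc.exe"),
    ProcEvent(2264, r"C:\Windows\system32\schtasks.exe",
              r"""schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\dllhost.exe'" /rl HIGHEST /f""",
              r"C:\Windows\system32\wbem\wmiprvse.exe"),
    ProcEvent(2680, r"C:\Windows\system32\schtasks.exe",
              r"""schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\Downloaded Program Files\lsass.exe'" /rl HIGHEST /f""",
              r"C:\Windows\system32\wbem\wmiprvse.exe"),
    # Benign control: an ordinary task created from an interactive shell.
    ProcEvent(4100, r"C:\Windows\system32\schtasks.exe",
              r"""schtasks.exe /create /tn "Backup" /sc DAILY /tr "C:\Program Files\Backup\backup.exe" /f""",
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent(2512, r"C:\Windows\system32\w32tm.exe",
              "w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2",
              r"C:\Windows\System32\cmd.exe"),
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f.rule}] pid={f.pid}: {f.detail}")
```

In production the ProcEvent fields come from Sysmon Event ID 1 or Windows 4688 with command-line auditing enabled; without command-line logging the Add-MpPreference and /tr checks have nothing to match on. The allow-list is deliberately narrow: servicing copies under WinSxS or legitimate SysWOW64 binaries would need to be added before deploying a rule like this, otherwise the masquerade check produces false positives.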
Processes
Depth 1: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d146246e5dc3689634e6691e9afbf198682ff8d022ae0662557db66accc3e9b5.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d146246e5dc3689634e6691e9afbf198682ff8d022ae0662557db66accc3e9b5.exe"
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 2564

Depth 2: C:\Windows\SysWOW64\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 1160

Depth 3: C:\Windows\SysWOW64\cmd.exe
Command line: cmd /c ""C:\providercommon\1zu9dW.bat" "
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 1852

Depth 4: C:\providercommon\DllCommonsvc.exe
Command line: "C:\providercommon\DllCommonsvc.exe"
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 2560

Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2424

Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\dllhost.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2348

Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Downloaded Program Files\lsass.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1612

Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\csrss.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1452

Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\OSPPSVC.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 816

Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\L2Schemas\wininit.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 792

Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\System.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1912

Depth 5: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\f3YgPfhNWN.bat"
- Suspicious use of WriteProcessMemory
PID: 2656

Depth 6: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 2512

Depth 6: C:\Users\Default User\OSPPSVC.exe
Command line: "C:\Users\Default User\OSPPSVC.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 348

Depth 7: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5irhJyFUC1.bat"
- Suspicious use of WriteProcessMemory
PID: 1108

Depth 8: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 3060

Depth 8: C:\Users\Default User\OSPPSVC.exe
Command line: "C:\Users\Default User\OSPPSVC.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 1688

Depth 9: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IPU7rAfrPc.bat"
- Suspicious use of WriteProcessMemory
PID: 2340

Depth 10: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 780

Depth 10: C:\Users\Default User\OSPPSVC.exe
Command line: "C:\Users\Default User\OSPPSVC.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 1736

Depth 11: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0Sh6ipYOoX.bat"
- Suspicious use of WriteProcessMemory
PID: 1664

Depth 12: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 2004

Depth 12: C:\Users\Default User\OSPPSVC.exe
Command line: "C:\Users\Default User\OSPPSVC.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1776

Depth 13: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LIqDUaLb8G.bat"
PID: 2672

Depth 14: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 536

Depth 14: C:\Users\Default User\OSPPSVC.exe
Command line: "C:\Users\Default User\OSPPSVC.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 3036

Depth 15: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LIqDUaLb8G.bat"
PID: 1956

Depth 16: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 108

Depth 16: C:\Users\Default User\OSPPSVC.exe
Command line: "C:\Users\Default User\OSPPSVC.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2852

Depth 17: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\c0TJHXkWh8.bat"
PID: 688

Depth 18: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 2012

Depth 18: C:\Users\Default User\OSPPSVC.exe
Command line: "C:\Users\Default User\OSPPSVC.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 600

Depth 19: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oPL6j2OtN4.bat"
PID: 2932

Depth 20: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 1764

Depth 20: C:\Users\Default User\OSPPSVC.exe
Command line: "C:\Users\Default User\OSPPSVC.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1988

Depth 21: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qpvm5o68kg.bat"
PID: 2088

Depth 22: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 2336

Depth 22: C:\Users\Default User\OSPPSVC.exe
Command line: "C:\Users\Default User\OSPPSVC.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1584

Depth 23: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\s1KW4B7p45.bat"
PID: 2976

Depth 24: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 2404

Depth 24: C:\Users\Default User\OSPPSVC.exe
Command line: "C:\Users\Default User\OSPPSVC.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 448

Depth 25: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GsZYO5BIqk.bat"
PID: 2248

Depth 26: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 2904

Depth 26: C:\Users\Default User\OSPPSVC.exe
Command line: "C:\Users\Default User\OSPPSVC.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2212
Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files\VideoLAN\dllhost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2844

Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\dllhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2264

Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files\VideoLAN\dllhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2884

Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Windows\Downloaded Program Files\lsass.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2612

Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\Downloaded Program Files\lsass.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2680

Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Windows\Downloaded Program Files\lsass.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 3036

Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\csrss.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2836

Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 1332

Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 1680

Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\OSPPSVC.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 352

Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\Default User\OSPPSVC.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 1020

Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\OSPPSVC.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 1712

Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Windows\L2Schemas\wininit.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 1844

Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\L2Schemas\wininit.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 1420

Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Windows\L2Schemas\wininit.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2428

Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\System.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 1944

Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\System.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 1948

Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\System.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 1736
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 25c943eaa5415a91515144676b4d1f17
SHA1: b0160ab5ac4ba36c473607c0343e8272845b6d6b
SHA256: 78023d56bc3a524808336e4f294a1eb767a6a89c405921c0bb21b7a645c9c2cf
SHA512: 233f1d4b3a48656e999f2fc95b8cb9a231e676aa202cc8f3c8fe3acbef5bcfde5a2099fcfa83cbdda110d8c32caf0b404e1bfeb266e5640db29f2aa4da4895ea
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 22d3120ef3a943ecbf02cf36bfb83723
SHA1: d2a31e8ece59d8b5090276ab6c4a678a8e250a57
SHA256: 4f627b714aa934807fa43ffd27c8c4c136f3a0e0b92b9a42ee25652cd5f4215c
SHA512: 31114d6acc2479e8feb84b3d036523c2f86070f383d7acabf5b88a19dfd7bae2efe0669699c14afe09fc5497e05c8537f3ff44f7e8aad785f072f7760ca174cf
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 667afdeeaa66d2d94d69d05283844f20
SHA1: 773e9b5ab41cda46a1b177667909c27304979ab4
SHA256: 9c40838d974bc8cbe0537670505e77f4746433bc7bd480d321b21bd5c12347a9
SHA512: 7b6a4f9985879c0768ff8a021d25610cdb50f3b34c264195793d8b1f5507aeeeb5c3a59c002f60ca32488d5078d62e62f8554ae1e7e4c0f969f066768de2d7a3
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 2a4125d1570011fe9d9c9120597bbe64
SHA1: ec18be8bb58ade6badcf6772ceba9a363532df7f
SHA256: 4fae480db15346fe192863bc8b55e634a07ecbcd540fabcbc94b356b0d4c750f
SHA512: bf7bf3b9ca1e8b203f3927f2eda229bd3d09f1b6c74046d1b22156529220d70a368f9fe4ca1152a3c1ffd9b70977d84b7373cbce2459f225f58ff82d684e4582
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 8d5bb7027a5ada94318302f2b19ff9e6
SHA1: 76088675c1fa7f65689be60808f4bfb588bdf892
SHA256: 344d89bf65b08eb886620171ad5c2b7b9d3ce71b44cc55c2ab82791f9890d08d
SHA512: a18df7bec557ff215f07f7ee85429b74a924d026f2fb5c82723dccc14ac8b9b78a3b432dfb497f403f8b8f02c779a12f6ac759039d4a9f7e6d25fe917f69e545
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: aadb7c00f8612b89775be51d617f0170
SHA1: 4967ab5063e893353efec7aa8fa0a89ada198e85
SHA256: a6f4b93c56faa197232ce6e778f37300a1f5858c0167d7e79868c9e9fed2a427
SHA512: 6daef870839c14ca5704e42fe60fce2f2693499df22892f9ccbc45587e99f3ef9fa62000837713d0bd58579538826b20a13593fc198ea358dd5d6595587a0123
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 853fc9ca102934bda99e6b41c9354fbf
SHA1: 223e0cea9a458a4b814e10544992700328c7f6d6
SHA256: 22297d8d4356fb4cea2b8dfde5b1439be7a76b0d6d194080589c121f4bd2b417
SHA512: 961bc62f7c88098998c705c7f760ea9cdad644ae0a039fce96d1e70a34005f85420e0062bd4defb362fe7a0fd0413e00642084218431dfbb9a3602bc1be287cc
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 9ee2f1ecb23662e74e4f74d355c6aef2
SHA1: a477b6b96ae3ac169c17db960ea58d36ac8e5700
SHA256: 931bed6b6b2ffba472bb453dd8a3fa9958711231818583e6cc9703e30177d125
SHA512: c192d5a74393655f640f8001561e5d4498e83fb786f21c73da2b63a9853d26f9aa5274790b8c930749ee01f2b2f3b94f8d65c83434f7ab3ad534a812df900cc7
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: b15904bff78b8d3ed1df8c23c985131c
SHA1: 6bef5e20b4906258e8dbd1253fe9b30db481caf1
SHA256: f1f154e492bccaa7d84706879dc11731a35557a2f34a67b801540d2540be933f
SHA512: 8dc4b3e741be6df7d3914c8fb988a367bdc6b41ebba6c8d1bf35ce27ea3e05ca63627556bbbad9a49ed3c4c4027f63e86a37bf97b2c441b4f516c1f401bc4cff
-
Filesize: 198B
MD5: cc746bc941946d90d820a9bce07dceec
SHA1: 9eb0b346975da4ea7ea622163eec9ad9c3b895da
SHA256: 33815f8f6dc08adc16040838f1aeff2d249d3dcbc29c29dd27a23545259f09bd
SHA512: 3bab33a6d16a5e366aa98208b7620e567294d86ed837dc034931ba4d01ec0c32a628d7178ee15dc01e29fb5fc45965c17d1bb39fc809bcc7264af0fabbd8f43b
-
Filesize: 198B
MD5: 829b6b741dbf9bd74d543d4054d6af8c
SHA1: d17e682f7daacb3de5298bfee373042e13a074f4
SHA256: 741a8839eab2da4eb7330e9fa86116e9e3e89b9549fc7757bb91ca4ccfb0a4c2
SHA512: fdccb4a639ee4db9b681fff6f4e69747ff163c4d5dbba4716da7402acacd36014406cdf838534315af20864ee55426b71c7f6dbd2a726345264230ece368bd62
-
Filesize: 70KB
MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1: 1723be06719828dda65ad804298d0431f6aff976
SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize: 198B
MD5: 8047d3ef2d65029b70e7b18b5c9f84ec
SHA1: bacd5a6bdba57e8d31ab8082b31b0ea8f8e9c252
SHA256: 5a533df13cba22090b766e5e25db6c9034bc4dc24f39801028ba5527a80beafc
SHA512: fbec3fae711642fe8ee1007acd13593f847ae2d0049eeed9243248f3bc92ce0145a56ef498583877e9b04d74f96ce43a962233fef5c0319e7b62279c214c20bf
-
Filesize: 198B
MD5: 5857defe24c82051e051336e91ecc1fc
SHA1: f8546fc31646ff95400ab173cd19c467118bcf7e
SHA256: 7d544a286be065d54017de79115d613a7fadb5181175eabe76ae3251fd2e6954
SHA512: c1284d75662b16550a31e948ff65635ba5c7089641d0bee13f3bdc7f739b55b5195348e7255713f059b17f76de87a138cfd21348869ed1ab5feb093ab4ab5124
-
Filesize: 198B
MD5: e1fb67ab3fe916e22c244b544d71927b
SHA1: 72ab05f06f744c416122e162869b980130797458
SHA256: 2a885266dbfce77ffa2c4531985426666587f7ab368b8d21317a3247d33fd21b
SHA512: 76e783cbf769c2bed6e125aa06b77f3788b05b98059fba2ed193b23e2560e24ca6d876f61d9cbc89f27fe182dde278f9f30b94a9de421dbf489dbf8031542791
-
Filesize: 181KB
MD5: 4ea6026cf93ec6338144661bf1202cd1
SHA1: a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256: 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512: 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize: 198B
MD5: 8f6ea170d6c5dce0ed139b73d355de62
SHA1: f0d2b4067391c0d64777cae7b89b7e783368cc1c
SHA256: dbeb2f47426ef7436cd33ad0fda07ba078498bcdf007e35769ec3f0756d2352f
SHA512: 130cab270a2f7d65b4742a6da2f2ef973c2af22e3f7e03c250868c54d53eab4a36da612e931c936cf98af6e1df4cc9b665d321f2e05e5aad77050e45ca7ab4e3
-
Filesize: 198B
MD5: a427f0d5306b8eeaf544cfb6e75a7107
SHA1: 6009d167e4c1548384c946704ba29bd7e952dd1f
SHA256: 7f87c64e1f06cc6582c5df154d5ee11655573319b98700eb6b0b2509fd9f8c76
SHA512: bbd2e97e7f5c490ab18d945db45de52d434386b31e72ba089949e9edb40196139233231092eb8f0c7888590dd2a81245369e8cf49e66a0cd2c380e02773c482d
-
Filesize: 198B
MD5: 4cc446d2e55c0b840c18da4abd588812
SHA1: 26cd2fa18a4d37785dc99b2ffb2b13867a8cd5eb
SHA256: b88b1d2528c05b82ce40fe6fcdf52219cd35d155bdaca05cbc78385b64bda73b
SHA512: 179035e013c08e8c38addd093421707ec888ca29c0fc41d220dbb836acf60956cb25ad64e5d9d7f1938c5542de023bf7cb4da11a6d18265fffbae1885b6bc973
-
Filesize: 198B
MD5: 67841aee7388bd999cf6ea5901128839
SHA1: 8d642f34819b316e06c4c89f09a9ef5f1e76b8c4
SHA256: ab9ed18250e43faf0405db401e634e7e0730a35c344d1e32de6bb7f3d814b874
SHA512: 38d988d6b8b1113b56a9786caf63c975221a6b3d12b41b0f5def528efea865dac53d8d388dcab6b0ab7180a088e453b2e0094d4bba33cd591c08bce9131483aa
-
Filesize: 198B
MD5: d9dd4836e7d2e009718dafdd31faf82f
SHA1: 49a0bfc63a489517ce0a39b6aa40d4a2b4a39e95
SHA256: ef5c5cf97f096f21f431fb23375204652b7672c973c2bbfeeb18a75b28aa334e
SHA512: 7e1ca1dcf19d3fdd68f27852a146c586fd244d1480d9a9db2302aa3c0db85b7d49dfc27938ae25db8a156653613250897274c59cc25f25c73ff6638331ba7212
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize: 7KB
MD5: b47aeeaba9b7d13429095350692456ce
SHA1: 0cb381f421da1a673373c90f51e933a76ab98f8e
SHA256: 3dc030609ac5878cf130761822d4efffaec317e577814db5341937cdc2715abc
SHA512: b3cad1b879e6609052e8651acef17f32c971dfd3f1056f9cc2d02c3bcdbac4a704edae92c2364ec28d995f2bfea25d0a81c8403821ae8099fde1c8006641e3ac
-
Filesize: 36B
MD5: 6783c3ee07c7d151ceac57f1f9c8bed7
SHA1: 17468f98f95bf504cc1f83c49e49a78526b3ea03
SHA256: 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512: c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8
-
Filesize: 197B
MD5: 8088241160261560a02c84025d107592
SHA1: 083121f7027557570994c9fc211df61730455bb5
SHA256: 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA512: 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478
-
Filesize: 1.0MB
MD5: bd31e94b4143c4ce49c17d3af46bcad0
SHA1: f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256: b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512: f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394