Analysis
max time kernel: 147s
max time network: 148s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 21-12-2024 21:21
Behavioral task behavioral1
Sample: JaffaCakes118_d19bbafdd0fe699469222c154ad6c696b9adc6ea18c84fff3e4810b24151d389.exe
Resource: win7-20240708-en
Behavioral task behavioral2
Sample: JaffaCakes118_d19bbafdd0fe699469222c154ad6c696b9adc6ea18c84fff3e4810b24151d389.exe
Resource: win10v2004-20241007-en
General
Target: JaffaCakes118_d19bbafdd0fe699469222c154ad6c696b9adc6ea18c84fff3e4810b24151d389.exe
Size: 1.3MB
MD5: fbc0492478d6a0ce76f09ff19db60c65
SHA1: c7815fb0ffeee30f98b6e762bdeb2c784d14f15a
SHA256: d19bbafdd0fe699469222c154ad6c696b9adc6ea18c84fff3e4810b24151d389
SHA512: 4f6b740f9ef5b1fec951aaaeb3563832c95c61144de231f1b0e133bebe9ddf4eb94f071a730477003a9f4a7bb7ee1dcd0aabfb1292607aaabc1bae16356b7acf
SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
DcRat
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
Dcrat family
Process spawned unexpected child process 15 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2692 | 2812 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2000 | 2812 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2756 | 2812 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2748 | 2812 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1916 | 2812 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2824 | 2812 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2580 | 2812 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1912 | 2812 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2608 | 2812 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3036 | 2812 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1400 | 2812 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 580 | 2812 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1268 | 2812 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2472 | 2812 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2312 | 2812 | schtasks.exe | 34
resource | yara_rule
behavioral1/files/0x0007000000016d49-9.dat | dcrat
behavioral1/memory/1996-13-0x0000000000A90000-0x0000000000BA0000-memory.dmp | dcrat
behavioral1/memory/2968-63-0x00000000008A0000-0x00000000009B0000-memory.dmp | dcrat
behavioral1/memory/2908-122-0x0000000000DA0000-0x0000000000EB0000-memory.dmp | dcrat
behavioral1/memory/2800-300-0x0000000000210000-0x0000000000320000-memory.dmp | dcrat
behavioral1/memory/2256-360-0x0000000000F10000-0x0000000001020000-memory.dmp | dcrat
behavioral1/memory/1532-479-0x0000000001350000-0x0000000001460000-memory.dmp | dcrat
Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid | Process
728 | powershell.exe
1744 | powershell.exe
2040 | powershell.exe
1340 | powershell.exe
768 | powershell.exe
1760 | powershell.exe
Executes dropped EXE 11 IoCs
pid | Process
1996 | DllCommonsvc.exe
2968 | spoolsv.exe
2908 | spoolsv.exe
2092 | spoolsv.exe
2744 | spoolsv.exe
2800 | spoolsv.exe
2256 | spoolsv.exe
2008 | spoolsv.exe
1532 | spoolsv.exe
860 | spoolsv.exe
1072 | spoolsv.exe
Loads dropped DLL 2 IoCs
pid | Process
2008 | cmd.exe
2008 | cmd.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs
flow | ioc
4 | raw.githubusercontent.com
5 | raw.githubusercontent.com
15 | raw.githubusercontent.com
36 | raw.githubusercontent.com
32 | raw.githubusercontent.com
9 | raw.githubusercontent.com
12 | raw.githubusercontent.com
18 | raw.githubusercontent.com
22 | raw.githubusercontent.com
25 | raw.githubusercontent.com
29 | raw.githubusercontent.com
Drops file in Program Files directory 4 IoCs
description | ioc | Process
File created | C:\Program Files\Windows Portable Devices\b75386f1303e64 | DllCommonsvc.exe
File created | C:\Program Files (x86)\Windows Mail\ja-JP\lsm.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\Windows Mail\ja-JP\101b941d020240 | DllCommonsvc.exe
File created | C:\Program Files\Windows Portable Devices\taskhost.exe | DllCommonsvc.exe
Drops file in Windows directory 2 IoCs
description | ioc | Process
File created | C:\Windows\PCHEALTH\smss.exe | DllCommonsvc.exe
File created | C:\Windows\PCHEALTH\69ddcba757bf72 | DllCommonsvc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_d19bbafdd0fe699469222c154ad6c696b9adc6ea18c84fff3e4810b24151d389.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
1912 | schtasks.exe
1400 | schtasks.exe
2472 | schtasks.exe
2824 | schtasks.exe
3036 | schtasks.exe
2756 | schtasks.exe
2580 | schtasks.exe
580 | schtasks.exe
2312 | schtasks.exe
2692 | schtasks.exe
2000 | schtasks.exe
2748 | schtasks.exe
1916 | schtasks.exe
2608 | schtasks.exe
1268 | schtasks.exe
Suspicious behavior: EnumeratesProcesses 17 IoCs
pid | Process
1996 | DllCommonsvc.exe
2040 | powershell.exe
1760 | powershell.exe
1340 | powershell.exe
768 | powershell.exe
1744 | powershell.exe
728 | powershell.exe
2968 | spoolsv.exe
2908 | spoolsv.exe
2092 | spoolsv.exe
2744 | spoolsv.exe
2800 | spoolsv.exe
2256 | spoolsv.exe
2008 | spoolsv.exe
1532 | spoolsv.exe
860 | spoolsv.exe
1072 | spoolsv.exe
Suspicious use of AdjustPrivilegeToken 17 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1996 | DllCommonsvc.exe
Token: SeDebugPrivilege | 2040 | powershell.exe
Token: SeDebugPrivilege | 1760 | powershell.exe
Token: SeDebugPrivilege | 1340 | powershell.exe
Token: SeDebugPrivilege | 768 | powershell.exe
Token: SeDebugPrivilege | 1744 | powershell.exe
Token: SeDebugPrivilege | 728 | powershell.exe
Token: SeDebugPrivilege | 2968 | spoolsv.exe
Token: SeDebugPrivilege | 2908 | spoolsv.exe
Token: SeDebugPrivilege | 2092 | spoolsv.exe
Token: SeDebugPrivilege | 2744 | spoolsv.exe
Token: SeDebugPrivilege | 2800 | spoolsv.exe
Token: SeDebugPrivilege | 2256 | spoolsv.exe
Token: SeDebugPrivilege | 2008 | spoolsv.exe
Token: SeDebugPrivilege | 1532 | spoolsv.exe
Token: SeDebugPrivilege | 860 | spoolsv.exe
Token: SeDebugPrivilege | 1072 | spoolsv.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 2368 wrote to memory of 2308 | 2368 | JaffaCakes118_d19bbafdd0fe699469222c154ad6c696b9adc6ea18c84fff3e4810b24151d389.exe | 30
PID 2368 wrote to memory of 2308 | 2368 | JaffaCakes118_d19bbafdd0fe699469222c154ad6c696b9adc6ea18c84fff3e4810b24151d389.exe | 30
PID 2368 wrote to memory of 2308 | 2368 | JaffaCakes118_d19bbafdd0fe699469222c154ad6c696b9adc6ea18c84fff3e4810b24151d389.exe | 30
PID 2368 wrote to memory of 2308 | 2368 | JaffaCakes118_d19bbafdd0fe699469222c154ad6c696b9adc6ea18c84fff3e4810b24151d389.exe | 30
PID 2308 wrote to memory of 2008 | 2308 | WScript.exe | 31
PID 2308 wrote to memory of 2008 | 2308 | WScript.exe | 31
PID 2308 wrote to memory of 2008 | 2308 | WScript.exe | 31
PID 2308 wrote to memory of 2008 | 2308 | WScript.exe | 31
PID 2008 wrote to memory of 1996 | 2008 | cmd.exe | 33
PID 2008 wrote to memory of 1996 | 2008 | cmd.exe | 33
PID 2008 wrote to memory of 1996 | 2008 | cmd.exe | 33
PID 2008 wrote to memory of 1996 | 2008 | cmd.exe | 33
PID 1996 wrote to memory of 728 | 1996 | DllCommonsvc.exe | 50
PID 1996 wrote to memory of 728 | 1996 | DllCommonsvc.exe | 50
PID 1996 wrote to memory of 728 | 1996 | DllCommonsvc.exe | 50
PID 1996 wrote to memory of 1744 | 1996 | DllCommonsvc.exe | 51
PID 1996 wrote to memory of 1744 | 1996 | DllCommonsvc.exe | 51
PID 1996 wrote to memory of 1744 | 1996 | DllCommonsvc.exe | 51
PID 1996 wrote to memory of 1760 | 1996 | DllCommonsvc.exe | 52
PID 1996 wrote to memory of 1760 | 1996 | DllCommonsvc.exe | 52
PID 1996 wrote to memory of 1760 | 1996 | DllCommonsvc.exe | 52
PID 1996 wrote to memory of 2040 | 1996 | DllCommonsvc.exe | 53
PID 1996 wrote to memory of 2040 | 1996 | DllCommonsvc.exe | 53
PID 1996 wrote to memory of 2040 | 1996 | DllCommonsvc.exe | 53
PID 1996 wrote to memory of 1340 | 1996 | DllCommonsvc.exe | 54
PID 1996 wrote to memory of 1340 | 1996 | DllCommonsvc.exe | 54
PID 1996 wrote to memory of 1340 | 1996 | DllCommonsvc.exe | 54
PID 1996 wrote to memory of 768 | 1996 | DllCommonsvc.exe | 55
PID 1996 wrote to memory of 768 | 1996 | DllCommonsvc.exe | 55
PID 1996 wrote to memory of 768 | 1996 | DllCommonsvc.exe | 55
PID 1996 wrote to memory of 376 | 1996 | DllCommonsvc.exe | 60
PID 1996 wrote to memory of 376 | 1996 | DllCommonsvc.exe | 60
PID 1996 wrote to memory of 376 | 1996 | DllCommonsvc.exe | 60
PID 376 wrote to memory of 2152 | 376 | cmd.exe | 64
PID 376 wrote to memory of 2152 | 376 | cmd.exe | 64
PID 376 wrote to memory of 2152 | 376 | cmd.exe | 64
PID 376 wrote to memory of 2968 | 376 | cmd.exe | 66
PID 376 wrote to memory of 2968 | 376 | cmd.exe | 66
PID 376 wrote to memory of 2968 | 376 | cmd.exe | 66
PID 2968 wrote to memory of 3044 | 2968 | spoolsv.exe | 67
PID 2968 wrote to memory of 3044 | 2968 | spoolsv.exe | 67
PID 2968 wrote to memory of 3044 | 2968 | spoolsv.exe | 67
PID 3044 wrote to memory of 2796 | 3044 | cmd.exe | 69
PID 3044 wrote to memory of 2796 | 3044 | cmd.exe | 69
PID 3044 wrote to memory of 2796 | 3044 | cmd.exe | 69
PID 3044 wrote to memory of 2908 | 3044 | cmd.exe | 70
PID 3044 wrote to memory of 2908 | 3044 | cmd.exe | 70
PID 3044 wrote to memory of 2908 | 3044 | cmd.exe | 70
PID 2908 wrote to memory of 1592 | 2908 | spoolsv.exe | 71
PID 2908 wrote to memory of 1592 | 2908 | spoolsv.exe | 71
PID 2908 wrote to memory of 1592 | 2908 | spoolsv.exe | 71
PID 1592 wrote to memory of 2172 | 1592 | cmd.exe | 73
PID 1592 wrote to memory of 2172 | 1592 | cmd.exe | 73
PID 1592 wrote to memory of 2172 | 1592 | cmd.exe | 73
PID 1592 wrote to memory of 2092 | 1592 | cmd.exe | 74
PID 1592 wrote to memory of 2092 | 1592 | cmd.exe | 74
PID 1592 wrote to memory of 2092 | 1592 | cmd.exe | 74
PID 2092 wrote to memory of 1640 | 2092 | spoolsv.exe | 75
PID 2092 wrote to memory of 1640 | 2092 | spoolsv.exe | 75
PID 2092 wrote to memory of 1640 | 2092 | spoolsv.exe | 75
PID 1640 wrote to memory of 2180 | 1640 | cmd.exe | 77
PID 1640 wrote to memory of 2180 | 1640 | cmd.exe | 77
PID 1640 wrote to memory of 2180 | 1640 | cmd.exe | 77
PID 1640 wrote to memory of 2744 | 1640 | cmd.exe | 78
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Depth 1: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d19bbafdd0fe699469222c154ad6c696b9adc6ea18c84fff3e4810b24151d389.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d19bbafdd0fe699469222c154ad6c696b9adc6ea18c84fff3e4810b24151d389.exe"
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 2368
Depth 2: C:\Windows\SysWOW64\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 2308
Depth 3: C:\Windows\SysWOW64\cmd.exe
Command line: cmd /c ""C:\providercommon\1zu9dW.bat" "
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 2008
Depth 4: C:\providercommon\DllCommonsvc.exe
Command line: "C:\providercommon\DllCommonsvc.exe"
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 1996
Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 728
Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\lsm.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1744
Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PCHEALTH\smss.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1760
Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\spoolsv.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2040
Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\ja-JP\lsm.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1340
Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\taskhost.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 768
Depth 5: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gl9PPr7sC8.bat"
- Suspicious use of WriteProcessMemory
PID: 376
Depth 6: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 2152
Depth 6: C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\spoolsv.exe
Command line: "C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\spoolsv.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 2968
Depth 7: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IuwUCT1VMm.bat"
- Suspicious use of WriteProcessMemory
PID: 3044
Depth 8: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 2796
Depth 8: C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\spoolsv.exe
Command line: "C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\spoolsv.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 2908
Depth 9: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wOqzmeZFfo.bat"
- Suspicious use of WriteProcessMemory
PID: 1592
Depth 10: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 2172
Depth 10: C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\spoolsv.exe
Command line: "C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\spoolsv.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 2092
Depth 11: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nl4g9d70ax.bat"
- Suspicious use of WriteProcessMemory
PID: 1640
Depth 12: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 2180
Depth 12: C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\spoolsv.exe
Command line: "C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\spoolsv.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2744
Depth 13: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yWf31kVUUl.bat"
PID: 2512
Depth 14: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 1968
Depth 14: C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\spoolsv.exe
Command line: "C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\spoolsv.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2800
Depth 15: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DhSpfyjZaR.bat"
PID: 2532
Depth 16: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 1080
Depth 16: C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\spoolsv.exe
Command line: "C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\spoolsv.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2256
Depth 17: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\blOcFVMglb.bat"
PID: 2432
Depth 18: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 2740
Depth 18: C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\spoolsv.exe
Command line: "C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\spoolsv.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2008
Depth 19: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1n8esAjYxK.bat"
PID: 1608
Depth 20: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 2368
Depth 20: C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\spoolsv.exe
Command line: "C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\spoolsv.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1532
Depth 21: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ys2Wc5gw2w.bat"
PID: 2568
Depth 22: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 2108
Depth 22: C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\spoolsv.exe
Command line: "C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\spoolsv.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 860
Depth 23: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nGcIoKmMem.bat"
PID: 3036
Depth 24: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 1252
Depth 24: C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\spoolsv.exe
Command line: "C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\spoolsv.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1072
Depth 25: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\R8iYvsD9nO.bat"
PID: 2416
Depth 26: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 920
Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\lsm.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2692
Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\lsm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2000
Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\lsm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2756
Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Windows\PCHEALTH\smss.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2748
Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\PCHEALTH\smss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 1916
Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Windows\PCHEALTH\smss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2824
Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\spoolsv.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2580
Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 1912
Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2608
Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Mail\ja-JP\lsm.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 3036
Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\ja-JP\lsm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 1400
Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Mail\ja-JP\lsm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 580
Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Portable Devices\taskhost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 1268
Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\taskhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2472
Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Portable Devices\taskhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2312
Downloads