Analysis
max time kernel
150s
max time network
155s
platform
windows7_x64
resource
win7-20241010-en
resource tags
arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system
submitted
21-12-2024 21:21
Behavioral task
behavioral1
Sample
JaffaCakes118_906917d2c4c796abf6ebf5371c4f2e82eaba54631370ee9b3824f296ddc253f0.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
JaffaCakes118_906917d2c4c796abf6ebf5371c4f2e82eaba54631370ee9b3824f296ddc253f0.exe
Resource
win10v2004-20241007-en
General
-
Target
JaffaCakes118_906917d2c4c796abf6ebf5371c4f2e82eaba54631370ee9b3824f296ddc253f0.exe
-
Size
1.3MB
-
MD5
3b2f49271a249736b26e909d0709b0b7
-
SHA1
09be02d46117068a2ec875a97a05664fcb73f408
-
SHA256
906917d2c4c796abf6ebf5371c4f2e82eaba54631370ee9b3824f296ddc253f0
-
SHA512
5944e1fb52b02a5ddaf84de47a3bf30c4178270ce0a61914b29020876ecfab6ec28411dfa15e0bff85ef227061c5f690a3c6635072aed28cda9dd69a041e0a5c
-
SSDEEP
24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal (DC) is a .NET RAT, active since June 2019, that is capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 27 IoCs
This typically indicates that the parent process was compromised via an exploit or a macro.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2764 | 2512 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2948 | 2512 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2716 | 2512 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2868 | 2512 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2696 | 2512 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2800 | 2512 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2044 | 2512 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2032 | 2512 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1200 | 2512 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3024 | 2512 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2028 | 2512 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 692 | 2512 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2780 | 2512 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2364 | 2512 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1772 | 2512 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2024 | 2512 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2008 | 2512 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2000 | 2512 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2776 | 2512 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2960 | 2512 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3028 | 2512 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2416 | 2512 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2268 | 2512 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1612 | 2512 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2484 | 2512 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1652 | 2512 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1700 | 2512 | schtasks.exe | 35
-
resource | yara_rule
behavioral1/files/0x0008000000016d69-9.dat | dcrat
behavioral1/memory/2532-13-0x0000000000300000-0x0000000000410000-memory.dmp | dcrat
behavioral1/memory/272-42-0x0000000001300000-0x0000000001410000-memory.dmp | dcrat
behavioral1/memory/2508-150-0x0000000000070000-0x0000000000180000-memory.dmp | dcrat
behavioral1/memory/1152-211-0x0000000000D80000-0x0000000000E90000-memory.dmp | dcrat
behavioral1/memory/2820-272-0x0000000000100000-0x0000000000210000-memory.dmp | dcrat
behavioral1/memory/2600-332-0x0000000000F40000-0x0000000001050000-memory.dmp | dcrat
behavioral1/memory/1992-451-0x00000000012C0000-0x00000000013D0000-memory.dmp | dcrat
behavioral1/memory/976-511-0x00000000001D0000-0x00000000002E0000-memory.dmp | dcrat
behavioral1/memory/3060-572-0x0000000000C00000-0x0000000000D10000-memory.dmp | dcrat
-
Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
pid | Process
1352 | powershell.exe
1512 | powershell.exe
1552 | powershell.exe
432 | powershell.exe
776 | powershell.exe
1816 | powershell.exe
3032 | powershell.exe
1160 | powershell.exe
960 | powershell.exe
1284 | powershell.exe
-
Executes dropped EXE 10 IoCs
pid | Process
2532 | DllCommonsvc.exe
272 | cmd.exe
2508 | cmd.exe
1152 | cmd.exe
2820 | cmd.exe
2600 | cmd.exe
2884 | cmd.exe
1992 | cmd.exe
976 | cmd.exe
3060 | cmd.exe
-
Loads dropped DLL 2 IoCs
pid | Process
2864 | cmd.exe
2864 | cmd.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 9 IoCs
flow | ioc
4 | raw.githubusercontent.com
9 | raw.githubusercontent.com
23 | raw.githubusercontent.com
29 | raw.githubusercontent.com
5 | raw.githubusercontent.com
13 | raw.githubusercontent.com
16 | raw.githubusercontent.com
19 | raw.githubusercontent.com
26 | raw.githubusercontent.com
-
Drops file in Program Files directory 7 IoCs
description | ioc | Process
File created | C:\Program Files (x86)\Windows Mail\wininit.exe | DllCommonsvc.exe
File opened for modification | C:\Program Files (x86)\Windows Mail\wininit.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\Windows Mail\56085415360792 | DllCommonsvc.exe
File created | C:\Program Files (x86)\Microsoft.NET\RedistList\dllhost.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\Microsoft.NET\RedistList\5940a34987c991 | DllCommonsvc.exe
File created | C:\Program Files\Reference Assemblies\Idle.exe | DllCommonsvc.exe
File created | C:\Program Files\Reference Assemblies\6ccacd8608530f | DllCommonsvc.exe
-
Drops file in Windows directory 4 IoCs
description | ioc | Process
File created | C:\Windows\security\logs\csrss.exe | DllCommonsvc.exe
File created | C:\Windows\security\logs\886983d96e3d3e | DllCommonsvc.exe
File created | C:\Windows\ShellNew\services.exe | DllCommonsvc.exe
File created | C:\Windows\ShellNew\c5b4cb5e9653cc | DllCommonsvc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_906917d2c4c796abf6ebf5371c4f2e82eaba54631370ee9b3824f296ddc253f0.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 27 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
2416 | schtasks.exe
1200 | schtasks.exe
3028 | schtasks.exe
2716 | schtasks.exe
3024 | schtasks.exe
1772 | schtasks.exe
2000 | schtasks.exe
2780 | schtasks.exe
2044 | schtasks.exe
2800 | schtasks.exe
2032 | schtasks.exe
2268 | schtasks.exe
2484 | schtasks.exe
1652 | schtasks.exe
692 | schtasks.exe
2960 | schtasks.exe
2364 | schtasks.exe
1612 | schtasks.exe
2024 | schtasks.exe
2008 | schtasks.exe
2776 | schtasks.exe
2948 | schtasks.exe
2696 | schtasks.exe
2028 | schtasks.exe
2764 | schtasks.exe
2868 | schtasks.exe
1700 | schtasks.exe
-
Suspicious behavior: EnumeratesProcesses 20 IoCs
pid | Process
2532 | DllCommonsvc.exe
1160 | powershell.exe
432 | powershell.exe
776 | powershell.exe
1512 | powershell.exe
1284 | powershell.exe
960 | powershell.exe
1352 | powershell.exe
1816 | powershell.exe
3032 | powershell.exe
1552 | powershell.exe
272 | cmd.exe
2508 | cmd.exe
1152 | cmd.exe
2820 | cmd.exe
2600 | cmd.exe
2884 | cmd.exe
1992 | cmd.exe
976 | cmd.exe
3060 | cmd.exe
-
Suspicious use of AdjustPrivilegeToken 20 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2532 | DllCommonsvc.exe
Token: SeDebugPrivilege | 1160 | powershell.exe
Token: SeDebugPrivilege | 432 | powershell.exe
Token: SeDebugPrivilege | 776 | powershell.exe
Token: SeDebugPrivilege | 1512 | powershell.exe
Token: SeDebugPrivilege | 1284 | powershell.exe
Token: SeDebugPrivilege | 960 | powershell.exe
Token: SeDebugPrivilege | 1352 | powershell.exe
Token: SeDebugPrivilege | 272 | cmd.exe
Token: SeDebugPrivilege | 1816 | powershell.exe
Token: SeDebugPrivilege | 3032 | powershell.exe
Token: SeDebugPrivilege | 1552 | powershell.exe
Token: SeDebugPrivilege | 2508 | cmd.exe
Token: SeDebugPrivilege | 1152 | cmd.exe
Token: SeDebugPrivilege | 2820 | cmd.exe
Token: SeDebugPrivilege | 2600 | cmd.exe
Token: SeDebugPrivilege | 2884 | cmd.exe
Token: SeDebugPrivilege | 1992 | cmd.exe
Token: SeDebugPrivilege | 976 | cmd.exe
Token: SeDebugPrivilege | 3060 | cmd.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 2060 wrote to memory of 2076 | 2060 | JaffaCakes118_906917d2c4c796abf6ebf5371c4f2e82eaba54631370ee9b3824f296ddc253f0.exe | 30
PID 2060 wrote to memory of 2076 | 2060 | JaffaCakes118_906917d2c4c796abf6ebf5371c4f2e82eaba54631370ee9b3824f296ddc253f0.exe | 30
PID 2060 wrote to memory of 2076 | 2060 | JaffaCakes118_906917d2c4c796abf6ebf5371c4f2e82eaba54631370ee9b3824f296ddc253f0.exe | 30
PID 2060 wrote to memory of 2076 | 2060 | JaffaCakes118_906917d2c4c796abf6ebf5371c4f2e82eaba54631370ee9b3824f296ddc253f0.exe | 30
PID 2076 wrote to memory of 2864 | 2076 | WScript.exe | 32
PID 2076 wrote to memory of 2864 | 2076 | WScript.exe | 32
PID 2076 wrote to memory of 2864 | 2076 | WScript.exe | 32
PID 2076 wrote to memory of 2864 | 2076 | WScript.exe | 32
PID 2864 wrote to memory of 2532 | 2864 | cmd.exe | 34
PID 2864 wrote to memory of 2532 | 2864 | cmd.exe | 34
PID 2864 wrote to memory of 2532 | 2864 | cmd.exe | 34
PID 2864 wrote to memory of 2532 | 2864 | cmd.exe | 34
PID 2532 wrote to memory of 432 | 2532 | DllCommonsvc.exe | 63
PID 2532 wrote to memory of 432 | 2532 | DllCommonsvc.exe | 63
PID 2532 wrote to memory of 432 | 2532 | DllCommonsvc.exe | 63
PID 2532 wrote to memory of 776 | 2532 | DllCommonsvc.exe | 64
PID 2532 wrote to memory of 776 | 2532 | DllCommonsvc.exe | 64
PID 2532 wrote to memory of 776 | 2532 | DllCommonsvc.exe | 64
PID 2532 wrote to memory of 1816 | 2532 | DllCommonsvc.exe | 65
PID 2532 wrote to memory of 1816 | 2532 | DllCommonsvc.exe | 65
PID 2532 wrote to memory of 1816 | 2532 | DllCommonsvc.exe | 65
PID 2532 wrote to memory of 3032 | 2532 | DllCommonsvc.exe | 66
PID 2532 wrote to memory of 3032 | 2532 | DllCommonsvc.exe | 66
PID 2532 wrote to memory of 3032 | 2532 | DllCommonsvc.exe | 66
PID 2532 wrote to memory of 1352 | 2532 | DllCommonsvc.exe | 67
PID 2532 wrote to memory of 1352 | 2532 | DllCommonsvc.exe | 67
PID 2532 wrote to memory of 1352 | 2532 | DllCommonsvc.exe | 67
PID 2532 wrote to memory of 1160 | 2532 | DllCommonsvc.exe | 68
PID 2532 wrote to memory of 1160 | 2532 | DllCommonsvc.exe | 68
PID 2532 wrote to memory of 1160 | 2532 | DllCommonsvc.exe | 68
PID 2532 wrote to memory of 1512 | 2532 | DllCommonsvc.exe | 69
PID 2532 wrote to memory of 1512 | 2532 | DllCommonsvc.exe | 69
PID 2532 wrote to memory of 1512 | 2532 | DllCommonsvc.exe | 69
PID 2532 wrote to memory of 960 | 2532 | DllCommonsvc.exe | 70
PID 2532 wrote to memory of 960 | 2532 | DllCommonsvc.exe | 70
PID 2532 wrote to memory of 960 | 2532 | DllCommonsvc.exe | 70
PID 2532 wrote to memory of 1552 | 2532 | DllCommonsvc.exe | 73
PID 2532 wrote to memory of 1552 | 2532 | DllCommonsvc.exe | 73
PID 2532 wrote to memory of 1552 | 2532 | DllCommonsvc.exe | 73
PID 2532 wrote to memory of 1284 | 2532 | DllCommonsvc.exe | 74
PID 2532 wrote to memory of 1284 | 2532 | DllCommonsvc.exe | 74
PID 2532 wrote to memory of 1284 | 2532 | DllCommonsvc.exe | 74
PID 2532 wrote to memory of 272 | 2532 | DllCommonsvc.exe | 83
PID 2532 wrote to memory of 272 | 2532 | DllCommonsvc.exe | 83
PID 2532 wrote to memory of 272 | 2532 | DllCommonsvc.exe | 83
PID 272 wrote to memory of 2888 | 272 | cmd.exe | 84
PID 272 wrote to memory of 2888 | 272 | cmd.exe | 84
PID 272 wrote to memory of 2888 | 272 | cmd.exe | 84
PID 2888 wrote to memory of 1192 | 2888 | cmd.exe | 86
PID 2888 wrote to memory of 1192 | 2888 | cmd.exe | 86
PID 2888 wrote to memory of 1192 | 2888 | cmd.exe | 86
PID 2888 wrote to memory of 2508 | 2888 | cmd.exe | 87
PID 2888 wrote to memory of 2508 | 2888 | cmd.exe | 87
PID 2888 wrote to memory of 2508 | 2888 | cmd.exe | 87
PID 2508 wrote to memory of 1324 | 2508 | cmd.exe | 88
PID 2508 wrote to memory of 1324 | 2508 | cmd.exe | 88
PID 2508 wrote to memory of 1324 | 2508 | cmd.exe | 88
PID 1324 wrote to memory of 1728 | 1324 | cmd.exe | 90
PID 1324 wrote to memory of 1728 | 1324 | cmd.exe | 90
PID 1324 wrote to memory of 1728 | 1324 | cmd.exe | 90
PID 1324 wrote to memory of 1152 | 1324 | cmd.exe | 91
PID 1324 wrote to memory of 1152 | 1324 | cmd.exe | 91
PID 1324 wrote to memory of 1152 | 1324 | cmd.exe | 91
PID 1152 wrote to memory of 2456 | 1152 | cmd.exe | 92
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
[depth 1] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_906917d2c4c796abf6ebf5371c4f2e82eaba54631370ee9b3824f296ddc253f0.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_906917d2c4c796abf6ebf5371c4f2e82eaba54631370ee9b3824f296ddc253f0.exe"
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 2060
-
[depth 2] C:\Windows\SysWOW64\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 2076
-
[depth 3] C:\Windows\SysWOW64\cmd.exe
Command line: cmd /c ""C:\providercommon\1zu9dW.bat" "
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 2864
-
[depth 4] C:\providercommon\DllCommonsvc.exe
Command line: "C:\providercommon\DllCommonsvc.exe"
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 2532
-
[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 432
-
[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\wininit.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 776
-
[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\lsm.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1816
-
[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Downloads\dwm.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 3032
-
[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Videos\Sample Videos\DllCommonsvc.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1352
-
[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\cmd.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1160
-
[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\RedistList\dllhost.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1512
-
[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ShellNew\services.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 960
-
[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\security\logs\csrss.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1552
-
[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\Idle.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1284
-
[depth 5] C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\cmd.exe
Command line: "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\cmd.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 272
-
[depth 6] C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SXo39smTXJ.bat"
- Suspicious use of WriteProcessMemory
PID: 2888
-
[depth 7] C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 1192
-
[depth 7] C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\cmd.exe
Command line: "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\cmd.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 2508
-
[depth 8] C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yTz6y56Ktd.bat"
- Suspicious use of WriteProcessMemory
PID: 1324
-
[depth 9] C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 1728
-
[depth 9] C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\cmd.exe
Command line: "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\cmd.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 1152
-
[depth 10] C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oVhzrLBDaJ.bat"
PID: 2456
-
[depth 11] C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 2160
-
[depth 11] C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\cmd.exe
Command line: "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\cmd.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2820
-
[depth 12] C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WPmuDeaX4D.bat"
PID: 3016
-
[depth 13] C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 296
-
[depth 13] C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\cmd.exe
Command line: "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\cmd.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2600
-
[depth 14] C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zAqEIlSfAD.bat"
PID: 2404
-
[depth 15] C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 960
-
[depth 15] C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\cmd.exe
Command line: "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\cmd.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2884
-
[depth 16] C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pCeLVPpGxY.bat"
PID: 580
-
[depth 17] C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 2036
-
[depth 17] C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\cmd.exe
Command line: "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\cmd.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1992
-
[depth 18] C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dekjrv1PTF.bat"
PID: 1692
-
[depth 19] C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 1540
-
[depth 19] C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\cmd.exe
Command line: "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\cmd.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 976
-
[depth 20] C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lE88gYdR15.bat"
PID: 2360
-
[depth 21] C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 1688
-
[depth 21] C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\cmd.exe
Command line: "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\cmd.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 3060
-
[depth 1] C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Mail\wininit.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2764
-
[depth 1] C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\wininit.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2948
-
[depth 1] C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Mail\wininit.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2716
-
[depth 1] C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\providercommon\lsm.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2868
-
[depth 1] C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\providercommon\lsm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2696
-
[depth 1] C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\providercommon\lsm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2800
-
[depth 1] C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Downloads\dwm.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2044
-
[depth 1] C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Default\Downloads\dwm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2032
-
[depth 1] C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Downloads\dwm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 1200
-
[depth 1] C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Videos\Sample Videos\DllCommonsvc.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 3024
-
[depth 1] C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Users\Public\Videos\Sample Videos\DllCommonsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2028
-
[depth 1] C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Videos\Sample Videos\DllCommonsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 692
-
[depth 1] C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\cmd.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2780
-
[depth 1] C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2364
-
[depth 1] C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 1772
-
[depth 1] C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\dllhost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2024
-
[depth 1] C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\dllhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2008
-
[depth 1] C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\dllhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2000
-
[depth 1] C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Windows\ShellNew\services.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2776
-
[depth 1] C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\ShellNew\services.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2960
-
[depth 1] C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Windows\ShellNew\services.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 3028
-
[depth 1] C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Windows\security\logs\csrss.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2416
-
[depth 1] C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\security\logs\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2268
-
[depth 1] C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Windows\security\logs\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 1612
-
[depth 1] C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Program Files\Reference Assemblies\Idle.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2484
-
[depth 1] C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Idle.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 1652
-
[depth 1] C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Program Files\Reference Assemblies\Idle.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 1700
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B
MD5
6401afa49d11579f39d96c7d820f6633
SHA1
105f1a1da113c5a0b9d0e5b1e362a084fe90c6da
SHA256
d50c658dea4cfc7f29148a012eb9739c555e5ff82fdfe6901492adbacc7d35c0
SHA512
5c91a16d86880c0f94769a5ee1416466d03add8a24d11ceb9f02ad5dc5eb27a70ac6ebd021cd41a48c742d5a0a691aaf9a26c4838fd378149ba169230010bafc
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B
MD5
f67d07a38946dc4c9ccbc682cc3efda8
SHA1
9a2916874c93f1385f494b85a8a9f3de032283f7
SHA256
225c82d2bc8e3b7b397ea4e9abee9ed804094d01282343ca99e01eaca59ad0d7
SHA512
77155eafa8d4f1abc025dd47e8544a82b306c8635e97a26bee3c5a8532e6c0a917c46eb339a9f268124a392148068a7b26c89433d1419e8c77c1eb6978e12d27
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B
MD5
65f5debc58c47e3593eded8a605fca45
SHA1
3e53295980a7c7820b30680be2f1f274d1e778b4
SHA256
cba78815e74f9dbc82952c9dde4eb3ec0d0de4d39c8cd3338d45a31be4bcf43c
SHA512
5ab5343751398752206fd67ce6baaad63f913bfafcc62ee55d1f8a95d83f9bbbf75c7d9105b73ca80d6227acd151156b8106706f8c03eb0b539163c48c85ac6a
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B
MD5
97f2bbca1275171090059acc5e414017
SHA1
351a0ecbeaafd8d3326f4c74871fffc36130fd21
SHA256
414b3644c429b375fef0fa3f738b37e163d244c40dcacaa8102adba904a45cb2
SHA512
286339886a296300acb57f492f46008f0d5af99e8815c6f077cd3c5ce4d334f2868fa69c6910f3e11b64467ac7ba093cd055e23c2dfa94bafbb3eb7e0f6c0de6
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B
MD5
533a5a3f71356c475a38efbe4061bc30
SHA1
930a69677989075ec7f51e3336cc2a78173e34e1
SHA256
a86a9464f8331e7413e8da7f0a5e0ff0108cd57d7a9b5e14570d466bc167b01b
SHA512
e390930145fc624c2eb1514973c982de8fb46995aa99e29518fbd6c268b3050159090bbb559fc8d7740dd887248585965fb850c3d8f6e0ff030497f459353a46
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B
MD5
5b5c895b979bbc69f1d12b527b2ff311
SHA1
16bc3a7b2d71a5ca34fe8af9fd438056e2456324
SHA256
5199b650e837e2358fa1722c6e21dd56baacc9de23867e377059cc915273184a
SHA512
7612fe3057b96b23c840c33f4db7815e82eaaa8259dae7081d37e933a06811cee71e589bac0316ac7e02b2996a8e1c15ea2bcf157fe9e1dfc04d29857b5b050d
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B
MD5
8608be566d0c0d5ee3f93346376c1a48
SHA1
6cf4bf03e0fae1dcd2a284678269062cfee082ca
SHA256
8c5627a7df3fcd2bcec012ec2a83561a03afa146c432ca85b297b71bbf02bdf3
SHA512
3e9419fe15f6546d8daf5a70c6549ab10cfb5e6fdda9f312c420ce08ccdf03d776d03e69f55bb5e49e22a4903ef6b4c9d29863a9326ad8bb767010e8d38396b4
-
Filesize
70KB
MD5
49aebf8cbd62d92ac215b2923fb1b9f5
SHA1
1723be06719828dda65ad804298d0431f6aff976
SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
235B
MD5
8ea46f84f06edff72cf2f6f50138adad
SHA1
27d19574ff18ae48d9900b9615332636b452551f
SHA256
1350baf429bf4fa357102e88764d3edb1fc4fe20be695dd39c58ae45e739f129
SHA512
08aad26d3a652a6b7c9f84522d8d61af816568d9f9a8937db2ae5151b2176953b3b2134aa92559b96b46970486a2ce3e006a00a3e99b918edcac462e8ad9e6db
-
Filesize
181KB
MD5
4ea6026cf93ec6338144661bf1202cd1
SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
235B
MD5
191756f5db4041e84b8bc7dce3dd872d
SHA1
690a97fad60fc3f3f5c2d7ef1b05ae9a7f2e2d96
SHA256
29b0d62e76b49c8bde4e4eafe93de4c30c45aff35b7c89e123cbf0f2078c17fb
SHA512
bee5f2a22783c1bdb3a060fe3bc22b0e7f79223e2d8cea574d1531f90e82f451496af5750e49c3bafea06d36f980c1fffc3e2995320f7d7a10d26290e4790eea
-
Filesize
235B
MD5
12dfb8080daf23ea34438f160391a148
SHA1
0095b95431cdbb73b77c58394a07af22eb4704de
SHA256
117496c5cfa7ccf289de49a06caed589ff5b164a441e16e09c0ee11705e5660a
SHA512
cfc00c9cf100b62066ab7dd07d6d00e5523c1800797d2bf8e46e28df2eedb066b4f8cf0ec577230937e130756bff0a5a6bdd901312e481599cf7210b96b25fee
-
Filesize
235B
MD5
66910d689d72733e37205baae97df3d8
SHA1
9b6974f726f10db26290585e121a7f8f9eaf1e81
SHA256
0693d0e6c93e4a892e7a3f429b0607dd050a74aef1560136e7ac12326827e655
SHA512
4e163536c43b8013786cc0c94d702a57f915f97cdd9917c80ff7672c8229a0f0b66e1da0bee2710884ef2023c5b8893e7c7bfb8b41b7117d263710025196303f
-
Filesize
235B
MD5
1d910e43f424e2fffee8477cf8796e3d
SHA1
f0b8fe9a05bdee57c2ddc321617e6ccf75d120e1
SHA256
fa6445d4a65f17f14b5a1c44e193ef37f2d6951ea35da6d95cca7d368b432ab4
SHA512
959eb3975924a909f11ee9758b39c88bac3919d0aa57b5a54623c3f28e9fdb229080a620d333a0c1918b4f0f5fe5bc8d3fbdcab9022847611e6484f11a64b25a
-
Filesize
235B
MD5
16e03a783630aa9a52f776717f627194
SHA1
609290e7c7eca0912ea197bb20b9dc0c942b76d7
SHA256
87bd190cba3483ef0d959349cc5030310f31acf9117114aa8b1019266631b073
SHA512
6b73db825dd2b878a25b6693162d87aeb5a8b2f6cb0aea40494944e12bb7687c5a6b464dfcee6b57338b3f161e7ce5995d37417e953761ff6c068cb6e880c418
-
Filesize
235B
MD5
98d0f6adb9e9d4a67907e3481ca05637
SHA1
0482ebd797b122e8e793a37512a974cdb0c8598f
SHA256
2b891a830d853a18a5e9487c0dc8b065119d58541be7eafcb0c42eb571e03f79
SHA512
2275e264f24451525bf39927dc65d4f2fd4f4f50dcaf1eaf52d0453caa6b05f5914a62171e494000bca4476c858de292d82f09206cbbe8ba646659376bdb345b
-
Filesize
235B
MD5
9ce41a7d422b719f14373de74c5cdb87
SHA1
d9f67aee7a080ed89df50979be73510b9b52855b
SHA256
4b1e4bfad77118d846636685ab37ed7a0efc7d047a04ea4c5dc7619fa9b0b9b4
SHA512
f57f26612d59addab5a4a0764d847104b09cce5169ed0f0ad928e73318a1ed2e895f6093f2df5a80357ce2fbb886a99f4dada6da36dd4699f762b32efa49555d
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB
MD5
3e325f7d4202e6629e55c03b6ef0afb3
SHA1
bc5dd0801bfd4db56d10f92dd754bfe720d0f19e
SHA256
554c55a5583d85931a23aaa631762ecd54afd01e111682032dfb249c1a0d8ed3
SHA512
448a3aad5630d6a6dbb1ea28385bcc0ba0d3bd5b7c541b1df3f161a6c22503a0b7c35160fe140061e9fc8e021a6e9b2bff37e0dfe8d173541bf4272bc28191b9
-
Filesize
36B
MD5
6783c3ee07c7d151ceac57f1f9c8bed7
SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03
SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8
-
Filesize
197B
MD5
8088241160261560a02c84025d107592
SHA1
083121f7027557570994c9fc211df61730455bb5
SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478
-
Filesize
1.0MB
MD5
bd31e94b4143c4ce49c17d3af46bcad0
SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394