Analysis
max time kernel: 149s
max time network: 150s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 30/12/2024, 01:41

Behavioral task: behavioral1
Sample: JaffaCakes118_81151e30e9fc06970f3bd5f677d301e8ad9d535aa0c90c460cf573db7936e1a5.exe
Resource: win7-20241010-en

Behavioral task: behavioral2
Sample: JaffaCakes118_81151e30e9fc06970f3bd5f677d301e8ad9d535aa0c90c460cf573db7936e1a5.exe
Resource: win10v2004-20241007-en

General
Target: JaffaCakes118_81151e30e9fc06970f3bd5f677d301e8ad9d535aa0c90c460cf573db7936e1a5.exe
Size: 1.3MB
MD5: 8af4a760f458c1d594d86702e6925e9b
SHA1: aa81fe6ae366e98e419c13dde9e957df33ade6e1
SHA256: 81151e30e9fc06970f3bd5f677d301e8ad9d535aa0c90c460cf573db7936e1a5
SHA512: 8dcd547dd3eb78dd9ad22b1feffaf3ad4a45ff08be642f0fcff729cce4e9c93e2212c59eeff3f9cc93f391e26639b765ef77a431b385ec70e901f5bfea9c84bb
SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
- DcRat
  DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.
- Dcrat family
  resource | yara_rule
  behavioral1/files/0x000700000001939c-9.dat | dcrat
  behavioral1/memory/2060-13-0x00000000000B0000-0x00000000001C0000-memory.dmp | dcrat
  behavioral1/memory/2720-51-0x0000000000DF0000-0x0000000000F00000-memory.dmp | dcrat
  behavioral1/memory/1544-117-0x00000000003C0000-0x00000000004D0000-memory.dmp | dcrat
  behavioral1/memory/2244-178-0x0000000000D80000-0x0000000000E90000-memory.dmp | dcrat
  behavioral1/memory/1316-238-0x0000000000E00000-0x0000000000F10000-memory.dmp | dcrat
  behavioral1/memory/1268-298-0x0000000000F30000-0x0000000001040000-memory.dmp | dcrat
  behavioral1/memory/1772-477-0x0000000000070000-0x0000000000180000-memory.dmp | dcrat
  behavioral1/memory/2760-537-0x00000000001D0000-0x00000000002E0000-memory.dmp | dcrat
  behavioral1/memory/1632-598-0x0000000000930000-0x0000000000A40000-memory.dmp | dcrat
- Process spawned unexpected child process (12 IoCs)
  This typically indicates the parent process was compromised via an exploit or macro.
  description | pid | pid_target | Process | procid_target
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2824 | 2832 | schtasks.exe | 34
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2792 | 2832 | schtasks.exe | 34
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2912 | 2832 | schtasks.exe | 34
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2652 | 2832 | schtasks.exe | 34
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2804 | 2832 | schtasks.exe | 34
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2860 | 2832 | schtasks.exe | 34
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2640 | 2832 | schtasks.exe | 34
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2704 | 2832 | schtasks.exe | 34
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2172 | 2832 | schtasks.exe | 34
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1684 | 2832 | schtasks.exe | 34
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 888 | 2832 | schtasks.exe | 34
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 664 | 2832 | schtasks.exe | 34
- Command and Scripting Interpreter: PowerShell (1 TTPs, 5 IoCs)
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
  pid | Process
  2108 | powershell.exe
  2940 | powershell.exe
  316 | powershell.exe
  1492 | powershell.exe
  2928 | powershell.exe
- Executes dropped EXE (11 IoCs)
  pid | Process
  2060 | DllCommonsvc.exe
  2720 | explorer.exe
  1544 | explorer.exe
  2244 | explorer.exe
  1316 | explorer.exe
  1268 | explorer.exe
  1664 | explorer.exe
  1924 | explorer.exe
  1772 | explorer.exe
  2760 | explorer.exe
  1632 | explorer.exe
- Loads dropped DLL (2 IoCs)
  pid | Process
  1824 | cmd.exe
  1824 | cmd.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 11 IoCs)
  flow | ioc
  26 | raw.githubusercontent.com
  30 | raw.githubusercontent.com
  33 | raw.githubusercontent.com
  4 | raw.githubusercontent.com
  5 | raw.githubusercontent.com
  16 | raw.githubusercontent.com
  19 | raw.githubusercontent.com
  23 | raw.githubusercontent.com
  37 | raw.githubusercontent.com
  9 | raw.githubusercontent.com
  12 | raw.githubusercontent.com
- Drops file in Program Files directory (2 IoCs)
  description | ioc | Process
  File created | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\taskhost.exe | DllCommonsvc.exe
  File created | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\b75386f1303e64 | DllCommonsvc.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempts to gather information about the system language of a victim host in order to infer its geographical location.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_81151e30e9fc06970f3bd5f677d301e8ad9d535aa0c90c460cf573db7936e1a5.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
- Scheduled Task/Job: Scheduled Task (1 TTPs, 12 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  2860 | schtasks.exe
  2640 | schtasks.exe
  2704 | schtasks.exe
  2172 | schtasks.exe
  1684 | schtasks.exe
  2824 | schtasks.exe
  2792 | schtasks.exe
  2652 | schtasks.exe
  664 | schtasks.exe
  2912 | schtasks.exe
  2804 | schtasks.exe
  888 | schtasks.exe
- Suspicious behavior: EnumeratesProcesses (16 IoCs)
  pid | Process
  2060 | DllCommonsvc.exe
  316 | powershell.exe
  2940 | powershell.exe
  1492 | powershell.exe
  2928 | powershell.exe
  2108 | powershell.exe
  2720 | explorer.exe
  1544 | explorer.exe
  2244 | explorer.exe
  1316 | explorer.exe
  1268 | explorer.exe
  1664 | explorer.exe
  1924 | explorer.exe
  1772 | explorer.exe
  2760 | explorer.exe
  1632 | explorer.exe
- Suspicious use of AdjustPrivilegeToken (16 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2060 | DllCommonsvc.exe
  Token: SeDebugPrivilege | 316 | powershell.exe
  Token: SeDebugPrivilege | 2940 | powershell.exe
  Token: SeDebugPrivilege | 1492 | powershell.exe
  Token: SeDebugPrivilege | 2928 | powershell.exe
  Token: SeDebugPrivilege | 2108 | powershell.exe
  Token: SeDebugPrivilege | 2720 | explorer.exe
  Token: SeDebugPrivilege | 1544 | explorer.exe
  Token: SeDebugPrivilege | 2244 | explorer.exe
  Token: SeDebugPrivilege | 1316 | explorer.exe
  Token: SeDebugPrivilege | 1268 | explorer.exe
  Token: SeDebugPrivilege | 1664 | explorer.exe
  Token: SeDebugPrivilege | 1924 | explorer.exe
  Token: SeDebugPrivilege | 1772 | explorer.exe
  Token: SeDebugPrivilege | 2760 | explorer.exe
  Token: SeDebugPrivilege | 1632 | explorer.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  description | pid | Process | procid_target
  PID 1528 wrote to memory of 2544 | 1528 | JaffaCakes118_81151e30e9fc06970f3bd5f677d301e8ad9d535aa0c90c460cf573db7936e1a5.exe | 30
  PID 1528 wrote to memory of 2544 | 1528 | JaffaCakes118_81151e30e9fc06970f3bd5f677d301e8ad9d535aa0c90c460cf573db7936e1a5.exe | 30
  PID 1528 wrote to memory of 2544 | 1528 | JaffaCakes118_81151e30e9fc06970f3bd5f677d301e8ad9d535aa0c90c460cf573db7936e1a5.exe | 30
  PID 1528 wrote to memory of 2544 | 1528 | JaffaCakes118_81151e30e9fc06970f3bd5f677d301e8ad9d535aa0c90c460cf573db7936e1a5.exe | 30
  PID 2544 wrote to memory of 1824 | 2544 | WScript.exe | 31
  PID 2544 wrote to memory of 1824 | 2544 | WScript.exe | 31
  PID 2544 wrote to memory of 1824 | 2544 | WScript.exe | 31
  PID 2544 wrote to memory of 1824 | 2544 | WScript.exe | 31
  PID 1824 wrote to memory of 2060 | 1824 | cmd.exe | 33
  PID 1824 wrote to memory of 2060 | 1824 | cmd.exe | 33
  PID 1824 wrote to memory of 2060 | 1824 | cmd.exe | 33
  PID 1824 wrote to memory of 2060 | 1824 | cmd.exe | 33
  PID 2060 wrote to memory of 2108 | 2060 | DllCommonsvc.exe | 47
  PID 2060 wrote to memory of 2108 | 2060 | DllCommonsvc.exe | 47
  PID 2060 wrote to memory of 2108 | 2060 | DllCommonsvc.exe | 47
  PID 2060 wrote to memory of 2928 | 2060 | DllCommonsvc.exe | 48
  PID 2060 wrote to memory of 2928 | 2060 | DllCommonsvc.exe | 48
  PID 2060 wrote to memory of 2928 | 2060 | DllCommonsvc.exe | 48
  PID 2060 wrote to memory of 2940 | 2060 | DllCommonsvc.exe | 49
  PID 2060 wrote to memory of 2940 | 2060 | DllCommonsvc.exe | 49
  PID 2060 wrote to memory of 2940 | 2060 | DllCommonsvc.exe | 49
  PID 2060 wrote to memory of 1492 | 2060 | DllCommonsvc.exe | 51
  PID 2060 wrote to memory of 1492 | 2060 | DllCommonsvc.exe | 51
  PID 2060 wrote to memory of 1492 | 2060 | DllCommonsvc.exe | 51
  PID 2060 wrote to memory of 316 | 2060 | DllCommonsvc.exe | 52
  PID 2060 wrote to memory of 316 | 2060 | DllCommonsvc.exe | 52
  PID 2060 wrote to memory of 316 | 2060 | DllCommonsvc.exe | 52
  PID 2060 wrote to memory of 2720 | 2060 | DllCommonsvc.exe | 57
  PID 2060 wrote to memory of 2720 | 2060 | DllCommonsvc.exe | 57
  PID 2060 wrote to memory of 2720 | 2060 | DllCommonsvc.exe | 57
  PID 2720 wrote to memory of 2404 | 2720 | explorer.exe | 59
  PID 2720 wrote to memory of 2404 | 2720 | explorer.exe | 59
  PID 2720 wrote to memory of 2404 | 2720 | explorer.exe | 59
  PID 2404 wrote to memory of 2588 | 2404 | cmd.exe | 61
  PID 2404 wrote to memory of 2588 | 2404 | cmd.exe | 61
  PID 2404 wrote to memory of 2588 | 2404 | cmd.exe | 61
  PID 2404 wrote to memory of 1544 | 2404 | cmd.exe | 62
  PID 2404 wrote to memory of 1544 | 2404 | cmd.exe | 62
  PID 2404 wrote to memory of 1544 | 2404 | cmd.exe | 62
  PID 1544 wrote to memory of 2932 | 1544 | explorer.exe | 63
  PID 1544 wrote to memory of 2932 | 1544 | explorer.exe | 63
  PID 1544 wrote to memory of 2932 | 1544 | explorer.exe | 63
  PID 2932 wrote to memory of 1964 | 2932 | cmd.exe | 65
  PID 2932 wrote to memory of 1964 | 2932 | cmd.exe | 65
  PID 2932 wrote to memory of 1964 | 2932 | cmd.exe | 65
  PID 2932 wrote to memory of 2244 | 2932 | cmd.exe | 66
  PID 2932 wrote to memory of 2244 | 2932 | cmd.exe | 66
  PID 2932 wrote to memory of 2244 | 2932 | cmd.exe | 66
  PID 2244 wrote to memory of 1424 | 2244 | explorer.exe | 67
  PID 2244 wrote to memory of 1424 | 2244 | explorer.exe | 67
  PID 2244 wrote to memory of 1424 | 2244 | explorer.exe | 67
  PID 1424 wrote to memory of 2076 | 1424 | cmd.exe | 69
  PID 1424 wrote to memory of 2076 | 1424 | cmd.exe | 69
  PID 1424 wrote to memory of 2076 | 1424 | cmd.exe | 69
  PID 1424 wrote to memory of 1316 | 1424 | cmd.exe | 70
  PID 1424 wrote to memory of 1316 | 1424 | cmd.exe | 70
  PID 1424 wrote to memory of 1316 | 1424 | cmd.exe | 70
  PID 1316 wrote to memory of 2204 | 1316 | explorer.exe | 71
  PID 1316 wrote to memory of 2204 | 1316 | explorer.exe | 71
  PID 1316 wrote to memory of 2204 | 1316 | explorer.exe | 71
  PID 2204 wrote to memory of 2228 | 2204 | cmd.exe | 73
  PID 2204 wrote to memory of 2228 | 2204 | cmd.exe | 73
  PID 2204 wrote to memory of 2228 | 2204 | cmd.exe | 73
  PID 2204 wrote to memory of 1268 | 2204 | cmd.exe | 74
- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Each entry is prefixed with its depth in the process tree, followed by the image path, the command line, the signatures it triggered and its PID.

[1] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_81151e30e9fc06970f3bd5f677d301e8ad9d535aa0c90c460cf573db7936e1a5.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_81151e30e9fc06970f3bd5f677d301e8ad9d535aa0c90c460cf573db7936e1a5.exe"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 1528
[2] C:\Windows\SysWOW64\WScript.exe
    cmdline: "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 2544
[3] C:\Windows\SysWOW64\cmd.exe
    cmdline: cmd /c ""C:\providercommon\1zu9dW.bat" "
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 1824
[4] C:\providercommon\DllCommonsvc.exe
    cmdline: "C:\providercommon\DllCommonsvc.exe"
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 2060
[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2108
[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\lsm.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2928
[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\explorer.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2940
[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\cmd.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1492
[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\taskhost.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 316
[5] C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\explorer.exe
    cmdline: "C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\explorer.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 2720
[6] C:\Windows\System32\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UJpHfzfs2i.bat"
    - Suspicious use of WriteProcessMemory
    PID: 2404
[7] C:\Windows\system32\w32tm.exe
    cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 2588
[7] C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\explorer.exe
    cmdline: "C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\explorer.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 1544
[8] C:\Windows\System32\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lHuJ4aKJis.bat"
    - Suspicious use of WriteProcessMemory
    PID: 2932
[9] C:\Windows\system32\w32tm.exe
    cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 1964
[9] C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\explorer.exe
    cmdline: "C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\explorer.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 2244
[10] C:\Windows\System32\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GvLkm7sAXX.bat"
    - Suspicious use of WriteProcessMemory
    PID: 1424
[11] C:\Windows\system32\w32tm.exe
    cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 2076
[11] C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\explorer.exe
    cmdline: "C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\explorer.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 1316
[12] C:\Windows\System32\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ktiZWDSHsI.bat"
    - Suspicious use of WriteProcessMemory
    PID: 2204
[13] C:\Windows\system32\w32tm.exe
    cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 2228
[13] C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\explorer.exe
    cmdline: "C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\explorer.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1268
[14] C:\Windows\System32\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8tyQ25hERL.bat"
    PID: 1588
[15] C:\Windows\system32\w32tm.exe
    cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 1272
[15] C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\explorer.exe
    cmdline: "C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\explorer.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1664
[16] C:\Windows\System32\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OPOGTQits7.bat"
    PID: 2208
[17] C:\Windows\system32\w32tm.exe
    cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 1492
[17] C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\explorer.exe
    cmdline: "C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\explorer.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1924
[18] C:\Windows\System32\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UTkrWZWekQ.bat"
    PID: 2496
[19] C:\Windows\system32\w32tm.exe
    cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 272
[19] C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\explorer.exe
    cmdline: "C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\explorer.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1772
[20] C:\Windows\System32\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\V3SaMhi525.bat"
    PID: 2772
[21] C:\Windows\system32\w32tm.exe
    cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 2732
[21] C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\explorer.exe
    cmdline: "C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\explorer.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2760
[22] C:\Windows\System32\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kYBl3UyOdq.bat"
    PID: 2680
[23] C:\Windows\system32\w32tm.exe
    cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 2804
[23] C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\explorer.exe
    cmdline: "C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\explorer.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1632
[24] C:\Windows\System32\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\N4rS0hE0df.bat"
    PID: 1764
[25] C:\Windows\system32\w32tm.exe
    cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 1692
[1] C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\lsm.exe'" /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2824
[1] C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2792
[1] C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2912
[1] C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\explorer.exe'" /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2652
[1] C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2804
[1] C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2860
[1] C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\cmd.exe'" /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2640
[1] C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2704
[1] C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2172
[1] C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\taskhost.exe'" /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 1684
[1] C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\taskhost.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 888
[1] C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\taskhost.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 664
MITRE ATT&CK Enterprise v15
Downloads