Analysis
-
max time kernel
149s -
max time network
145s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system -
submitted
30/12/2024, 02:32
Behavioral task
behavioral1
Sample
JaffaCakes118_b98d6de07f0c759d4e4607ee4151628af9f04f25e84d1ee5c7ca8db81dd15a5f.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
JaffaCakes118_b98d6de07f0c759d4e4607ee4151628af9f04f25e84d1ee5c7ca8db81dd15a5f.exe
Resource
win10v2004-20241007-en
General
-
Target
JaffaCakes118_b98d6de07f0c759d4e4607ee4151628af9f04f25e84d1ee5c7ca8db81dd15a5f.exe
-
Size
1.3MB
-
MD5
16fa4b52bbda6c2cfc912f8f2672d505
-
SHA1
736f640a7dbe267a2c9c9e33e5827b75c937e036
-
SHA256
b98d6de07f0c759d4e4607ee4151628af9f04f25e84d1ee5c7ca8db81dd15a5f
-
SHA512
ebe294cea23e493b9c03cfe6292af400a9c0d9da1b9c76bf7bc22c15eddfd21568fb5174adfe598028c5700e76c31559f8e7fcee96186f52521f39e9aeb71a7e
-
SSDEEP
24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 18 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2644 | 2888 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2632 | 2888 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2720 | 2888 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2624 | 2888 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2728 | 2888 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2932 | 2888 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2000 | 2888 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2008 | 2888 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2020 | 2888 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1716 | 2888 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1924 | 2888 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2500 | 2888 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1616 | 2888 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1188 | 2888 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1944 | 2888 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1692 | 2888 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1668 | 2888 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1116 | 2888 | schtasks.exe | 35
-
resource | yara_rule
behavioral1/files/0x0008000000016c58-11.dat | dcrat
behavioral1/memory/2736-13-0x0000000001200000-0x0000000001310000-memory.dmp | dcrat
behavioral1/memory/2588-47-0x0000000000FD0000-0x00000000010E0000-memory.dmp | dcrat
behavioral1/memory/2948-190-0x00000000000C0000-0x00000000001D0000-memory.dmp | dcrat
behavioral1/memory/1404-250-0x00000000010D0000-0x00000000011E0000-memory.dmp | dcrat
behavioral1/memory/2412-370-0x0000000001270000-0x0000000001380000-memory.dmp | dcrat
-
Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs
Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid | Process
2824 | powershell.exe
2832 | powershell.exe
1628 | powershell.exe
1664 | powershell.exe
1672 | powershell.exe
2792 | powershell.exe
2704 | powershell.exe
-
Executes dropped EXE 11 IoCs
pid | Process
2736 | DllCommonsvc.exe
2588 | lsm.exe
2128 | lsm.exe
2948 | lsm.exe
1404 | lsm.exe
2416 | lsm.exe
2412 | lsm.exe
2800 | lsm.exe
1520 | lsm.exe
1556 | lsm.exe
728 | lsm.exe
-
Loads dropped DLL 2 IoCs
pid | Process
2056 | cmd.exe
2056 | cmd.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs
flow | ioc
4 | raw.githubusercontent.com
5 | raw.githubusercontent.com
15 | raw.githubusercontent.com
22 | raw.githubusercontent.com
26 | raw.githubusercontent.com
9 | raw.githubusercontent.com
12 | raw.githubusercontent.com
19 | raw.githubusercontent.com
29 | raw.githubusercontent.com
33 | raw.githubusercontent.com
-
Drops file in Program Files directory 2 IoCs
description | ioc | Process
File created | C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\lsm.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\101b941d020240 | DllCommonsvc.exe
-
Drops file in Windows directory 2 IoCs
description | ioc | Process
File created | C:\Windows\Logs\DISM\6203df4a6bafc7 | DllCommonsvc.exe
File created | C:\Windows\Logs\DISM\lsass.exe | DllCommonsvc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_b98d6de07f0c759d4e4607ee4151628af9f04f25e84d1ee5c7ca8db81dd15a5f.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
2932 | schtasks.exe
2008 | schtasks.exe
1716 | schtasks.exe
1616 | schtasks.exe
1188 | schtasks.exe
1692 | schtasks.exe
1668 | schtasks.exe
2020 | schtasks.exe
1924 | schtasks.exe
1116 | schtasks.exe
2644 | schtasks.exe
2632 | schtasks.exe
2500 | schtasks.exe
1944 | schtasks.exe
2720 | schtasks.exe
2624 | schtasks.exe
2728 | schtasks.exe
2000 | schtasks.exe
-
Suspicious behavior: EnumeratesProcesses 20 IoCs
pid | Process
2736 | DllCommonsvc.exe
2736 | DllCommonsvc.exe
2736 | DllCommonsvc.exe
1664 | powershell.exe
2704 | powershell.exe
2832 | powershell.exe
2792 | powershell.exe
2824 | powershell.exe
1672 | powershell.exe
1628 | powershell.exe
2588 | lsm.exe
2128 | lsm.exe
2948 | lsm.exe
1404 | lsm.exe
2416 | lsm.exe
2412 | lsm.exe
2800 | lsm.exe
1520 | lsm.exe
1556 | lsm.exe
728 | lsm.exe
-
Suspicious use of AdjustPrivilegeToken 18 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2736 | DllCommonsvc.exe
Token: SeDebugPrivilege | 1664 | powershell.exe
Token: SeDebugPrivilege | 2704 | powershell.exe
Token: SeDebugPrivilege | 2832 | powershell.exe
Token: SeDebugPrivilege | 2792 | powershell.exe
Token: SeDebugPrivilege | 2824 | powershell.exe
Token: SeDebugPrivilege | 1672 | powershell.exe
Token: SeDebugPrivilege | 1628 | powershell.exe
Token: SeDebugPrivilege | 2588 | lsm.exe
Token: SeDebugPrivilege | 2128 | lsm.exe
Token: SeDebugPrivilege | 2948 | lsm.exe
Token: SeDebugPrivilege | 1404 | lsm.exe
Token: SeDebugPrivilege | 2416 | lsm.exe
Token: SeDebugPrivilege | 2412 | lsm.exe
Token: SeDebugPrivilege | 2800 | lsm.exe
Token: SeDebugPrivilege | 1520 | lsm.exe
Token: SeDebugPrivilege | 1556 | lsm.exe
Token: SeDebugPrivilege | 728 | lsm.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 2332 wrote to memory of 2552 | 2332 | JaffaCakes118_b98d6de07f0c759d4e4607ee4151628af9f04f25e84d1ee5c7ca8db81dd15a5f.exe | 31
PID 2332 wrote to memory of 2552 | 2332 | JaffaCakes118_b98d6de07f0c759d4e4607ee4151628af9f04f25e84d1ee5c7ca8db81dd15a5f.exe | 31
PID 2332 wrote to memory of 2552 | 2332 | JaffaCakes118_b98d6de07f0c759d4e4607ee4151628af9f04f25e84d1ee5c7ca8db81dd15a5f.exe | 31
PID 2332 wrote to memory of 2552 | 2332 | JaffaCakes118_b98d6de07f0c759d4e4607ee4151628af9f04f25e84d1ee5c7ca8db81dd15a5f.exe | 31
PID 2552 wrote to memory of 2056 | 2552 | WScript.exe | 32
PID 2552 wrote to memory of 2056 | 2552 | WScript.exe | 32
PID 2552 wrote to memory of 2056 | 2552 | WScript.exe | 32
PID 2552 wrote to memory of 2056 | 2552 | WScript.exe | 32
PID 2056 wrote to memory of 2736 | 2056 | cmd.exe | 34
PID 2056 wrote to memory of 2736 | 2056 | cmd.exe | 34
PID 2056 wrote to memory of 2736 | 2056 | cmd.exe | 34
PID 2056 wrote to memory of 2736 | 2056 | cmd.exe | 34
PID 2736 wrote to memory of 1628 | 2736 | DllCommonsvc.exe | 54
PID 2736 wrote to memory of 1628 | 2736 | DllCommonsvc.exe | 54
PID 2736 wrote to memory of 1628 | 2736 | DllCommonsvc.exe | 54
PID 2736 wrote to memory of 1664 | 2736 | DllCommonsvc.exe | 55
PID 2736 wrote to memory of 1664 | 2736 | DllCommonsvc.exe | 55
PID 2736 wrote to memory of 1664 | 2736 | DllCommonsvc.exe | 55
PID 2736 wrote to memory of 1672 | 2736 | DllCommonsvc.exe | 56
PID 2736 wrote to memory of 1672 | 2736 | DllCommonsvc.exe | 56
PID 2736 wrote to memory of 1672 | 2736 | DllCommonsvc.exe | 56
PID 2736 wrote to memory of 2832 | 2736 | DllCommonsvc.exe | 57
PID 2736 wrote to memory of 2832 | 2736 | DllCommonsvc.exe | 57
PID 2736 wrote to memory of 2832 | 2736 | DllCommonsvc.exe | 57
PID 2736 wrote to memory of 2824 | 2736 | DllCommonsvc.exe | 58
PID 2736 wrote to memory of 2824 | 2736 | DllCommonsvc.exe | 58
PID 2736 wrote to memory of 2824 | 2736 | DllCommonsvc.exe | 58
PID 2736 wrote to memory of 2792 | 2736 | DllCommonsvc.exe | 60
PID 2736 wrote to memory of 2792 | 2736 | DllCommonsvc.exe | 60
PID 2736 wrote to memory of 2792 | 2736 | DllCommonsvc.exe | 60
PID 2736 wrote to memory of 2704 | 2736 | DllCommonsvc.exe | 61
PID 2736 wrote to memory of 2704 | 2736 | DllCommonsvc.exe | 61
PID 2736 wrote to memory of 2704 | 2736 | DllCommonsvc.exe | 61
PID 2736 wrote to memory of 2588 | 2736 | DllCommonsvc.exe | 68
PID 2736 wrote to memory of 2588 | 2736 | DllCommonsvc.exe | 68
PID 2736 wrote to memory of 2588 | 2736 | DllCommonsvc.exe | 68
PID 2588 wrote to memory of 524 | 2588 | lsm.exe | 69
PID 2588 wrote to memory of 524 | 2588 | lsm.exe | 69
PID 2588 wrote to memory of 524 | 2588 | lsm.exe | 69
PID 524 wrote to memory of 1728 | 524 | cmd.exe | 71
PID 524 wrote to memory of 1728 | 524 | cmd.exe | 71
PID 524 wrote to memory of 1728 | 524 | cmd.exe | 71
PID 524 wrote to memory of 2128 | 524 | cmd.exe | 72
PID 524 wrote to memory of 2128 | 524 | cmd.exe | 72
PID 524 wrote to memory of 2128 | 524 | cmd.exe | 72
PID 2128 wrote to memory of 2752 | 2128 | lsm.exe | 73
PID 2128 wrote to memory of 2752 | 2128 | lsm.exe | 73
PID 2128 wrote to memory of 2752 | 2128 | lsm.exe | 73
PID 2752 wrote to memory of 940 | 2752 | cmd.exe | 75
PID 2752 wrote to memory of 940 | 2752 | cmd.exe | 75
PID 2752 wrote to memory of 940 | 2752 | cmd.exe | 75
PID 2752 wrote to memory of 2948 | 2752 | cmd.exe | 76
PID 2752 wrote to memory of 2948 | 2752 | cmd.exe | 76
PID 2752 wrote to memory of 2948 | 2752 | cmd.exe | 76
PID 2948 wrote to memory of 1940 | 2948 | lsm.exe | 77
PID 2948 wrote to memory of 1940 | 2948 | lsm.exe | 77
PID 2948 wrote to memory of 1940 | 2948 | lsm.exe | 77
PID 1940 wrote to memory of 756 | 1940 | cmd.exe | 79
PID 1940 wrote to memory of 756 | 1940 | cmd.exe | 79
PID 1940 wrote to memory of 756 | 1940 | cmd.exe | 79
PID 1940 wrote to memory of 1404 | 1940 | cmd.exe | 80
PID 1940 wrote to memory of 1404 | 1940 | cmd.exe | 80
PID 1940 wrote to memory of 1404 | 1940 | cmd.exe | 80
PID 1404 wrote to memory of 2600 | 1404 | lsm.exe | 81
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
Depth 1: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b98d6de07f0c759d4e4607ee4151628af9f04f25e84d1ee5c7ca8db81dd15a5f.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b98d6de07f0c759d4e4607ee4151628af9f04f25e84d1ee5c7ca8db81dd15a5f.exe"
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2332 -
Depth 2: C:\Windows\SysWOW64\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2552 -
Depth 3: C:\Windows\SysWOW64\cmd.exe
Command line: cmd /c ""C:\providercommon\1zu9dW.bat" "
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2056 -
Depth 4: C:\providercommon\DllCommonsvc.exe
Command line: "C:\providercommon\DllCommonsvc.exe"
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2736 -
Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1628
-
-
Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dwm.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1664
-
-
Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Logs\DISM\lsass.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1672
-
-
Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\dwm.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2832
-
-
Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\lsm.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2824
-
-
Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\spoolsv.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2792
-
-
Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Music\Sample Music\csrss.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2704
-
-
Depth 5: C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\lsm.exe
Command line: "C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\lsm.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2588 -
Depth 6: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EzJh52oHEl.bat"
- Suspicious use of WriteProcessMemory
PID:524 -
Depth 7: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:1728
-
-
Depth 7: C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\lsm.exe
Command line: "C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\lsm.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2128 -
Depth 8: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rZY5mW9Lj2.bat"
- Suspicious use of WriteProcessMemory
PID:2752 -
Depth 9: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:940
-
-
Depth 9: C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\lsm.exe
Command line: "C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\lsm.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2948 -
Depth 10: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\989MOUOnUX.bat"
- Suspicious use of WriteProcessMemory
PID:1940 -
Depth 11: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:756
-
-
Depth 11: C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\lsm.exe
Command line: "C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\lsm.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1404 -
Depth 12: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UQ4uSu8U9J.bat"
PID:2600
-
Depth 13: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:2292
-
-
Depth 13: C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\lsm.exe
Command line: "C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\lsm.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2416 -
Depth 14: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JFTIgCVObE.bat"
PID:380
-
Depth 15: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:2492
-
-
Depth 15: C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\lsm.exe
Command line: "C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\lsm.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2412 -
Depth 16: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EtrZeLjFvq.bat"
PID:2592
-
Depth 17: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:532
-
-
Depth 17: C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\lsm.exe
Command line: "C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\lsm.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2800 -
Depth 18: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VF9LbKHiRa.bat"
PID:2204
-
Depth 19: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:1904
-
-
Depth 19: C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\lsm.exe
Command line: "C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\lsm.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1520 -
Depth 20: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pgCyA6Uc1O.bat"
PID:864
-
Depth 21: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:2584
-
-
Depth 21: C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\lsm.exe
Command line: "C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\lsm.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1556 -
Depth 22: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NDsGBfOUR3.bat"
PID:3052
-
Depth 23: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:1276
-
-
Depth 23: C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\lsm.exe
Command line: "C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\lsm.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:728
-
Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\providercommon\dwm.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2644
-
Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2632
-
Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2720
-
Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Windows\Logs\DISM\lsass.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2624
-
Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\Logs\DISM\lsass.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2728
-
Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Windows\Logs\DISM\lsass.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2932
-
Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\dwm.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2000
-
Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\dwm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2008
-
Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\dwm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2020
-
Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\lsm.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1716
-
Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\lsm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1924
-
Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\lsm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2500
-
Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\spoolsv.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1616
-
Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1188
-
Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1944
-
Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Music\Sample Music\csrss.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1692
-
Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Public\Music\Sample Music\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1668
-
Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Music\Sample Music\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1116
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 5c8ead951e391e5f27b175626b6ac95a
SHA1 738e446bf3e48181ca21c2720bb904e77f8a7fa3
SHA256 aa41c72a000c04da29e65bab2da435e72987ba21a7e159d44a52030f3e789981
SHA512 ad19f5b28f71be980a32a70a226a6315538dbfc518dd92f57442e8590b18f80f28f858a17c80424ed0f0a747b02318b8299c39cbdb2dcf746b11c019e660e7d6
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 6debd82e9d9f04d3d77a559a5211d28b
SHA1 631e800ea651559e498ddfc7048e373357d51826
SHA256 ea355995cfb7b9d813bf018cddb9698e83d14b1abb5d08c8852b5190d67b871d
SHA512 f4f69fa4fdb28ad941229e3028ce94131c362d9f2c03dc96b1c971de700a9b8f6bca738e6fc7e0fcafef369f80ce313552ff4a09c4f2a60aa263b48b0f90e737
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 33a8481fdb66b828f1cdb72f88afb493
SHA1 988ced45669e5b0bdbb3abf5333a8d0fc4672699
SHA256 ecbf92c4d75353cf5307a2dc54132732052f076b52675076898da087ee0bdb56
SHA512 a78c61e04933b905182d683bb7304933a6974e5d26e5c902a138dfea8bad87b22af02cfd007b666b30c062a2ae76403591ae4e6070fb1cc49473218e855da728
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 b91a3efcd10cea7d4cb597ba84999121
SHA1 8c5582c1a8686f5b7b7a1fa8494163bd391a33cd
SHA256 c1dc1bed1d19cc15607616844e235048216e30cd16fe70680832aea78ba0674e
SHA512 4aaa4c82b8970fc6aef658b7d02f7490d5d527a0db0479f27ea5457c24a539234b9c0dcaf70cd8b9af9bb26afe2e5d42c3faa27218b51e8a85bb0283adbd5ff5
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 0695ebf799570de23a2dc1d695565eff
SHA1 e961207e61f1a041699dce6c55bb5a6f49b748ff
SHA256 7ce5448f0c09572021b75ecfd8207f7b2197a6425dac0c711f24af2edef63d01
SHA512 904b783078c086874ed3dd14e4825a56b7f82f35e0519ec6dd05554ddb47efa9ac0d48d141a42bff997d5a1b09dfadc79988b562b2920038b5eab6f4ab4bedd8
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 6f39df81af68902b16d42140f6e46e15
SHA1 94ebe8723fa14d8a0a371571f489196a7ec9eb17
SHA256 8dbeff7b60a507d37a3019fb4f1dc35a75643ad6b12f2c77b7c5be19266ec30a
SHA512 48d743594a15c75fddca19c75fd85e307ba4303e4f1657e169afb02895ce90fefba03846ae7eeab769f9d4438a3a9dded9d20c40bce424160f245e9e8f4aff91
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 13b9be01a89157c67503fcd20b0cec3b
SHA1 6b1f74386cc52bf2b07da47dfdd0aeef07210bfb
SHA256 2bb8fa06c7a422a1a140787c73926e5057ba7b9320e01afb3929e521f4dc2131
SHA512 1197192a53259776a1b2546861e14e71af4b430745b54efa9b208be8261601d484cd602fbe387381f7a006e7536f516f4eb70c309326823c526dce0963c6a2bb
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 077cc454eb4f61561a746b6d53f48312
SHA1 96da1fbab77e7a107dacfeca04a91e5b952d062b
SHA256 cbecdfd73336dfc4b8330cec7decbb12ebacd0f987185454f96b0a3b0acaf9f5
SHA512 82378978129844f5c2922732223ca54ab61a067c2d79452fee03be7aa2f4fddf6d8ee4eb02b37a17ef66d8a5718f7f479519f1ffd693cfe3802a58000e34e9f4
-
Filesize 232B
MD5 f73996b17f92834506b7ba3eb5f1cb5e
SHA1 f0fd0fd3d0b67cc85bdbf0149ad247630d17472c
SHA256 79010edd003aacc4ef46e9df40900fb116d0e75356346a0ed3e616129e9947f5
SHA512 6144364ebcc6d97d89356d7699c368bb16a3d1e5daa2f3ed98c44d0c625bc5eee213edd1b10f999f0fd9e74469266bec3014277b1b128f2ce80a629ba7ba4e93
-
Filesize 70KB
MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize 232B
MD5 5f100dc736da8b0c032a350c7e98e98f
SHA1 911c23cd1cf48d271932b5128b731749d04e94d6
SHA256 9ed5cfc1fedf8931634da6ab4ead2afc2c3ef544f56e41ce6be5220fe3ce9f41
SHA512 96a65834ad4a10dfdbc7f882319d0fa67c260629295982799436a524e55187f870f533aeb4b7ba8700727d3beff0e65890fecb831ee282940c9edf483d37f154
-
Filesize 232B
MD5 ff31731de8837b929c505e4e3dcc74db
SHA1 2b86d51088f05c4a9e08dae1cc49b153c22faae9
SHA256 d589f2712ce2f5db7c54116829531fc3ba7a736e2972027ff386c2e33eaac06d
SHA512 0731708c15016e1058bff47db52249665a4e1570466d07eed1c82b3a9f7ae67aa1e507f41624b78ef09113f5088d0513b9502fa1be638817a5118a2a990444c5
-
Filesize 232B
MD5 e8bae32ffdb7e7b8dfcd5383c361bced
SHA1 a82ba686606b22106f82866d2e6d1b6210d38ce7
SHA256 3f715c153f9e0371f5b3fc615f56607ed3698d5f02981282f21205659f283e5d
SHA512 5e9368a02d5fab307203c860640e6da0ac18fdbf7f65c61393a4e3969d018a8249483afc3a9b1009bc4a306fa4ec06069303d306a147b285785ea091f43b5453
-
Filesize 232B
MD5 cc49de2b35a702fd63d04ce553e2a1f0
SHA1 59eed55a6bbdea574bd46a07dcddeeee91d3edf4
SHA256 92e59bab6c8974e511e3f56c597e5ee49e9d0f5c5e5a714435e6c5b2227f2ca3
SHA512 c4fa7b3ca478082aa1edbb1756ab25adcba9cdfad69437597c08e1507fb5c4a27ff4498be3ecc2169a73d1bb130835b73f543f575c1d10cd523e211d5c95ad60
-
Filesize 181KB
MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize 232B
MD5 f6699c039facf8c7e0b4a5cd27264329
SHA1 84ae6a1b1e38a0e5a8ec0b0f4b6161b2311beba5
SHA256 fd970d4ef986d2d8fbed4ae644d0eecc3ea77868924ee624eef87855e5a7ba82
SHA512 e0ad7299db9c2aaba32f69c3ffe7ba7fdd74a973064cbdf67b9ed0e528f8197c7033172d12916860565d0e5867b049e55d09b2809dea0c6d14e45a1406495c79
-
Filesize 232B
MD5 63d911a496575c7e2c816c987f770ec4
SHA1 4b50abb018e4c8c253425c33049bd73aa4a4ca39
SHA256 bd1b7f768dec1f1115e4144f80aeafd3d64c33aa18c8b5c90aa57afd06b0d3f8
SHA512 c71403645489c6d8e69c1e21e9d6794a963d37d6fa2b6d9f9d4025d795dd3f4d1624973e7a65b3cff42bcb8fb9edb042703e6d58f6665215e9514aaac7c5b992
-
Filesize 232B
MD5 0e4c3a16f8434593ee8f07d9e899b7d4
SHA1 834d0b539fabb9a73b642a1d16b565aa08ff44f4
SHA256 e8cf5cefa14c39205a7357720aab7c18997bbac22bc84e35abbef2f62bc59bc4
SHA512 2a9925eb1d36eed65dbe01c946ac18dc833ce5a95946d72e38e853dece44a28e509f0dc405ddbd4e5d7aa0fd4761b40bf4fd47a79ba6e65343dd4a458cebcbda
-
Filesize 232B
MD5 170dac7276d67d918ee5eb58c5f5ec37
SHA1 9f7eef19ea7fff5fbc494b46dd60a8f0c43b0d14
SHA256 f2e09388eb3abe8b5e04f6aa4c392b912c26a29462eb71aab68b87c00ac2a830
SHA512 0cb7dd382ab31f14fb6c4fd1444121bcea6661776073558fd6deb8cb9811fc044d31d8c7323e8d42ecb6aa32054fff8611640c2498f1a2a25676644921c6c903
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize 7KB
MD5 9abbb510608ac109304e943a7df2e957
SHA1 46cd8e6e6c921d097ad797e1797e35c12c8af03e
SHA256 8acc32d7bd78b2033a6ae937a644fb65d14eb74ab3c481622f27cc24e230a2fe
SHA512 aca1b3cb3408cdde33e593df9d9a260804a4de0414cfa49ee38cd5205b5b2becab8add1f35e80c0211030d6078fae4f4d9a2f72bb2d7b69df217d929e7a7e517
-
Filesize 36B
MD5 6783c3ee07c7d151ceac57f1f9c8bed7
SHA1 17468f98f95bf504cc1f83c49e49a78526b3ea03
SHA256 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512 c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8
-
Filesize 197B
MD5 8088241160261560a02c84025d107592
SHA1 083121f7027557570994c9fc211df61730455bb5
SHA256 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA512 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478
-
Filesize 1.0MB
MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394