Analysis
max time kernel
147s
max time network
147s
platform
windows7_x64
resource
win7-20240903-en
resource tags
arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted
30/12/2024, 02:34
Behavioral task
behavioral1
Sample
JaffaCakes118_cd2d9319ab9fd432fb58d195688ced06a6512d62dc6bf351b18b28653b9e883d.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
JaffaCakes118_cd2d9319ab9fd432fb58d195688ced06a6512d62dc6bf351b18b28653b9e883d.exe
Resource
win10v2004-20241007-en
General
Target
JaffaCakes118_cd2d9319ab9fd432fb58d195688ced06a6512d62dc6bf351b18b28653b9e883d.exe
Size
1.3MB
MD5
261c3f1e4b8be79a0fff991a0f1e90bf
SHA1
80c3f2f9cd8ed8622239ea802bb322c46530549e
SHA256
cd2d9319ab9fd432fb58d195688ced06a6512d62dc6bf351b18b28653b9e883d
SHA512
3287f2186ef49c89b015395dcc5f7e32058099aeb1cc09f054412dd46b29f5d9186acda2d94eadfbb16854f685b5d0870e6dcd5f28451a8f0e58e501cd4ea0f8
SSDEEP
24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Signatures

DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.

Dcrat family
yara_rule  resource
dcrat      behavioral1/files/0x0007000000017472-10.dat
dcrat      behavioral1/memory/2800-13-0x0000000000CB0000-0x0000000000DC0000-memory.dmp
dcrat      behavioral1/memory/1636-73-0x0000000001240000-0x0000000001350000-memory.dmp
dcrat      behavioral1/memory/2644-132-0x00000000002E0000-0x00000000003F0000-memory.dmp
dcrat      behavioral1/memory/840-193-0x0000000000390000-0x00000000004A0000-memory.dmp
dcrat      behavioral1/memory/2504-254-0x0000000000B70000-0x0000000000C80000-memory.dmp
dcrat      behavioral1/memory/1820-314-0x00000000003B0000-0x00000000004C0000-memory.dmp
dcrat      behavioral1/memory/2084-434-0x0000000000830000-0x0000000000940000-memory.dmp
dcrat      behavioral1/memory/1972-494-0x0000000000F00000-0x0000000001010000-memory.dmp
dcrat      behavioral1/memory/2156-615-0x00000000001D0000-0x00000000002E0000-memory.dmp

Process spawned unexpected child process (18 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
Columns: description / pid / pid_target / Process / procid_target
All 18 entries share the same description, parent and child: "Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process", pid_target 2628, Process schtasks.exe, procid_target 34.
The spawned schtasks.exe pids, in report order: 2612, 1272, 1484, 1316, 2316, 2392, 2280, 292, 1796, 1260, 2324, 2260, 2784, 2860, 1460, 2132, 2188, 332.
Command and Scripting Interpreter: PowerShell (1 TTP, 7 IoCs)
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid / Process: powershell.exe with pids 2152, 2320, 444, 2964, 2124, 1748, 1904.
Executes dropped EXE (11 IoCs)
pid / Process: 2800 DllCommonsvc.exe; WmiPrvSE.exe with pids 1636, 2644, 840, 2504, 1820, 1480, 2084, 1972, 2844, 2156.
Loads dropped DLL (2 IoCs)
pid / Process: 2820 cmd.exe (two entries).
Legitimate hosting services abused for malware hosting/C2 (1 TTP, 10 IoCs)
flow / ioc: raw.githubusercontent.com in flows 12, 16, 25, 29, 32, 4, 5, 9, 19, 22.
Drops file in Program Files directory (5 IoCs)
description / ioc / Process:
- File opened for modification: C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\taskhost.exe (DllCommonsvc.exe)
- File created: C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\b75386f1303e64 (DllCommonsvc.exe)
- File created: C:\Program Files\Java\jre7\bin\dtplugin\csrss.exe (DllCommonsvc.exe)
- File created: C:\Program Files\Java\jre7\bin\dtplugin\886983d96e3d3e (DllCommonsvc.exe)
- File created: C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\taskhost.exe (DllCommonsvc.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description / ioc / Process: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by JaffaCakes118_cd2d9319ab9fd432fb58d195688ced06a6512d62dc6bf351b18b28653b9e883d.exe, WScript.exe and cmd.exe.
Scheduled Task/Job: Scheduled Task (1 TTP, 18 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid / Process: schtasks.exe with pids 2324, 2860, 332, 1316, 292, 1260, 1460, 2784, 2132, 2188, 2612, 2316, 2280, 1796, 1272, 1484, 2392, 2260.
Suspicious behavior: EnumeratesProcesses (18 IoCs)
pid / Process: 2800 DllCommonsvc.exe; powershell.exe with pids 2124, 444, 2964, 2320, 1904, 1748, 2152; WmiPrvSE.exe with pids 1636, 2644, 840, 2504, 1820, 1480, 2084, 1972, 2844, 2156.
Suspicious use of AdjustPrivilegeToken (18 IoCs)
description / pid / Process: Token: SeDebugPrivilege for 2800 DllCommonsvc.exe; powershell.exe with pids 2124, 444, 2964, 2320, 1904, 1748, 2152; WmiPrvSE.exe with pids 1636, 2644, 840, 2504, 1820, 1480, 2084, 1972, 2844, 2156.
Suspicious use of WriteProcessMemory (64 IoCs)
Columns: description / pid / Process / procid_target. The report repeats each relation several times; the repetition count is given in parentheses.
- PID 2364 (JaffaCakes118_cd2d9319ab9fd432fb58d195688ced06a6512d62dc6bf351b18b28653b9e883d.exe) wrote to memory of 2760, procid_target 30 (x4)
- PID 2760 (WScript.exe) wrote to memory of 2820, procid_target 31 (x4)
- PID 2820 (cmd.exe) wrote to memory of 2800, procid_target 33 (x4)
- PID 2800 (DllCommonsvc.exe) wrote to memory of 1748 (procid_target 53), 1904 (54), 2124 (56), 2320 (57), 2152 (60), 444 (63), 2964 (64), 1076 (67) (x3 each)
- PID 1076 (cmd.exe) wrote to memory of 1496 (69), 1636 (70) (x3 each)
- PID 1636 (WmiPrvSE.exe) wrote to memory of 2924 (71) (x3)
- PID 2924 (cmd.exe) wrote to memory of 1276 (73), 2644 (74) (x3 each)
- PID 2644 (WmiPrvSE.exe) wrote to memory of 1960 (75) (x3)
- PID 1960 (cmd.exe) wrote to memory of 2016 (77), 840 (78) (x3 each)
- PID 840 (WmiPrvSE.exe) wrote to memory of 2824 (79) (x3)
- PID 2824 (cmd.exe) wrote to memory of 2212 (81) (x1; the table ends at the 64th entry)
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

[depth 1] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cd2d9319ab9fd432fb58d195688ced06a6512d62dc6bf351b18b28653b9e883d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cd2d9319ab9fd432fb58d195688ced06a6512d62dc6bf351b18b28653b9e883d.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2364

[depth 2] C:\Windows\SysWOW64\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2760

[depth 3] C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c ""C:\providercommon\1zu9dW.bat" "
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2820

[depth 4] C:\providercommon\DllCommonsvc.exe
  Command line: "C:\providercommon\DllCommonsvc.exe"
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2800

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1748
[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\taskhost.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1904

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\csrss.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2124

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2320

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsm.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2152

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\jre7\bin\dtplugin\csrss.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 444

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Searches\wininit.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2964
[depth 5] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mk2kVjaeOt.bat"
  - Suspicious use of WriteProcessMemory
  PID: 1076

[depth 6] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 1496

[depth 6] C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe
  Command line: "C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1636

[depth 7] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7JTBpj7DN0.bat"
  - Suspicious use of WriteProcessMemory
  PID: 2924

[depth 8] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 1276

[depth 8] C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe
  Command line: "C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2644

[depth 9] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\O1BWw2qr2X.bat"
  - Suspicious use of WriteProcessMemory
  PID: 1960

[depth 10] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2016

[depth 10] C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe
  Command line: "C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 840

[depth 11] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\M53DwaTFc6.bat"
  - Suspicious use of WriteProcessMemory
  PID: 2824

[depth 12] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2212

[depth 12] C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe
  Command line: "C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2504

[depth 13] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\T7KIMELUbd.bat"
  PID: 2204

[depth 14] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2652

[depth 14] C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe
  Command line: "C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1820

[depth 15] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pCY6B1XXru.bat"
  PID: 2612

[depth 16] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 768

[depth 16] C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe
  Command line: "C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1480

[depth 17] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KRs2fZV4we.bat"
  PID: 2188

[depth 18] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 916

[depth 18] C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe
  Command line: "C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2084

[depth 19] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2XkxZsmkwh.bat"
  PID: 876

[depth 20] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 1944

[depth 20] C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe
  Command line: "C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1972

[depth 21] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\u02VouYs0z.bat"
  PID: 1640

[depth 22] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2352

[depth 22] C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe
  Command line: "C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2844

[depth 23] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5cWoBfSAzl.bat"
  PID: 2100

[depth 24] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 1524

[depth 24] C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe
  Command line: "C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2156
[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\taskhost.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2612

[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\taskhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1272

[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\taskhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1484

[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1316

[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2316

[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2392

[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2280

[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 292

[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1796

[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsm.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1260

[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsm.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2324

[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsm.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2260

[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Java\jre7\bin\dtplugin\csrss.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2784

[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Java\jre7\bin\dtplugin\csrss.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2860

[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Java\jre7\bin\dtplugin\csrss.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1460

[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Searches\wininit.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2132

[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Admin\Searches\wininit.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2188

[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Searches\wininit.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 332
Downloads