Analysis

max time kernel: 150s
max time network: 150s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 30/12/2024, 02:44
Behavioral task behavioral1
Sample: JaffaCakes118_41908e56c965ac7e326e1a38db49a1e9bcd48ae03d7a19a373d47fd88a83c55e.exe
Resource: win7-20240903-en

Behavioral task behavioral2
Sample: JaffaCakes118_41908e56c965ac7e326e1a38db49a1e9bcd48ae03d7a19a373d47fd88a83c55e.exe
Resource: win10v2004-20241007-en
General

Target: JaffaCakes118_41908e56c965ac7e326e1a38db49a1e9bcd48ae03d7a19a373d47fd88a83c55e.exe
Size: 1.3MB
MD5: ae71ed436ff140b39b41007ef47fdd42
SHA1: 9a5dbcc95a31a31fae95e6a92588982fcf3eb90f
SHA256: 41908e56c965ac7e326e1a38db49a1e9bcd48ae03d7a19a373d47fd88a83c55e
SHA512: 6d52cfeab0cf2aa9530ed41096be3c301e624b2ce1e5f6c4dbaa09a97186e9516c41f811871153e0fcc57fae7a5c2671030c12bb3ead7d2eac4d5c58b64ac4b9
SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Signatures

DcRat
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

Dcrat family

Process spawned unexpected child process (18 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
Parent C:\Windows\system32\wbem\wmiprvse.exe (pid_target 2616, procid_target 34) is not expected to spawn schtasks.exe; schtasks.exe PIDs: 2592, 2988, 1964, 1972, 2536, 2844, 2876, 2888, 664, 1736, 1996, 2076, 1852, 3020, 572, 568, 776, 1644

YARA rule matches (resource: yara_rule):
behavioral1/files/0x0008000000016edc-11.dat: dcrat
behavioral1/memory/2904-13-0x0000000000390000-0x00000000004A0000-memory.dmp: dcrat
behavioral1/memory/2944-73-0x0000000001340000-0x0000000001450000-memory.dmp: dcrat
behavioral1/memory/3020-546-0x0000000000230000-0x0000000000340000-memory.dmp: dcrat
behavioral1/memory/912-606-0x0000000000370000-0x0000000000480000-memory.dmp: dcrat
Command and Scripting Interpreter: PowerShell (1 TTP, 7 IoCs)
Runs PowerShell to modify Windows Defender settings and add exclusions for file extensions, paths, and processes.
PID / Process: 1756 powershell.exe; 2792 powershell.exe; 1248 powershell.exe; 2488 powershell.exe; 2072 powershell.exe; 2124 powershell.exe; 2420 powershell.exe

Executes dropped EXE (11 IoCs)
PID / Process: 2904 DllCommonsvc.exe; 2944 conhost.exe; 1284 conhost.exe; 1272 conhost.exe; 2460 conhost.exe; 1504 conhost.exe; 2060 conhost.exe; 2792 conhost.exe; 2904 conhost.exe; 3020 conhost.exe; 912 conhost.exe

Loads dropped DLL (2 IoCs)
PID / Process: 2684 cmd.exe; 2684 cmd.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTP, 11 IoCs)
Flow / IoC: 15 raw.githubusercontent.com; 25 raw.githubusercontent.com; 28 raw.githubusercontent.com; 19 raw.githubusercontent.com; 22 raw.githubusercontent.com; 32 raw.githubusercontent.com; 35 raw.githubusercontent.com; 4 raw.githubusercontent.com; 5 raw.githubusercontent.com; 9 raw.githubusercontent.com; 12 raw.githubusercontent.com

Drops file in Program Files directory (2 IoCs)
File created: C:\Program Files (x86)\Common Files\microsoft shared\Stationery\cmd.exe (by DllCommonsvc.exe)
File created: C:\Program Files (x86)\Common Files\microsoft shared\Stationery\ebf1f9fa8afd6d (by DllCommonsvc.exe)

Drops file in Windows directory (2 IoCs)
File created: C:\Windows\ja-JP\24dbde2999530e (by DllCommonsvc.exe)
File created: C:\Windows\ja-JP\WmiPrvSE.exe (by DllCommonsvc.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (by cmd.exe)
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (by JaffaCakes118_41908e56c965ac7e326e1a38db49a1e9bcd48ae03d7a19a373d47fd88a83c55e.exe)
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (by WScript.exe)

Scheduled Task/Job: Scheduled Task (1 TTP, 18 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
schtasks.exe PIDs: 2988, 1964, 2076, 1852, 2592, 2844, 572, 1644, 1972, 2888, 568, 776, 2876, 664, 1736, 1996, 3020, 2536

Suspicious behavior: EnumeratesProcesses (20 IoCs)
PID / Process: 2904 DllCommonsvc.exe (3 events); powershell.exe 2072, 1756, 2488, 2420, 2124, 2792, 1248; conhost.exe 2944, 1284, 1272, 2460, 1504, 2060, 2792, 2904, 3020, 912

Suspicious use of AdjustPrivilegeToken (18 IoCs)
Token SeDebugPrivilege: 2904 DllCommonsvc.exe; powershell.exe 2072, 1756, 2488, 2420, 2124, 2792, 1248; conhost.exe 2944, 1284, 1272, 2460, 1504, 2060, 2792, 2904, 3020, 912

Suspicious use of WriteProcessMemory (64 IoCs)
PID / Process wrote to memory of PID (procid_target); each pair is listed once although the report records it several times:
2996 JaffaCakes118_41908e56c965ac7e326e1a38db49a1e9bcd48ae03d7a19a373d47fd88a83c55e.exe -> 2752 (30)
2752 WScript.exe -> 2684 (31)
2684 cmd.exe -> 2904 (33)
2904 DllCommonsvc.exe -> 1756 (53), 1248 (54), 2792 (55), 2488 (56), 2072 (57), 2124 (58), 2420 (59), 2924 (67)
2924 cmd.exe -> 1672 (69), 2944 (70)
2944 conhost.exe -> 2444 (71)
2444 cmd.exe -> 1504 (73), 1284 (74)
1284 conhost.exe -> 2060 (75)
2060 cmd.exe -> 1904 (77), 1272 (78)
1272 conhost.exe -> 2792 (79)
2792 cmd.exe -> 1728 (81)

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
(The bracketed number is the depth of the process in the process tree.)

[1] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_41908e56c965ac7e326e1a38db49a1e9bcd48ae03d7a19a373d47fd88a83c55e.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_41908e56c965ac7e326e1a38db49a1e9bcd48ae03d7a19a373d47fd88a83c55e.exe"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 2996

[2] C:\Windows\SysWOW64\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 2752

[3] C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c ""C:\providercommon\1zu9dW.bat" "
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 2684

[4] C:\providercommon\DllCommonsvc.exe
    Command line: "C:\providercommon\DllCommonsvc.exe"
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 2904

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1756

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\WmiPrvSE.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1248

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\microsoft shared\Stationery\cmd.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2792

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ja-JP\WmiPrvSE.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2488

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\conhost.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2072

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\OSPPSVC.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2124

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\lsass.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2420

[5] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NUopwCXjzr.bat"
    - Suspicious use of WriteProcessMemory
    PID: 2924

[6] C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 1672

[6] C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\conhost.exe
    Command line: "C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\conhost.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 2944

[7] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3Bw8qtkvcA.bat"
    - Suspicious use of WriteProcessMemory
    PID: 2444

[8] C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 1504

[8] C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\conhost.exe
    Command line: "C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\conhost.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 1284

[9] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1n8esAjYxK.bat"
    - Suspicious use of WriteProcessMemory
    PID: 2060

[10] C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 1904

[10] C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\conhost.exe
    Command line: "C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\conhost.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 1272

[11] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\95TPLp0dsP.bat"
    - Suspicious use of WriteProcessMemory
    PID: 2792

[12] C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 1728

[12] C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\conhost.exe
    Command line: "C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\conhost.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2460

[13] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\c38FLB8gIG.bat"
    PID: 2664

[14] C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 1508

[14] C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\conhost.exe
    Command line: "C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\conhost.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1504

[15] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pakqiPPahT.bat"
    PID: 1696

[16] C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 1616

[16] C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\conhost.exe
    Command line: "C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\conhost.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2060

[17] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TGRMrapfWg.bat"
    PID: 1740

[18] C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 2092

[18] C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\conhost.exe
    Command line: "C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\conhost.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2792

[19] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8Lq6d7xQt2.bat"
    PID: 1744

[20] C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 1260

[20] C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\conhost.exe
    Command line: "C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\conhost.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2904

[21] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1CKPPXbanu.bat"
    PID: 2588

[22] C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 2572

[22] C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\conhost.exe
    Command line: "C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\conhost.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 3020

[23] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pI0EcicZAo.bat"
    PID: 800

[24] C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 688

[24] C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\conhost.exe
    Command line: "C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\conhost.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 912

[25] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Pbn0SniZDX.bat"
    PID: 1596
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\WmiPrvSE.exe'" /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2592

[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\WmiPrvSE.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2988

[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\WmiPrvSE.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 1964

[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Common Files\microsoft shared\Stationery\cmd.exe'" /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 1972

[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\microsoft shared\Stationery\cmd.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2536

[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Common Files\microsoft shared\Stationery\cmd.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2844

[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Windows\ja-JP\WmiPrvSE.exe'" /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2876

[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\ja-JP\WmiPrvSE.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2888

[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Windows\ja-JP\WmiPrvSE.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 664

[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\conhost.exe'" /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 1736

[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\conhost.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 1996

[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\conhost.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2076

[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\OSPPSVC.exe'" /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 1852

[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\OSPPSVC.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 3020

[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\OSPPSVC.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 572

[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Users\Default\lsass.exe'" /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 568

[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Default\lsass.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 776

[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Users\Default\lsass.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 1644