Analysis
max time kernel: 147s
max time network: 142s
platform: windows7_x64
resource: win7-20241023-en
resource tags: arch:x64 arch:x86 image:win7-20241023-en locale:en-us os:windows7-x64 system
submitted: 30/12/2024, 02:20
Behavioral task behavioral1
Sample: JaffaCakes118_a31a2c723d18f5db2c5d963c5fffb6f1931384e5b24dd2da129d1a208f27322a.exe
Resource: win7-20241023-en
Behavioral task behavioral2
Sample: JaffaCakes118_a31a2c723d18f5db2c5d963c5fffb6f1931384e5b24dd2da129d1a208f27322a.exe
Resource: win10v2004-20241007-en
General
Target: JaffaCakes118_a31a2c723d18f5db2c5d963c5fffb6f1931384e5b24dd2da129d1a208f27322a.exe
Size: 1.3MB
MD5: fdb3dc5552dc4efe431cf601ef09e6c6
SHA1: edc4dbb399ae32ec287eaac6dece94ffcd40fd8a
SHA256: a31a2c723d18f5db2c5d963c5fffb6f1931384e5b24dd2da129d1a208f27322a
SHA512: a47efb1a93ce70468f49c5b850a29af30cb3bae7f1e646c084a18e99e1720390be759a617d01878602f170ae47c814e9facb041a3129170a969dfaeb517e264a
SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
DcRat
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
Dcrat family
Process spawned unexpected child process 21 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2940 | 332 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2720 | 332 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2860 | 332 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2692 | 332 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2724 | 332 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2816 | 332 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2744 | 332 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1804 | 332 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 920 | 332 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3052 | 332 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3056 | 332 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1744 | 332 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2992 | 332 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1300 | 332 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3004 | 332 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3016 | 332 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2368 | 332 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1448 | 332 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1276 | 332 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2260 | 332 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2280 | 332 | schtasks.exe | 35
resource | yara_rule
behavioral1/files/0x00070000000186f1-11.dat | dcrat
behavioral1/memory/2440-13-0x0000000000CE0000-0x0000000000DF0000-memory.dmp | dcrat
behavioral1/memory/2172-80-0x00000000001C0000-0x00000000002D0000-memory.dmp | dcrat
behavioral1/memory/2384-139-0x00000000003D0000-0x00000000004E0000-memory.dmp | dcrat
behavioral1/memory/1648-200-0x0000000000D30000-0x0000000000E40000-memory.dmp | dcrat
behavioral1/memory/2356-260-0x0000000000050000-0x0000000000160000-memory.dmp | dcrat
behavioral1/memory/2600-320-0x0000000001050000-0x0000000001160000-memory.dmp | dcrat
behavioral1/memory/2264-557-0x00000000003F0000-0x0000000000500000-memory.dmp | dcrat
behavioral1/memory/2880-617-0x0000000000F50000-0x0000000001060000-memory.dmp | dcrat
behavioral1/memory/1928-677-0x0000000000390000-0x00000000004A0000-memory.dmp | dcrat
Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
pid | Process
1244 | powershell.exe
2320 | powershell.exe
2272 | powershell.exe
2448 | powershell.exe
2072 | powershell.exe
2128 | powershell.exe
2484 | powershell.exe
2308 | powershell.exe
Executes dropped EXE 12 IoCs
pid | Process
2440 | DllCommonsvc.exe
2172 | smss.exe
2384 | smss.exe
1648 | smss.exe
2356 | smss.exe
2600 | smss.exe
944 | smss.exe
1484 | smss.exe
2516 | smss.exe
2264 | smss.exe
2880 | smss.exe
1928 | smss.exe
Loads dropped DLL 2 IoCs
pid | Process
2968 | cmd.exe
2968 | cmd.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs
flow | ioc
23 | raw.githubusercontent.com
26 | raw.githubusercontent.com
29 | raw.githubusercontent.com
36 | raw.githubusercontent.com
4 | raw.githubusercontent.com
5 | raw.githubusercontent.com
12 | raw.githubusercontent.com
16 | raw.githubusercontent.com
9 | raw.githubusercontent.com
20 | raw.githubusercontent.com
33 | raw.githubusercontent.com
Drops file in Program Files directory 7 IoCs
description | ioc | Process
File created | C:\Program Files\Uninstall Information\WmiPrvSE.exe | DllCommonsvc.exe
File created | C:\Program Files\Uninstall Information\24dbde2999530e | DllCommonsvc.exe
File created | C:\Program Files\Google\taskhost.exe | DllCommonsvc.exe
File created | C:\Program Files\Google\b75386f1303e64 | DllCommonsvc.exe
File created | C:\Program Files\Windows Journal\winlogon.exe | DllCommonsvc.exe
File opened for modification | C:\Program Files\Windows Journal\winlogon.exe | DllCommonsvc.exe
File created | C:\Program Files\Windows Journal\cc11b995f2a76d | DllCommonsvc.exe
Drops file in Windows directory 4 IoCs
description | ioc | Process
File created | C:\Windows\Panther\setup.exe\OSPPSVC.exe | DllCommonsvc.exe
File created | C:\Windows\Panther\setup.exe\1610b97d3ab4a7 | DllCommonsvc.exe
File created | C:\Windows\de-DE\smss.exe | DllCommonsvc.exe
File created | C:\Windows\de-DE\69ddcba757bf72 | DllCommonsvc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_a31a2c723d18f5db2c5d963c5fffb6f1931384e5b24dd2da129d1a208f27322a.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 21 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
1300 | schtasks.exe
3016 | schtasks.exe
2744 | schtasks.exe
1804 | schtasks.exe
3056 | schtasks.exe
1744 | schtasks.exe
2940 | schtasks.exe
920 | schtasks.exe
3004 | schtasks.exe
2280 | schtasks.exe
1276 | schtasks.exe
2260 | schtasks.exe
2720 | schtasks.exe
2692 | schtasks.exe
2992 | schtasks.exe
2368 | schtasks.exe
1448 | schtasks.exe
2860 | schtasks.exe
2724 | schtasks.exe
2816 | schtasks.exe
3052 | schtasks.exe
Suspicious behavior: EnumeratesProcesses 20 IoCs
pid | Process
2440 | DllCommonsvc.exe
2308 | powershell.exe
2128 | powershell.exe
2484 | powershell.exe
1244 | powershell.exe
2448 | powershell.exe
2320 | powershell.exe
2072 | powershell.exe
2272 | powershell.exe
2172 | smss.exe
2384 | smss.exe
1648 | smss.exe
2356 | smss.exe
2600 | smss.exe
944 | smss.exe
1484 | smss.exe
2516 | smss.exe
2264 | smss.exe
2880 | smss.exe
1928 | smss.exe
Suspicious use of AdjustPrivilegeToken 20 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2440 | DllCommonsvc.exe
Token: SeDebugPrivilege | 2308 | powershell.exe
Token: SeDebugPrivilege | 2128 | powershell.exe
Token: SeDebugPrivilege | 2484 | powershell.exe
Token: SeDebugPrivilege | 1244 | powershell.exe
Token: SeDebugPrivilege | 2448 | powershell.exe
Token: SeDebugPrivilege | 2320 | powershell.exe
Token: SeDebugPrivilege | 2072 | powershell.exe
Token: SeDebugPrivilege | 2272 | powershell.exe
Token: SeDebugPrivilege | 2172 | smss.exe
Token: SeDebugPrivilege | 2384 | smss.exe
Token: SeDebugPrivilege | 1648 | smss.exe
Token: SeDebugPrivilege | 2356 | smss.exe
Token: SeDebugPrivilege | 2600 | smss.exe
Token: SeDebugPrivilege | 944 | smss.exe
Token: SeDebugPrivilege | 1484 | smss.exe
Token: SeDebugPrivilege | 2516 | smss.exe
Token: SeDebugPrivilege | 2264 | smss.exe
Token: SeDebugPrivilege | 2880 | smss.exe
Token: SeDebugPrivilege | 1928 | smss.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 1484 wrote to memory of 320 | 1484 | JaffaCakes118_a31a2c723d18f5db2c5d963c5fffb6f1931384e5b24dd2da129d1a208f27322a.exe | 31
PID 1484 wrote to memory of 320 | 1484 | JaffaCakes118_a31a2c723d18f5db2c5d963c5fffb6f1931384e5b24dd2da129d1a208f27322a.exe | 31
PID 1484 wrote to memory of 320 | 1484 | JaffaCakes118_a31a2c723d18f5db2c5d963c5fffb6f1931384e5b24dd2da129d1a208f27322a.exe | 31
PID 1484 wrote to memory of 320 | 1484 | JaffaCakes118_a31a2c723d18f5db2c5d963c5fffb6f1931384e5b24dd2da129d1a208f27322a.exe | 31
PID 320 wrote to memory of 2968 | 320 | WScript.exe | 32
PID 320 wrote to memory of 2968 | 320 | WScript.exe | 32
PID 320 wrote to memory of 2968 | 320 | WScript.exe | 32
PID 320 wrote to memory of 2968 | 320 | WScript.exe | 32
PID 2968 wrote to memory of 2440 | 2968 | cmd.exe | 34
PID 2968 wrote to memory of 2440 | 2968 | cmd.exe | 34
PID 2968 wrote to memory of 2440 | 2968 | cmd.exe | 34
PID 2968 wrote to memory of 2440 | 2968 | cmd.exe | 34
PID 2440 wrote to memory of 2484 | 2440 | DllCommonsvc.exe | 57
PID 2440 wrote to memory of 2484 | 2440 | DllCommonsvc.exe | 57
PID 2440 wrote to memory of 2484 | 2440 | DllCommonsvc.exe | 57
PID 2440 wrote to memory of 2128 | 2440 | DllCommonsvc.exe | 58
PID 2440 wrote to memory of 2128 | 2440 | DllCommonsvc.exe | 58
PID 2440 wrote to memory of 2128 | 2440 | DllCommonsvc.exe | 58
PID 2440 wrote to memory of 2308 | 2440 | DllCommonsvc.exe | 59
PID 2440 wrote to memory of 2308 | 2440 | DllCommonsvc.exe | 59
PID 2440 wrote to memory of 2308 | 2440 | DllCommonsvc.exe | 59
PID 2440 wrote to memory of 2072 | 2440 | DllCommonsvc.exe | 62
PID 2440 wrote to memory of 2072 | 2440 | DllCommonsvc.exe | 62
PID 2440 wrote to memory of 2072 | 2440 | DllCommonsvc.exe | 62
PID 2440 wrote to memory of 1244 | 2440 | DllCommonsvc.exe | 63
PID 2440 wrote to memory of 1244 | 2440 | DllCommonsvc.exe | 63
PID 2440 wrote to memory of 1244 | 2440 | DllCommonsvc.exe | 63
PID 2440 wrote to memory of 2448 | 2440 | DllCommonsvc.exe | 64
PID 2440 wrote to memory of 2448 | 2440 | DllCommonsvc.exe | 64
PID 2440 wrote to memory of 2448 | 2440 | DllCommonsvc.exe | 64
PID 2440 wrote to memory of 2320 | 2440 | DllCommonsvc.exe | 65
PID 2440 wrote to memory of 2320 | 2440 | DllCommonsvc.exe | 65
PID 2440 wrote to memory of 2320 | 2440 | DllCommonsvc.exe | 65
PID 2440 wrote to memory of 2272 | 2440 | DllCommonsvc.exe | 66
PID 2440 wrote to memory of 2272 | 2440 | DllCommonsvc.exe | 66
PID 2440 wrote to memory of 2272 | 2440 | DllCommonsvc.exe | 66
PID 2440 wrote to memory of 1000 | 2440 | DllCommonsvc.exe | 72
PID 2440 wrote to memory of 1000 | 2440 | DllCommonsvc.exe | 72
PID 2440 wrote to memory of 1000 | 2440 | DllCommonsvc.exe | 72
PID 1000 wrote to memory of 1808 | 1000 | cmd.exe | 75
PID 1000 wrote to memory of 1808 | 1000 | cmd.exe | 75
PID 1000 wrote to memory of 1808 | 1000 | cmd.exe | 75
PID 1000 wrote to memory of 2172 | 1000 | cmd.exe | 76
PID 1000 wrote to memory of 2172 | 1000 | cmd.exe | 76
PID 1000 wrote to memory of 2172 | 1000 | cmd.exe | 76
PID 2172 wrote to memory of 2948 | 2172 | smss.exe | 77
PID 2172 wrote to memory of 2948 | 2172 | smss.exe | 77
PID 2172 wrote to memory of 2948 | 2172 | smss.exe | 77
PID 2948 wrote to memory of 920 | 2948 | cmd.exe | 79
PID 2948 wrote to memory of 920 | 2948 | cmd.exe | 79
PID 2948 wrote to memory of 920 | 2948 | cmd.exe | 79
PID 2948 wrote to memory of 2384 | 2948 | cmd.exe | 80
PID 2948 wrote to memory of 2384 | 2948 | cmd.exe | 80
PID 2948 wrote to memory of 2384 | 2948 | cmd.exe | 80
PID 2384 wrote to memory of 884 | 2384 | smss.exe | 81
PID 2384 wrote to memory of 884 | 2384 | smss.exe | 81
PID 2384 wrote to memory of 884 | 2384 | smss.exe | 81
PID 884 wrote to memory of 2188 | 884 | cmd.exe | 83
PID 884 wrote to memory of 2188 | 884 | cmd.exe | 83
PID 884 wrote to memory of 2188 | 884 | cmd.exe | 83
PID 884 wrote to memory of 1648 | 884 | cmd.exe | 84
PID 884 wrote to memory of 1648 | 884 | cmd.exe | 84
PID 884 wrote to memory of 1648 | 884 | cmd.exe | 84
PID 1648 wrote to memory of 2584 | 1648 | smss.exe | 85
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Depth in the process tree is given in brackets.

[1] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a31a2c723d18f5db2c5d963c5fffb6f1931384e5b24dd2da129d1a208f27322a.exe
command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a31a2c723d18f5db2c5d963c5fffb6f1931384e5b24dd2da129d1a208f27322a.exe"
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1484

[2] C:\Windows\SysWOW64\WScript.exe
command line: "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:320

[3] C:\Windows\SysWOW64\cmd.exe
command line: cmd /c ""C:\providercommon\1zu9dW.bat" "
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2968

[4] C:\providercommon\DllCommonsvc.exe
command line: "C:\providercommon\DllCommonsvc.exe"
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2440

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2484

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Journal\winlogon.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2128

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\WmiPrvSE.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2308

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\taskhost.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2072

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Google\taskhost.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1244

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\dwm.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2448

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Panther\setup.exe\OSPPSVC.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2320

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\de-DE\smss.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2272

[5] C:\Windows\System32\cmd.exe
command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tAV1Y7tqnp.bat"
- Suspicious use of WriteProcessMemory
PID:1000

[6] C:\Windows\system32\w32tm.exe
command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:1808

[6] C:\Windows\de-DE\smss.exe
command line: "C:\Windows\de-DE\smss.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2172

[7] C:\Windows\System32\cmd.exe
command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KOC6cu7vKW.bat"
- Suspicious use of WriteProcessMemory
PID:2948

[8] C:\Windows\system32\w32tm.exe
command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:920

[8] C:\Windows\de-DE\smss.exe
command line: "C:\Windows\de-DE\smss.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2384

[9] C:\Windows\System32\cmd.exe
command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TZCyxGcg3L.bat"
- Suspicious use of WriteProcessMemory
PID:884

[10] C:\Windows\system32\w32tm.exe
command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:2188

[10] C:\Windows\de-DE\smss.exe
command line: "C:\Windows\de-DE\smss.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1648

[11] C:\Windows\System32\cmd.exe
command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DiMaLaQqUm.bat"
PID:2584

[12] C:\Windows\system32\w32tm.exe
command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:1484

[12] C:\Windows\de-DE\smss.exe
command line: "C:\Windows\de-DE\smss.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2356

[13] C:\Windows\System32\cmd.exe
command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BlQmztffGe.bat"
PID:2692

[14] C:\Windows\system32\w32tm.exe
command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:2204

[14] C:\Windows\de-DE\smss.exe
command line: "C:\Windows\de-DE\smss.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2600

[15] C:\Windows\System32\cmd.exe
command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\m1RNSv4oba.bat"
PID:1612

[16] C:\Windows\system32\w32tm.exe
command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:1780

[16] C:\Windows\de-DE\smss.exe
command line: "C:\Windows\de-DE\smss.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:944

[17] C:\Windows\System32\cmd.exe
command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bbMo3XBCxD.bat"
PID:2476

[18] C:\Windows\system32\w32tm.exe
command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:1648

[18] C:\Windows\de-DE\smss.exe
command line: "C:\Windows\de-DE\smss.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1484

[19] C:\Windows\System32\cmd.exe
command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\p6CE4ikEee.bat"
PID:1396

[20] C:\Windows\system32\w32tm.exe
command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:900

[20] C:\Windows\de-DE\smss.exe
command line: "C:\Windows\de-DE\smss.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2516

[21] C:\Windows\System32\cmd.exe
command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\j8BV8simza.bat"
PID:2268

[22] C:\Windows\system32\w32tm.exe
command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:2532

[22] C:\Windows\de-DE\smss.exe
command line: "C:\Windows\de-DE\smss.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2264

[23] C:\Windows\System32\cmd.exe
command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\410ZzJtAuR.bat"
PID:2008

[24] C:\Windows\system32\w32tm.exe
command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:2656

[24] C:\Windows\de-DE\smss.exe
command line: "C:\Windows\de-DE\smss.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2880

[25] C:\Windows\System32\cmd.exe
command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZH81p4FGmr.bat"
PID:2984

[26] C:\Windows\system32\w32tm.exe
command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:2736

[26] C:\Windows\de-DE\smss.exe
command line: "C:\Windows\de-DE\smss.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1928
[1] C:\Windows\system32\schtasks.exe
command line: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Journal\winlogon.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2940

[1] C:\Windows\system32\schtasks.exe
command line: schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\winlogon.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2720

[1] C:\Windows\system32\schtasks.exe
command line: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Journal\winlogon.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2860

[1] C:\Windows\system32\schtasks.exe
command line: schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Program Files\Uninstall Information\WmiPrvSE.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2692

[1] C:\Windows\system32\schtasks.exe
command line: schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\WmiPrvSE.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2724

[1] C:\Windows\system32\schtasks.exe
command line: schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Program Files\Uninstall Information\WmiPrvSE.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2816

[1] C:\Windows\system32\schtasks.exe
command line: schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\providercommon\taskhost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2744

[1] C:\Windows\system32\schtasks.exe
command line: schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\providercommon\taskhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1804

[1] C:\Windows\system32\schtasks.exe
command line: schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\providercommon\taskhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:920

[1] C:\Windows\system32\schtasks.exe
command line: schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Program Files\Google\taskhost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3052

[1] C:\Windows\system32\schtasks.exe
command line: schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Google\taskhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3056

[1] C:\Windows\system32\schtasks.exe
command line: schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Program Files\Google\taskhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1744

[1] C:\Windows\system32\schtasks.exe
command line: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\dwm.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2992

[1] C:\Windows\system32\schtasks.exe
command line: schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\dwm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1300

[1] C:\Windows\system32\schtasks.exe
command line: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\dwm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3004

[1] C:\Windows\system32\schtasks.exe
command line: schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\Windows\Panther\setup.exe\OSPPSVC.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3016

[1] C:\Windows\system32\schtasks.exe
command line: schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Windows\Panther\setup.exe\OSPPSVC.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2368

[1] C:\Windows\system32\schtasks.exe
command line: schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\Windows\Panther\setup.exe\OSPPSVC.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1448

[1] C:\Windows\system32\schtasks.exe
command line: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Windows\de-DE\smss.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1276

[1] C:\Windows\system32\schtasks.exe
command line: schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\de-DE\smss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2260

[1] C:\Windows\system32\schtasks.exe
command line: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Windows\de-DE\smss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2280
Network
MITRE ATT&CK Enterprise v15
Downloads