Analysis
max time kernel: 150s
max time network: 149s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 30/12/2024, 04:24

The sample was queued against two environments. The signatures, process tree and dropped files below come from behavioral1, the Windows 7 x64 run, as the behavioral1/ prefixes on the YARA matches show; the Windows 10 run is a separate report.

Behavioral task: behavioral1
Sample: JaffaCakes118_b4e37e7ac118bb9393937345a48ef4e0b27c24e516baf675f187e1416d66c6d9.exe
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: JaffaCakes118_b4e37e7ac118bb9393937345a48ef4e0b27c24e516baf675f187e1416d66c6d9.exe
Resource: win10v2004-20241007-en
General
Target: JaffaCakes118_b4e37e7ac118bb9393937345a48ef4e0b27c24e516baf675f187e1416d66c6d9.exe
Size: 1.3MB
MD5: 770d1c4cb7c77341141b83eee8352d98
SHA1: 97b07ebc82744510332c8c451e78821d2a8a8ff3
SHA256: b4e37e7ac118bb9393937345a48ef4e0b27c24e516baf675f187e1416d66c6d9
SHA512: c160acca3ddec0ff01ce70f026982c1e9583d6dd4aa26de6fe9e3326706e75236cfac39a0715579264e683776ea3f25905a070385d2f60a4e71f5f748e479d17
SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures

DcRat
DarkCrystal RAT (DCRat) is a .NET remote access trojan, active since June 2019, that can load additional plugins.

Dcrat family

Process spawned unexpected child process (15 IoCs)
The sandbox's generic description for this signature is that the parent process was compromised via an exploit or macro. Read it with care here: the parent of all fifteen children is C:\Windows\system32\wbem\wmiprvse.exe (PID 2576, procid_target 32), the WMI provider host, and WmiPrvSE is what appears as the parent whenever a process is created through WMI (Win32_Process.Create). The likelier explanation is that the dropper issued its schtasks commands via WMI, which also keeps them from showing up under DllCommonsvc.exe in the process tree. The fifteen command lines are listed at the end of the Processes section.
child pids (all schtasks.exe, all with parent PID 2576): 2632, 2720, 2744, 2700, 2168, 2748, 2828, 2656, 2736, 2532, 2392, 628, 824, 1752, 2028
YARA matches (rule: dcrat)
behavioral1/files/0x0008000000016334-9.dat
behavioral1/memory/3048-13-0x0000000000AD0000-0x0000000000BE0000-memory.dmp
behavioral1/memory/1320-66-0x0000000000860000-0x0000000000970000-memory.dmp
behavioral1/memory/2616-125-0x00000000008E0000-0x00000000009F0000-memory.dmp
behavioral1/memory/2088-185-0x0000000000980000-0x0000000000A90000-memory.dmp
behavioral1/memory/1544-245-0x00000000010B0000-0x00000000011C0000-memory.dmp
behavioral1/memory/1092-306-0x0000000001210000-0x0000000001320000-memory.dmp
behavioral1/memory/1100-543-0x0000000000250000-0x0000000000360000-memory.dmp
Command and Scripting Interpreter: PowerShell (1 TTP, 6 IoCs)
The sandbox's generic description covers exclusions for file extensions, paths and processes; in this run every invocation is Add-MpPreference -ExclusionPath, one per location the dropper is about to copy itself to (see the six powershell.exe children of PID 3048 in the Processes section). The exclusions are added before the copies are written, so Defender never scans them.
pids (all powershell.exe): 1636, 2544, 1696, 2248, 1632, 1192
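The parser below is an added example, not part of the sandbox report or of DCRat: it pulls every path, process and extension excluded through Add-MpPreference or Set-MpPreference out of process-creation command lines, so an analyst can see at a glance what a dropper carved out of Defender. Its sample input is constructed: the six powershell.exe command lines from this report plus two made-up control records (PIDs 4200 and 4201), and the control records' values are assumptions.

```python
"""List Microsoft Defender exclusions added from PowerShell command lines.

Added example, not part of the sandbox report: a parser for the
Add-MpPreference / Set-MpPreference invocations in process-creation
records. SAMPLE_EVENTS is constructed: six entries are the powershell.exe
command lines from this report, the other two are made-up controls.
"""
import re
from dataclasses import dataclass

EXCLUSION_KINDS = ("ExclusionPath", "ExclusionProcess", "ExclusionExtension")

_CMDLET_RE = re.compile(r"\b(?:Add|Set)-MpPreference\b", re.IGNORECASE)
# -ExclusionPath 'value' | -ExclusionPath "value" | -ExclusionPath value
# A single parameter may carry a comma-separated list of values.
_PARAM_RE = re.compile(
    r"-(ExclusionPath|ExclusionProcess|ExclusionExtension)\s+"
    r"(?:'([^']*)'|\"([^\"]*)\"|(\S+))",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Exclusion:
    pid: int
    kind: str    # one of EXCLUSION_KINDS
    value: str


def extract_exclusions(events):
    """events: iterable of (pid, command_line). Returns the exclusions added."""
    found = []
    for pid, cmdline in events:
        if not _CMDLET_RE.search(cmdline):
            continue  # some other PowerShell command; not an exclusion change
        for m in _PARAM_RE.finditer(cmdline):
            kind = next(k for k in EXCLUSION_KINDS if k.lower() == m.group(1).lower())
            raw = m.group(2) or m.group(3) or m.group(4) or ""
            for value in (v.strip() for v in raw.split(",")):
                if value:
                    found.append(Exclusion(int(pid), kind, value))
    return found


def by_kind(exclusions):
    """{kind: sorted unique values}: what Defender stopped looking at."""
    grouped = {}
    for e in exclusions:
        grouped.setdefault(e.kind, set()).add(e.value)
    return {k: sorted(v) for k, v in grouped.items()}


# Constructed input. The first six are the command lines from this report
# (all children of PID 3048, DllCommonsvc.exe); the last two are made up.
SAMPLE_EVENTS = [
    (1636, "\"powershell\" -Command Add-MpPreference -ExclusionPath 'C:\\providercommon\\DllCommonsvc.exe'"),
    (2544, "\"powershell\" -Command Add-MpPreference -ExclusionPath 'C:\\Windows\\Tasks\\DllCommonsvc.exe'"),
    (1696, "\"powershell\" -Command Add-MpPreference -ExclusionPath 'C:\\Windows\\de-DE\\cmd.exe'"),
    (1192, "\"powershell\" -Command Add-MpPreference -ExclusionPath 'C:\\Program Files (x86)\\Windows Portable Devices\\spoolsv.exe'"),
    (1632, "\"powershell\" -Command Add-MpPreference -ExclusionPath 'C:\\Windows\\Registration\\dwm.exe'"),
    (2248, "\"powershell\" -Command Add-MpPreference -ExclusionPath 'C:\\Users\\Admin\\Cookies\\explorer.exe'"),
    # Control (made up): extension list plus a bare process name via Set-MpPreference.
    (4200, "\"powershell\" -Command Set-MpPreference -ExclusionExtension \"vbe,bat\" -ExclusionProcess notepad.exe"),
    # Control (made up): reads preferences only; must produce nothing.
    (4201, "\"powershell\" -Command Get-MpPreference"),
]


if __name__ == "__main__":
    for kind, values in by_kind(extract_exclusions(SAMPLE_EVENTS)).items():
        print(kind)
        for v in values:
            print("   ", v)
```

Run stand-alone it prints the exclusions grouped by kind; in a hunt, feed it the command lines of every powershell.exe creation event and diff the result against the exclusions your endpoint baseline allows. Note that the regex accepts bare (unquoted) values and comma-separated lists because both are valid to the cmdlet, so a sample that avoids quotes is still caught.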
Executes dropped EXE (10 IoCs)
3048 DllCommonsvc.exe; 1320, 2616, 2088, 1544, 1092, 2772, 2648, 2432, 1100 dwm.exe

Loads dropped DLL (2 IoCs)
2408 cmd.exe (two load events)
Legitimate hosting services abused for malware hosting/C2 (1 TTP, 9 IoCs)
Nine flows (4, 5, 9, 12, 16, 19, 23, 26, 30) to raw.githubusercontent.com. This page records only the host; the requested paths and responses are not included, so whether the flows fetched a payload, a configuration or nothing at all cannot be read from it.
Drops file in Program Files directory (2 IoCs)
File created  C:\Program Files (x86)\Windows Portable Devices\spoolsv.exe  (by DllCommonsvc.exe)
File created  C:\Program Files (x86)\Windows Portable Devices\f3b6ecef712a24  (by DllCommonsvc.exe)

Drops file in Windows directory (7 IoCs)
File created                  C:\Windows\Tasks\DllCommonsvc.exe  (by DllCommonsvc.exe)
File opened for modification  C:\Windows\Tasks\DllCommonsvc.exe  (by DllCommonsvc.exe)
File created                  C:\Windows\Tasks\a76d7bf15d8370  (by DllCommonsvc.exe)
File created                  C:\Windows\de-DE\cmd.exe  (by DllCommonsvc.exe)
File created                  C:\Windows\de-DE\ebf1f9fa8afd6d  (by DllCommonsvc.exe)
File created                  C:\Windows\Registration\dwm.exe  (by DllCommonsvc.exe)
File created                  C:\Windows\Registration\6cb0b6c459d5d3  (by DllCommonsvc.exe)

Each executable copy borrows the name of a Windows binary (spoolsv.exe, cmd.exe, dwm.exe) but is written to a directory where that binary does not live, and every copy is accompanied by a 14-hex-character companion file with no extension in the same directory. The Defender exclusions and scheduled tasks elsewhere in this report point at exactly these paths, plus C:\Users\Admin\Cookies\explorer.exe, whose creation the file signatures do not record.
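The classifier below is an added example, not part of the report: it takes file-creation paths and separates copies that masquerade as a Windows system binary (known name, wrong directory) from the companion marker files and everything else, then pairs each executable with the marker dropped beside it. KNOWN_SYSTEM_BINARIES is an illustrative subset of where those binaries ship, not a complete inventory, and the marker pattern is taken from the four companion files in this report.

```python
"""Classify dropped files: masqueraded system binaries and their companion markers.

Added example, not part of the sandbox report. KNOWN_SYSTEM_BINARIES maps a
Windows binary name to the directories it ships in (an illustrative subset
only). DROPPED is the file list from the "Drops file" signatures above.
"""
import ntpath
import re

KNOWN_SYSTEM_BINARIES = {
    "dwm.exe": {r"c:\windows\system32"},
    "spoolsv.exe": {r"c:\windows\system32"},
    "cmd.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "explorer.exe": {r"c:\windows", r"c:\windows\syswow64"},
}
# Companion file dropped beside each copy in this report: 14 lowercase hex chars, no extension.
_MARKER_RE = re.compile(r"^[0-9a-f]{14}$")


def classify_drop(path):
    """'expected' | 'masquerade' | 'marker' | 'other' for one created file."""
    directory, name = ntpath.split(path)
    directory, name = directory.lower().rstrip("\\"), name.lower()
    if name in KNOWN_SYSTEM_BINARIES:
        return "expected" if directory in KNOWN_SYSTEM_BINARIES[name] else "masquerade"
    if _MARKER_RE.match(name):
        return "marker"
    return "other"


def triage_drops(paths):
    """Group paths by verdict, preserving input order within each group."""
    groups = {}
    for p in paths:
        groups.setdefault(classify_drop(p), []).append(p)
    return groups


def staged_pairs(paths):
    """(exe, marker) pairs sharing a directory: one per staged payload copy."""
    by_dir = {}
    for p in paths:
        d, _ = ntpath.split(p)
        by_dir.setdefault(d.lower(), []).append(p)
    pairs = []
    for files in by_dir.values():
        exes = [f for f in files if f.lower().endswith(".exe")]
        markers = [f for f in files if classify_drop(f) == "marker"]
        pairs.extend((exe, marker) for exe in exes for marker in markers)
    return sorted(pairs)


# The nine created-file events from this report (the modification event omitted).
DROPPED = [
    r"C:\Program Files (x86)\Windows Portable Devices\spoolsv.exe",
    r"C:\Program Files (x86)\Windows Portable Devices\f3b6ecef712a24",
    r"C:\Windows\Tasks\DllCommonsvc.exe",
    r"C:\Windows\Tasks\a76d7bf15d8370",
    r"C:\Windows\de-DE\cmd.exe",
    r"C:\Windows\de-DE\ebf1f9fa8afd6d",
    r"C:\Windows\Registration\dwm.exe",
    r"C:\Windows\Registration\6cb0b6c459d5d3",
]


if __name__ == "__main__":
    for verdict, paths in triage_drops(DROPPED).items():
        print(verdict)
        for p in paths:
            print("   ", p)
    for exe, marker in staged_pairs(DROPPED):
        print("pair:", exe, "<->", marker)
```

Directory comparison is case-insensitive and exact, so C:\Windows\System32\dwm.exe is "expected" while C:\Windows\Registration\dwm.exe is a masquerade; DllCommonsvc.exe is not a Windows binary name and lands in "other", which is why the pairing step works on any .exe rather than only on masquerades.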
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of the victim, from which the host's geographical location can be inferred.
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  by JaffaCakes118_b4e37e7ac118bb9393937345a48ef4e0b27c24e516baf675f187e1416d66c6d9.exe, WScript.exe and cmd.exe
Scheduled Task/Job: Scheduled Task (1 TTP, 15 IoCs)
schtasks is often used by malware for persistence or to perform post-infection execution. The fifteen invocations here follow one template applied to five payload paths (C:\Windows\Tasks\DllCommonsvc.exe, C:\Windows\de-DE\cmd.exe, C:\Program Files (x86)\Windows Portable Devices\spoolsv.exe, C:\Windows\Registration\dwm.exe, C:\Users\Admin\Cookies\explorer.exe): for each path, one task every N minutes, one at logon with /rl HIGHEST, and a second every-N-minutes task with /rl HIGHEST, all created with /f. The full command lines are in the Processes section.
pids (all schtasks.exe): 824, 1752, 2656, 2168, 2392, 628, 2028, 2720, 2700, 2748, 2828, 2532, 2632, 2736, 2744
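The script below is an added example serving both the "Process spawned unexpected child process" and the "Scheduled Task" signatures; it is not part of the sandbox report. It parses schtasks /create command lines into a persistence plan (what runs, on which trigger, at which run level) and flags schtasks.exe launched from a parent outside an allow-list. ALLOWED_SCHTASKS_PARENTS is an assumption for the example; wmiprvse.exe is deliberately absent from it because it is the parent of anything created through WMI. The sample records are six command lines transcribed from this report (parent taken from the signature above) plus two made-up control records, PIDs 4100 and 4101.

```python
"""Triage schtasks.exe /create command lines and their parent process.

Added example, not part of the sandbox report. Parses /tn /sc /mo /tr /rl
into a persistence plan and flags schtasks.exe started by a parent outside
ALLOWED_SCHTASKS_PARENTS (an assumed allow-list for this example).
"""
import ntpath
from dataclasses import dataclass
from typing import Optional

# Assumed allow-list. wmiprvse.exe is left out on purpose: it is the parent of
# any process created through WMI (Win32_Process.Create).
ALLOWED_SCHTASKS_PARENTS = {"cmd.exe", "powershell.exe", "explorer.exe", "msiexec.exe"}
TASK_SWITCHES = ("/tn", "/sc", "/mo", "/tr", "/rl")


@dataclass(frozen=True)
class TaskCreate:
    pid: int
    parent: str              # basename of the parent image, lower-case
    name: str                # /tn
    schedule: str            # /sc
    modifier: Optional[str]  # /mo, None when absent
    run: str                 # /tr with the inner single quotes stripped
    run_level: str           # /rl; schtasks defaults to LIMITED
    unexpected_parent: bool


def _tokenize(cmdline):
    """Split a Windows command line on whitespace, keeping double-quoted runs together."""
    tokens, cur, quoted = [], [], False
    for ch in cmdline:
        if ch == '"':
            quoted = not quoted
        elif ch.isspace() and not quoted:
            if cur:
                tokens.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        tokens.append("".join(cur))
    return tokens


def parse_schtasks(pid, parent_image, cmdline):
    """TaskCreate for a 'schtasks /create' command line, None for anything else."""
    toks = _tokenize(cmdline)
    if not toks or ntpath.basename(toks[0]).lower() not in ("schtasks.exe", "schtasks"):
        return None
    lowered = [t.lower() for t in toks]
    if "/create" not in lowered:
        return None
    opts = {}
    i = 1
    while i < len(toks):
        if lowered[i] in TASK_SWITCHES and i + 1 < len(toks):
            opts[lowered[i]] = toks[i + 1]
            i += 2
        else:
            i += 1  # switch we do not care about (or its value)
    parent = ntpath.basename(parent_image).lower()
    return TaskCreate(
        pid=int(pid),
        parent=parent,
        name=opts.get("/tn", ""),
        schedule=opts.get("/sc", "").upper(),
        modifier=opts.get("/mo"),
        run=opts.get("/tr", "").strip("'"),
        run_level=opts.get("/rl", "LIMITED").upper(),
        unexpected_parent=parent not in ALLOWED_SCHTASKS_PARENTS,
    )


def triage(records):
    """records: iterable of (pid, parent_image, cmdline) -> list of TaskCreate."""
    return [t for t in (parse_schtasks(*r) for r in records) if t is not None]


def persistence_plan(tasks):
    """{target executable: [(task name, schedule, modifier, run level), ...]}"""
    plan = {}
    for t in tasks:
        plan.setdefault(t.run, []).append((t.name, t.schedule, t.modifier, t.run_level))
    return plan


# Constructed input: six records from this report plus two made-up controls.
WMI_HOST = "C:\\Windows\\system32\\wbem\\wmiprvse.exe"
SAMPLE_RECORDS = [
    (2632, WMI_HOST, 'schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 6 /tr "\'C:\\Windows\\Tasks\\DllCommonsvc.exe\'" /f'),
    (2720, WMI_HOST, 'schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "\'C:\\Windows\\Tasks\\DllCommonsvc.exe\'" /rl HIGHEST /f'),
    (2744, WMI_HOST, 'schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 13 /tr "\'C:\\Windows\\Tasks\\DllCommonsvc.exe\'" /rl HIGHEST /f'),
    (2532, WMI_HOST, 'schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "\'C:\\Windows\\Registration\\dwm.exe\'" /f'),
    (2392, WMI_HOST, 'schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "\'C:\\Windows\\Registration\\dwm.exe\'" /rl HIGHEST /f'),
    (628, WMI_HOST, 'schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "\'C:\\Windows\\Registration\\dwm.exe\'" /rl HIGHEST /f'),
    # Control (made up): an administrator's task created from cmd.exe.
    (4100, "C:\\Windows\\System32\\cmd.exe", 'schtasks.exe /create /tn "Backup" /sc DAILY /st 02:00 /tr "C:\\Scripts\\backup.cmd" /f'),
    # Control (made up): a query, not a creation; must be ignored.
    (4101, "C:\\Windows\\System32\\cmd.exe", 'schtasks.exe /query /tn "Backup"'),
]


if __name__ == "__main__":
    tasks = triage(SAMPLE_RECORDS)
    for t in tasks:
        flag = "UNEXPECTED PARENT " if t.unexpected_parent else ""
        print(f"{flag}{t.parent} -> schtasks {t.name!r} {t.schedule} {t.modifier or ''} {t.run_level} {t.run}")
    for target, entries in persistence_plan(tasks).items():
        print(target, entries)
```

Two details matter in practice: /tr values are unwrapped from the extra single quotes the dropper adds inside the double quotes (Task Scheduler passes them through, so the path on disk has no quotes), and a missing /rl is reported as LIMITED rather than left blank, so the HIGHEST tasks stand out in the plan.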
Suspicious behavior: EnumeratesProcesses (18 IoCs)
3048 DllCommonsvc.exe (3 events); 2248, 1192, 2544, 1632, 1696, 1636 powershell.exe; 1320, 2616, 2088, 1544, 1092, 2772, 2648, 2432, 1100 dwm.exe

Suspicious use of AdjustPrivilegeToken (16 IoCs)
Token: SeDebugPrivilege, enabled by 3048 DllCommonsvc.exe; 2248, 1192, 2544, 1632, 1696, 1636 powershell.exe; 1320, 2616, 2088, 1544, 1092, 2772, 2648, 2432, 1100 dwm.exe
Suspicious use of WriteProcessMemory (64 IoCs)
One row per distinct writer/target pair; "writes" is how many times the pair appears in the sandbox's list, which stops at 64 events (so the last pair shows a single write, and the chain continues below PID 1544 in the Processes section). procid_target is the sandbox's own index for the target process.

writer pid  target pid  writer process                                                                     procid_target  writes
1744        856         JaffaCakes118_b4e37e7ac118bb9393937345a48ef4e0b27c24e516baf675f187e1416d66c6d9.exe  28             4
856         2408        WScript.exe                                                                        29             4
2408        3048        cmd.exe                                                                            31             4
3048        1636        DllCommonsvc.exe                                                                   48             3
3048        2544        DllCommonsvc.exe                                                                   49             3
3048        1696        DllCommonsvc.exe                                                                   50             3
3048        1192        DllCommonsvc.exe                                                                   51             3
3048        1632        DllCommonsvc.exe                                                                   52             3
3048        2248        DllCommonsvc.exe                                                                   53             3
3048        1788        DllCommonsvc.exe                                                                   57             3
1788        2076        cmd.exe                                                                            62             3
1788        1320        cmd.exe                                                                            63             3
1320        2860        dwm.exe                                                                            66             3
2860        3064        cmd.exe                                                                            68             3
2860        2616        cmd.exe                                                                            69             3
2616        2204        dwm.exe                                                                            70             3
2204        2396        cmd.exe                                                                            72             3
2204        2088        cmd.exe                                                                            73             3
2088        1140        dwm.exe                                                                            74             3
1140        1924        cmd.exe                                                                            76             3
1140        1544        cmd.exe                                                                            77             1
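The script below is an added example, not part of the report: it rebuilds the process tree from rows in the sandbox's "wrote to memory" format, collapses the repeated rows into parent/child edges, finds the deepest chain and counts how many times a dwm.exe copy relaunches itself through cmd.exe along it. SAMPLE_ROWS is constructed from the rows above (a few duplicates are kept to exercise the dedupe); LEAF_IMAGES supplies names for processes that never write memory themselves and is taken from the Processes section.

```python
"""Rebuild the process tree from the sandbox's WriteProcessMemory rows.

Added example, not part of the report. The table lists one row per write,
so a parent that starts a child appears three or four times; this script
dedupes rows into parent->child edges, finds the deepest chain and counts
the dwm.exe -> cmd.exe -> dwm.exe relaunch hops along it.
"""
import re
from collections import defaultdict

# "PID <src> wrote to memory of <dst> <src> <src image> <sandbox index of dst>"
_ROW_RE = re.compile(
    r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) (?P<image>\S+) (?P<idx>\d+)"
)

# Constructed from the report's rows; duplicates kept for the first pairs only.
SAMPLE_ROWS = """
PID 1744 wrote to memory of 856 1744 JaffaCakes118_b4e37e7ac118bb9393937345a48ef4e0b27c24e516baf675f187e1416d66c6d9.exe 28
PID 1744 wrote to memory of 856 1744 JaffaCakes118_b4e37e7ac118bb9393937345a48ef4e0b27c24e516baf675f187e1416d66c6d9.exe 28
PID 856 wrote to memory of 2408 856 WScript.exe 29
PID 856 wrote to memory of 2408 856 WScript.exe 29
PID 2408 wrote to memory of 3048 2408 cmd.exe 31
PID 3048 wrote to memory of 1636 3048 DllCommonsvc.exe 48
PID 3048 wrote to memory of 2544 3048 DllCommonsvc.exe 49
PID 3048 wrote to memory of 1696 3048 DllCommonsvc.exe 50
PID 3048 wrote to memory of 1192 3048 DllCommonsvc.exe 51
PID 3048 wrote to memory of 1632 3048 DllCommonsvc.exe 52
PID 3048 wrote to memory of 2248 3048 DllCommonsvc.exe 53
PID 3048 wrote to memory of 1788 3048 DllCommonsvc.exe 57
PID 3048 wrote to memory of 1788 3048 DllCommonsvc.exe 57
PID 1788 wrote to memory of 2076 1788 cmd.exe 62
PID 1788 wrote to memory of 1320 1788 cmd.exe 63
PID 1320 wrote to memory of 2860 1320 dwm.exe 66
PID 2860 wrote to memory of 3064 2860 cmd.exe 68
PID 2860 wrote to memory of 2616 2860 cmd.exe 69
PID 2616 wrote to memory of 2204 2616 dwm.exe 70
PID 2204 wrote to memory of 2396 2204 cmd.exe 72
PID 2204 wrote to memory of 2088 2204 cmd.exe 73
PID 2088 wrote to memory of 1140 2088 dwm.exe 74
PID 1140 wrote to memory of 1924 1140 cmd.exe 76
PID 1140 wrote to memory of 1544 1140 cmd.exe 77
"""

# Names for processes that never appear as a writer (from the Processes section).
LEAF_IMAGES = {pid: "powershell.exe" for pid in (1636, 2544, 1696, 1192, 1632, 2248)}
LEAF_IMAGES.update({2076: "w32tm.exe", 3064: "w32tm.exe", 2396: "w32tm.exe",
                    1924: "w32tm.exe", 1544: "dwm.exe"})


def parse_rows(text):
    """-> (edges {(src, dst): sandbox index}, images {src pid: image}); duplicates collapse."""
    edges, images = {}, {}
    for line in text.splitlines():
        m = _ROW_RE.search(line)
        if m:
            edges.setdefault((int(m["src"]), int(m["dst"])), int(m["idx"]))
            images[int(m["src"])] = m["image"]
    return edges, images


def build_tree(edges):
    """Children lists, ordered by the sandbox index (process start order)."""
    children = defaultdict(list)
    for src, dst in sorted(edges, key=edges.get):
        children[src].append(dst)
    return children


def longest_chain(children, root):
    """Deepest root-to-leaf path; on equal depth the child started last wins."""
    best = [root]
    for child in children.get(root, ()):
        cand = [root] + longest_chain(children, child)
        if len(cand) >= len(best):
            best = cand
    return best


def relaunch_count(names, image="dwm.exe", via="cmd.exe"):
    """Number of image -> via -> image hops in a list of process names."""
    return sum(1 for i in range(len(names) - 2)
               if (names[i], names[i + 1], names[i + 2]) == (image, via, image))


def analyze(text, root=1744, leaf_images=LEAF_IMAGES):
    edges, images = parse_rows(text)
    images = {**leaf_images, **images}
    children = build_tree(edges)
    chain = longest_chain(children, root)
    names = [images.get(p, "?") for p in chain]
    return {
        "edges": len(edges),
        "depth": len(chain),
        "chain": chain,
        "chain_images": names,
        "relaunches": relaunch_count(names),
        "fan_out": {p: len(c) for p, c in children.items() if len(c) > 2},
    }


if __name__ == "__main__":
    result = analyze(SAMPLE_ROWS)
    for pid, name in zip(result["chain"], result["chain_images"]):
        print(f"{pid:>5}  {name}")
    print("depth", result["depth"], "relaunches", result["relaunches"], "fan-out", result["fan_out"])
```

The dedupe keeps the first sandbox index seen for each pair, which is also the order the children were started in, so the tree walk reproduces the Processes section's ordering. The fan-out entry singles out PID 3048 as the only process with more than two children: it is the stager, everything below it is the relaunch loop.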
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
The number in brackets is the depth in the tree; continuation lines give the command line and the signatures that fired for that process. WScript.exe shows the SysWOW64 image although the command names System32: the 32-bit dropper is subject to WoW64 file-system redirection. Each dwm.exe copy runs a temporary .bat via cmd.exe; the batch file calls w32tm /stripchart against localhost (two samples five seconds apart, which serves as a short delay) and then starts dwm.exe again, which is why the cmd.exe / w32tm.exe / dwm.exe pattern repeats down to depth 22. The fifteen schtasks.exe processes at the end are listed at depth 1 because their parent is wmiprvse.exe (see the "Process spawned unexpected child process" signature), not a process in the main tree.

[1] PID 1744  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b4e37e7ac118bb9393937345a48ef4e0b27c24e516baf675f187e1416d66c6d9.exe
    cmd:  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b4e37e7ac118bb9393937345a48ef4e0b27c24e516baf675f187e1416d66c6d9.exe"
    tags: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
 [2] PID 856  C:\Windows\SysWOW64\WScript.exe
     cmd:  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
     tags: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
  [3] PID 2408  C:\Windows\SysWOW64\cmd.exe
      cmd:  cmd /c ""C:\providercommon\1zu9dW.bat" "
      tags: Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
   [4] PID 3048  C:\providercommon\DllCommonsvc.exe
       cmd:  "C:\providercommon\DllCommonsvc.exe"
       tags: Executes dropped EXE; Drops file in Program Files directory; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    [5] PID 1636  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        cmd:  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        tags: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    [5] PID 2544  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        cmd:  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Tasks\DllCommonsvc.exe'
        tags: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    [5] PID 1696  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        cmd:  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\de-DE\cmd.exe'
        tags: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    [5] PID 1192  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        cmd:  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\spoolsv.exe'
        tags: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    [5] PID 1632  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        cmd:  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Registration\dwm.exe'
        tags: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    [5] PID 2248  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        cmd:  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Cookies\explorer.exe'
        tags: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    [5] PID 1788  C:\Windows\System32\cmd.exe
        cmd:  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wMvxJuE7fS.bat"
        tags: Suspicious use of WriteProcessMemory
     [6] PID 2076  C:\Windows\system32\w32tm.exe
         cmd:  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
     [6] PID 1320  C:\Windows\Registration\dwm.exe
         cmd:  "C:\Windows\Registration\dwm.exe"
         tags: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      [7] PID 2860  C:\Windows\System32\cmd.exe
          cmd:  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\P9uKrkSNlp.bat"
          tags: Suspicious use of WriteProcessMemory
       [8] PID 3064  C:\Windows\system32\w32tm.exe
           cmd:  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
       [8] PID 2616  C:\Windows\Registration\dwm.exe
           cmd:  "C:\Windows\Registration\dwm.exe"
           tags: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
        [9] PID 2204  C:\Windows\System32\cmd.exe
            cmd:  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lE88gYdR15.bat"
            tags: Suspicious use of WriteProcessMemory
         [10] PID 2396  C:\Windows\system32\w32tm.exe
              cmd:  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
         [10] PID 2088  C:\Windows\Registration\dwm.exe
              cmd:  "C:\Windows\Registration\dwm.exe"
              tags: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
          [11] PID 1140  C:\Windows\System32\cmd.exe
               cmd:  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zfOrxS71E3.bat"
               tags: Suspicious use of WriteProcessMemory
           [12] PID 1924  C:\Windows\system32\w32tm.exe
                cmd:  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
           [12] PID 1544  C:\Windows\Registration\dwm.exe
                cmd:  "C:\Windows\Registration\dwm.exe"
                tags: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
            [13] PID 2932  C:\Windows\System32\cmd.exe
                 cmd:  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\D6YKtyItKL.bat"
             [14] PID 876  C:\Windows\system32\w32tm.exe
                  cmd:  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
             [14] PID 1092  C:\Windows\Registration\dwm.exe
                  cmd:  "C:\Windows\Registration\dwm.exe"
                  tags: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
              [15] PID 3036  C:\Windows\System32\cmd.exe
                   cmd:  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6VAw4LgrmW.bat"
               [16] PID 3012  C:\Windows\system32\w32tm.exe
                    cmd:  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
               [16] PID 2772  C:\Windows\Registration\dwm.exe
                    cmd:  "C:\Windows\Registration\dwm.exe"
                    tags: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
                [17] PID 692  C:\Windows\System32\cmd.exe
                     cmd:  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AvSbArq942.bat"
                 [18] PID 288  C:\Windows\system32\w32tm.exe
                      cmd:  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                 [18] PID 2648  C:\Windows\Registration\dwm.exe
                      cmd:  "C:\Windows\Registration\dwm.exe"
                      tags: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
                  [19] PID 3052  C:\Windows\System32\cmd.exe
                       cmd:  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VhvmsyECnd.bat"
                   [20] PID 2032  C:\Windows\system32\w32tm.exe
                        cmd:  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                   [20] PID 2432  C:\Windows\Registration\dwm.exe
                        cmd:  "C:\Windows\Registration\dwm.exe"
                        tags: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
                    [21] PID 2476  C:\Windows\System32\cmd.exe
                         cmd:  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EqBdbgL5Ji.bat"
                     [22] PID 1988  C:\Windows\system32\w32tm.exe
                          cmd:  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                     [22] PID 1100  C:\Windows\Registration\dwm.exe
                          cmd:  "C:\Windows\Registration\dwm.exe"
                          tags: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

Scheduled-task creations (parent: wmiprvse.exe, PID 2576; every entry is C:\Windows\system32\schtasks.exe and carries the tags "Process spawned unexpected child process" and "Scheduled Task/Job: Scheduled Task")
[1] PID 2632  schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 6 /tr "'C:\Windows\Tasks\DllCommonsvc.exe'" /f
[1] PID 2720  schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Windows\Tasks\DllCommonsvc.exe'" /rl HIGHEST /f
[1] PID 2744  schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 13 /tr "'C:\Windows\Tasks\DllCommonsvc.exe'" /rl HIGHEST /f
[1] PID 2700  schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\Windows\de-DE\cmd.exe'" /f
[1] PID 2168  schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\de-DE\cmd.exe'" /rl HIGHEST /f
[1] PID 2748  schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Windows\de-DE\cmd.exe'" /rl HIGHEST /f
[1] PID 2828  schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Portable Devices\spoolsv.exe'" /f
[1] PID 2656  schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\spoolsv.exe'" /rl HIGHEST /f
[1] PID 2736  schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Portable Devices\spoolsv.exe'" /rl HIGHEST /f
[1] PID 2532  schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Windows\Registration\dwm.exe'" /f
[1] PID 2392  schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\Registration\dwm.exe'" /rl HIGHEST /f
[1] PID 628  schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Windows\Registration\dwm.exe'" /rl HIGHEST /f
[1] PID 824  schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Cookies\explorer.exe'" /f
[1] PID 1752  schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Admin\Cookies\explorer.exe'" /rl HIGHEST /f
[1] PID 2028  schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Cookies\explorer.exe'" /rl HIGHEST /f

Note that the second MINUTE task for each payload reuses the name of the first (DllCommonsvcD, cmdc, spoolsvs, dwmd, explorere) and is created with /f, so it overwrites the earlier, lower-privilege definition; what remains per payload is one ONLOGON task and one every-N-minutes task, both at HIGHEST run level.
MITRE ATT&CK Enterprise v15
Downloads
Files the sandbox captured during the run. The same CryptnetUrlCache metadata path appears eight times because eight successive versions of that file were written; the entries that carry no path are listed as the report gives them, without one.

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 9aab1ba69e3584ca4b18aa806491bd64
SHA1: 911a39f96795aff2679ec17e344c8afabb78cf81
SHA256: cd2bc65889e111085da4ce67409d2925565f141fdcbdab218d5fc33788007f90
SHA512: 157e524091dd555d1529c511c4204fcc2fb6b3ff493302a185ab18dd075607e8d8f9995cff6daeb6e04e64d71c3f3afbb5097320ad91f55a1ffce78bd380d0dd

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 854269d8dda512aa1a115f8bdf933117
SHA1: 2a551407994dd817468f6487e969579e89ec849c
SHA256: 64bbe52ae1c2945001459ac320a1ce6e5c9b5cb4b3da5b4c1490a01f5b6574f3
SHA512: 04bee9a7aa7a60b37adce7ad3fac387da8bc9db5d1abf2af3cd7e768ca4139bae47aab0de7509b082c1652f3aadaa1c19647ceba8417f6ce81978e896a9ae6a4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: f5b51b57df58af41a213c41b759dba34
SHA1: 0f99c8a9095b380108c4d64ae403afd715b63a54
SHA256: f8bcc7f44020ae95b957126d7ca89aa92ff0d8a3d78ae75826669df42aa7b0d3
SHA512: 4e00d64b20b32664e21b50fa9e1d5984cd71dd6c6aa71352d551f749406ca0745ff238cb988c8efaef83abf3261c25e6fe7dfbec496bfc98a3a10e9517b1defd

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: a8d2e0e4661c098f80dbecb0bd525d31
SHA1: 474b6349dea2162ce655c08725945e01e985c909
SHA256: 108a940390aed971d7f3c69336a09107ff8bc78fc4f3e8e3f982cf9c85fdea8e
SHA512: 52d10495c155b8b1ada2fd32fe04789d3d0a8ec301bf0a3c82b9741212239eca3cd97e39aacc2d879d3d26d966ee89b79357c2bd882791fefbf5b146f478742d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: fa83c8c56819a411c33ce9eb76f859cc
SHA1: a780fc40e3b6a1388b0a6876e5c27a18e2f40bb1
SHA256: 42b947f462e83dbe0420cc8a4bd1066defa25aa45f108a76a395b9c7514b5670
SHA512: 44d362f287b4678ed366bd1a55aa07fa9ab62e9ba73f432d0ade341e2b921ea27fca8ba4c86e16096c8d888b570d9670695a3db14666b5f517b41ae198711288

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 95481cebc8ee467d0c4a7a7e3b3004ab
SHA1: 30427c18b93bfffd585fcbce5a6fbbcc561eabbe
SHA256: c16d95771a0586cc855d51354b14221924ba0cc418af0bcb794b531259510fe3
SHA512: 251d466ff52467497079f44c66611459559768d2a2737251ea605dcd95caabc1bfd7c4a25e9906910538004a9787805ee0eceb406882fd0df214d2b80f3b4359

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: a064165a1141734e503058f9a9c06b99
SHA1: db1939b5b2c9a57ae0e891f9542ebbc29345cd57
SHA256: 419ddf4851cd9ce412ce2b146127e3e061e55c29edab34f0dc72fd510cbd02ca
SHA512: 795b624033aab6f7572b4c0b2d739ee7d3888c4d0867ec1c3f1ba393271a07d7b21b25f5a1a81ee3765504fcd7649980152953c8ffe93cbf59d7f4c99a4b0118

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 3e49eed2814144d69e6335561034635a
SHA1: 8fcaefcee80a909216510e5da3a43e34cbf09d6f
SHA256: f8ed5080c910a27e14901055bf697b15d7be2c389ccdce3813d5b7f0502f0001
SHA512: 6474b21e2f5410cd3811144d322d9a34f9cccb9e8b32085200607d8281a5481e4d0be2db6134ec56c15b88b3d5d867d246b799cde54d09555ae4a4c78fd168c3

Filesize: 196B
MD5: 8828d3001a0bc750c6ca5c3d1750f602
SHA1: d9bbff3dd358aceecd25723276bd6ab94c1b3dfe
SHA256: 43758a38de73043fe1e4055d12ede4e1bcbe60c29205984fb3678f077ccea9a4
SHA512: 6d1edf6537b292d37978bd319b78487414d01ed6e6e47c90247b222281d35e5d13eca61a678f78c087bf770b766c142b0bc9b8ffe46b5e5f227c1139d45d502b

Filesize: 196B
MD5: 454122dc9b11b5202b32dc8ea693f6d9
SHA1: 7dbb76d0c2e0be65d3c99474d762c464033b4fe2
SHA256: 8dfc17bfc8e3042c9a7e24b42451a2ae87e5591425c7bafdcd1a554ef73b1860
SHA512: b3bc7ed78f76c4e35b0135f31a68f92a8444274c57b7d4b53b84be675066b27d2966c5a6dd10bcd8d78e2dbde72969d5ff4d88081e0b5b1481d92077d2a4b94b

Filesize: 70KB
MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1: 1723be06719828dda65ad804298d0431f6aff976
SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Filesize: 196B
MD5: fd54f31de65c5654672e2170442f3ee2
SHA1: 1d2410cd89e3d2eeb9fa5f7f34bbd79890305d38
SHA256: 7942b38b742dfd4d908021ce93344c984a0c8119a85998b3682a3ae8fdea2212
SHA512: 6250001f8bde11b5b7e1112b0fdddba377c40bda6c0f81637eab7b839b036c1228c7874a48846c61b4c2f43173dc789f89b9b10bbb915b50500eb4d6443e3ce9

Filesize: 196B
MD5: 32d1a380cde782e33348fe41f3a2fc05
SHA1: dc0dfe476776a6f127034e4fa83bcdc56e14cbed
SHA256: 2da2cc9f80084c9bbad7e4a6630a29933f13c0a7d64382fc15993e6ccd8e28f9
SHA512: 3d39b359b292c10cb3c50cd47ba8493ed667c3ba4e96536c8bf21ded0f353ce6c676daa6d129fc5eeed8d0ae2878e1ce305555b778c6890d613e1db737758cd1

Filesize: 196B
MD5: d53323c37163d44f466d4d16a878256c
SHA1: 1d1dbd255fc64de89d438c5591526a716bf2b9c9
SHA256: 157a39bcd1360d9d5f6f4bd4aec904c1b3f5517295d3f6ce6ca3ee09875ff9fe
SHA512: 07238cc0d71f123cf0a97ae535dd4f93bef421c7949bbbcef40c2015a9c952903eb660d9a71f34cc1d96158d04516ccc03ac0c75b693915d266ab039e71f0ed0

Filesize: 181KB
MD5: 4ea6026cf93ec6338144661bf1202cd1
SHA1: a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256: 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512: 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Filesize: 196B
MD5: 1b30d068361ca4e331ac879ba28010c2
SHA1: 8d2ebfabcab30d645517cc742420b58cffd34bbe
SHA256: c071526ae4d681f8b83ed496124b783e383955083719fad85e36e763e3697f2a
SHA512: 7c34035f90e0eba755400edc3af43220fbaf93e1e098604b27757e890f7717c1e52182bba326faacbf1c2d0169e5ffe49db5527ea1a2fff2eb6e43038529e460

Filesize: 196B
MD5: 7cba9954f518d22b842b7e5956019bc0
SHA1: cd62dc7bbb6c48eb8207894d6a213379f7e4b84b
SHA256: 7278f9112468781fb68ce9cf9c9c231e78607c08ebce94e6a58aa8dfa63d54b4
SHA512: 60e998b4093244e44d41f4dd31441b3eb33e6316b1580bbab070519600780df7a0b3897a79c011c802bfb1127bb9ee7c521cd26e25efa0e02a55327697573a49

Filesize: 196B
MD5: d70dc6e5696cde68608d8f92950920c9
SHA1: 0dbda9a82922c35f5671ef78364c648f6895c89f
SHA256: 7b22e0e39ef0f0b484cac43713b3a6a4a784a87af78bca5423a33430521827a6
SHA512: c0aa64b616b97ffc4d47f0caa947d7bf39f785caa2d7e95acac190617fb30512ca4d46d516ecbe376d226188864859a0735b2e63ddf5454b6872cce208c7002c

Filesize: 196B
MD5: 15c32c07d78ef88454940759c671c811
SHA1: 65028bd80ce83a06c40daf39eb67c7d789bf6b16
SHA256: 222508fba5680cf9dc795b02da1e1ff593dcd8b5d666d8b01398a2a16e40065a
SHA512: 1011b6201ce142c473402b54fd9104ca141fbac3811a08550e9e984718fb1be9e041f478ac0ba9c54f3147faf999fe1157e6b81c45866dfb53b11ced0581c014

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize: 7KB
MD5: ae583973d635165b6e5192283d987ebd
SHA1: 275414b184abecae367cf6cb08be7093f34c303d
SHA256: 7708bd611ae9f25478fd9c86322bc1741da0154cc8e3ab2b1037c6dca679a484
SHA512: 4149e79196be86d8f7e89545dbd31c82423a0f243f65dda09067503de2f5bc8f895ae4d105b47d3195d8d8cc1665e27aaf1d7ce79001ac9d6be3949cb8689c57

Filesize: 36B
MD5: 6783c3ee07c7d151ceac57f1f9c8bed7
SHA1: 17468f98f95bf504cc1f83c49e49a78526b3ea03
SHA256: 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512: c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Filesize: 197B
MD5: 8088241160261560a02c84025d107592
SHA1: 083121f7027557570994c9fc211df61730455bb5
SHA256: 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA512: 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Filesize: 1.0MB
MD5: bd31e94b4143c4ce49c17d3af46bcad0
SHA1: f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256: b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512: f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394