Analysis
max time kernel: 150s
max time network: 150s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 30/12/2024, 17:41

Behavioral task: behavioral1
Sample: JaffaCakes118_3afdc1049eae3e0b40d944915e52d52d293b450e150b66b095fde82271501428.exe
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: JaffaCakes118_3afdc1049eae3e0b40d944915e52d52d293b450e150b66b095fde82271501428.exe
Resource: win10v2004-20241007-en

General
Target: JaffaCakes118_3afdc1049eae3e0b40d944915e52d52d293b450e150b66b095fde82271501428.exe
Size: 1.3MB
MD5: 71307fc13b2659f3cdc5e19f3823d738
SHA1: 3d63ad7172e5fe0f607d1ca5575c3cf772bbaac6
SHA256: 3afdc1049eae3e0b40d944915e52d52d293b450e150b66b095fde82271501428
SHA512: 07192db7b6c744868c70712bd8629b64d067ff150a2029394cf5fff2319e7171088c709204f45367329bf775f898608e7dea2008d3a448d471da394524259c10
SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 15 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2672 | 2540 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1796 | 2540 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2276 | 2540 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1896 | 2540 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 296 | 2540 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2584 | 2540 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1460 | 2540 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2236 | 2540 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2960 | 2540 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2780 | 2540 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2864 | 2540 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2868 | 2540 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2616 | 2540 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1096 | 2540 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1160 | 2540 | schtasks.exe | 35
resource | yara_rule
behavioral1/files/0x0008000000016d2e-10.dat | dcrat
behavioral1/memory/2120-13-0x0000000000870000-0x0000000000980000-memory.dmp | dcrat
behavioral1/memory/1348-34-0x0000000001310000-0x0000000001420000-memory.dmp | dcrat
behavioral1/memory/2936-539-0x00000000013D0000-0x00000000014E0000-memory.dmp | dcrat
behavioral1/memory/1732-599-0x00000000003F0000-0x0000000000500000-memory.dmp | dcrat
behavioral1/memory/1780-659-0x0000000000CF0000-0x0000000000E00000-memory.dmp | dcrat
Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
pid | Process
3060 | powershell.exe
2224 | powershell.exe
2968 | powershell.exe
576 | powershell.exe
2424 | powershell.exe
2956 | powershell.exe
Executes dropped EXE 13 IoCs
pid | Process
2120 | DllCommonsvc.exe
1348 | cmd.exe
2704 | cmd.exe
2372 | cmd.exe
2776 | cmd.exe
1592 | cmd.exe
1612 | cmd.exe
1676 | cmd.exe
1156 | cmd.exe
2936 | cmd.exe
1732 | cmd.exe
1780 | cmd.exe
844 | cmd.exe
Loads dropped DLL 2 IoCs
pid | Process
2744 | cmd.exe
2744 | cmd.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs
flow | ioc
4 | raw.githubusercontent.com
5 | raw.githubusercontent.com
9 | raw.githubusercontent.com
22 | raw.githubusercontent.com
38 | raw.githubusercontent.com
35 | raw.githubusercontent.com
13 | raw.githubusercontent.com
16 | raw.githubusercontent.com
19 | raw.githubusercontent.com
25 | raw.githubusercontent.com
29 | raw.githubusercontent.com
32 | raw.githubusercontent.com
Drops file in Program Files directory 2 IoCs
description | ioc | Process
File created | C:\Program Files (x86)\Microsoft Synchronization Services\cmd.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\Microsoft Synchronization Services\ebf1f9fa8afd6d | DllCommonsvc.exe
Drops file in Windows directory 2 IoCs
description | ioc | Process
File created | C:\Windows\Resources\Themes\Aero\de-DE\taskhost.exe | DllCommonsvc.exe
File created | C:\Windows\Resources\Themes\Aero\de-DE\b75386f1303e64 | DllCommonsvc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_3afdc1049eae3e0b40d944915e52d52d293b450e150b66b095fde82271501428.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
2780 | schtasks.exe
2868 | schtasks.exe
2276 | schtasks.exe
1460 | schtasks.exe
296 | schtasks.exe
2584 | schtasks.exe
2960 | schtasks.exe
2864 | schtasks.exe
1096 | schtasks.exe
2672 | schtasks.exe
1796 | schtasks.exe
1896 | schtasks.exe
2236 | schtasks.exe
2616 | schtasks.exe
1160 | schtasks.exe
Suspicious behavior: EnumeratesProcesses 19 IoCs
pid | Process
2120 | DllCommonsvc.exe
2224 | powershell.exe
2968 | powershell.exe
3060 | powershell.exe
576 | powershell.exe
2424 | powershell.exe
2956 | powershell.exe
1348 | cmd.exe
2704 | cmd.exe
2372 | cmd.exe
2776 | cmd.exe
1592 | cmd.exe
1612 | cmd.exe
1676 | cmd.exe
1156 | cmd.exe
2936 | cmd.exe
1732 | cmd.exe
1780 | cmd.exe
844 | cmd.exe
Suspicious use of AdjustPrivilegeToken 19 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2120 | DllCommonsvc.exe
Token: SeDebugPrivilege | 2224 | powershell.exe
Token: SeDebugPrivilege | 2968 | powershell.exe
Token: SeDebugPrivilege | 3060 | powershell.exe
Token: SeDebugPrivilege | 1348 | cmd.exe
Token: SeDebugPrivilege | 2424 | powershell.exe
Token: SeDebugPrivilege | 576 | powershell.exe
Token: SeDebugPrivilege | 2956 | powershell.exe
Token: SeDebugPrivilege | 2704 | cmd.exe
Token: SeDebugPrivilege | 2372 | cmd.exe
Token: SeDebugPrivilege | 2776 | cmd.exe
Token: SeDebugPrivilege | 1592 | cmd.exe
Token: SeDebugPrivilege | 1612 | cmd.exe
Token: SeDebugPrivilege | 1676 | cmd.exe
Token: SeDebugPrivilege | 1156 | cmd.exe
Token: SeDebugPrivilege | 2936 | cmd.exe
Token: SeDebugPrivilege | 1732 | cmd.exe
Token: SeDebugPrivilege | 1780 | cmd.exe
Token: SeDebugPrivilege | 844 | cmd.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 1508 wrote to memory of 1856 | 1508 | JaffaCakes118_3afdc1049eae3e0b40d944915e52d52d293b450e150b66b095fde82271501428.exe | 31
PID 1508 wrote to memory of 1856 | 1508 | JaffaCakes118_3afdc1049eae3e0b40d944915e52d52d293b450e150b66b095fde82271501428.exe | 31
PID 1508 wrote to memory of 1856 | 1508 | JaffaCakes118_3afdc1049eae3e0b40d944915e52d52d293b450e150b66b095fde82271501428.exe | 31
PID 1508 wrote to memory of 1856 | 1508 | JaffaCakes118_3afdc1049eae3e0b40d944915e52d52d293b450e150b66b095fde82271501428.exe | 31
PID 1856 wrote to memory of 2744 | 1856 | WScript.exe | 32
PID 1856 wrote to memory of 2744 | 1856 | WScript.exe | 32
PID 1856 wrote to memory of 2744 | 1856 | WScript.exe | 32
PID 1856 wrote to memory of 2744 | 1856 | WScript.exe | 32
PID 2744 wrote to memory of 2120 | 2744 | cmd.exe | 34
PID 2744 wrote to memory of 2120 | 2744 | cmd.exe | 34
PID 2744 wrote to memory of 2120 | 2744 | cmd.exe | 34
PID 2744 wrote to memory of 2120 | 2744 | cmd.exe | 34
PID 2120 wrote to memory of 2956 | 2120 | DllCommonsvc.exe | 51
PID 2120 wrote to memory of 2956 | 2120 | DllCommonsvc.exe | 51
PID 2120 wrote to memory of 2956 | 2120 | DllCommonsvc.exe | 51
PID 2120 wrote to memory of 3060 | 2120 | DllCommonsvc.exe | 52
PID 2120 wrote to memory of 3060 | 2120 | DllCommonsvc.exe | 52
PID 2120 wrote to memory of 3060 | 2120 | DllCommonsvc.exe | 52
PID 2120 wrote to memory of 2224 | 2120 | DllCommonsvc.exe | 53
PID 2120 wrote to memory of 2224 | 2120 | DllCommonsvc.exe | 53
PID 2120 wrote to memory of 2224 | 2120 | DllCommonsvc.exe | 53
PID 2120 wrote to memory of 2968 | 2120 | DllCommonsvc.exe | 54
PID 2120 wrote to memory of 2968 | 2120 | DllCommonsvc.exe | 54
PID 2120 wrote to memory of 2968 | 2120 | DllCommonsvc.exe | 54
PID 2120 wrote to memory of 576 | 2120 | DllCommonsvc.exe | 55
PID 2120 wrote to memory of 576 | 2120 | DllCommonsvc.exe | 55
PID 2120 wrote to memory of 576 | 2120 | DllCommonsvc.exe | 55
PID 2120 wrote to memory of 2424 | 2120 | DllCommonsvc.exe | 56
PID 2120 wrote to memory of 2424 | 2120 | DllCommonsvc.exe | 56
PID 2120 wrote to memory of 2424 | 2120 | DllCommonsvc.exe | 56
PID 2120 wrote to memory of 1348 | 2120 | DllCommonsvc.exe | 63
PID 2120 wrote to memory of 1348 | 2120 | DllCommonsvc.exe | 63
PID 2120 wrote to memory of 1348 | 2120 | DllCommonsvc.exe | 63
PID 1348 wrote to memory of 2856 | 1348 | cmd.exe | 64
PID 1348 wrote to memory of 2856 | 1348 | cmd.exe | 64
PID 1348 wrote to memory of 2856 | 1348 | cmd.exe | 64
PID 2856 wrote to memory of 2280 | 2856 | cmd.exe | 66
PID 2856 wrote to memory of 2280 | 2856 | cmd.exe | 66
PID 2856 wrote to memory of 2280 | 2856 | cmd.exe | 66
PID 2856 wrote to memory of 2704 | 2856 | cmd.exe | 67
PID 2856 wrote to memory of 2704 | 2856 | cmd.exe | 67
PID 2856 wrote to memory of 2704 | 2856 | cmd.exe | 67
PID 2704 wrote to memory of 1816 | 2704 | cmd.exe | 68
PID 2704 wrote to memory of 1816 | 2704 | cmd.exe | 68
PID 2704 wrote to memory of 1816 | 2704 | cmd.exe | 68
PID 1816 wrote to memory of 2848 | 1816 | cmd.exe | 70
PID 1816 wrote to memory of 2848 | 1816 | cmd.exe | 70
PID 1816 wrote to memory of 2848 | 1816 | cmd.exe | 70
PID 1816 wrote to memory of 2372 | 1816 | cmd.exe | 71
PID 1816 wrote to memory of 2372 | 1816 | cmd.exe | 71
PID 1816 wrote to memory of 2372 | 1816 | cmd.exe | 71
PID 2372 wrote to memory of 552 | 2372 | cmd.exe | 72
PID 2372 wrote to memory of 552 | 2372 | cmd.exe | 72
PID 2372 wrote to memory of 552 | 2372 | cmd.exe | 72
PID 552 wrote to memory of 3060 | 552 | cmd.exe | 74
PID 552 wrote to memory of 3060 | 552 | cmd.exe | 74
PID 552 wrote to memory of 3060 | 552 | cmd.exe | 74
PID 552 wrote to memory of 2776 | 552 | cmd.exe | 75
PID 552 wrote to memory of 2776 | 552 | cmd.exe | 75
PID 552 wrote to memory of 2776 | 552 | cmd.exe | 75
PID 2776 wrote to memory of 1428 | 2776 | cmd.exe | 76
PID 2776 wrote to memory of 1428 | 2776 | cmd.exe | 76
PID 2776 wrote to memory of 1428 | 2776 | cmd.exe | 76
PID 1428 wrote to memory of 1820 | 1428 | cmd.exe | 78
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
Level 1: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3afdc1049eae3e0b40d944915e52d52d293b450e150b66b095fde82271501428.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3afdc1049eae3e0b40d944915e52d52d293b450e150b66b095fde82271501428.exe"
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 1508

Level 2: C:\Windows\SysWOW64\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 1856

Level 3: C:\Windows\SysWOW64\cmd.exe
Command line: cmd /c ""C:\providercommon\1zu9dW.bat" "
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 2744

Level 4: C:\providercommon\DllCommonsvc.exe
Command line: "C:\providercommon\DllCommonsvc.exe"
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 2120

Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2956

Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\csrss.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 3060

Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Synchronization Services\cmd.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2224

Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\explorer.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2968

Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\Aero\de-DE\taskhost.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 576

Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\Idle.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2424

Level 5: C:\Program Files (x86)\Microsoft Synchronization Services\cmd.exe
Command line: "C:\Program Files (x86)\Microsoft Synchronization Services\cmd.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 1348

Level 6: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DemtbJLPzJ.bat"
- Suspicious use of WriteProcessMemory
PID: 2856

Level 7: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 2280

Level 7: C:\Program Files (x86)\Microsoft Synchronization Services\cmd.exe
Command line: "C:\Program Files (x86)\Microsoft Synchronization Services\cmd.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 2704

Level 8: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\d5cQTyHbvx.bat"
- Suspicious use of WriteProcessMemory
PID: 1816

Level 9: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 2848

Level 9: C:\Program Files (x86)\Microsoft Synchronization Services\cmd.exe
Command line: "C:\Program Files (x86)\Microsoft Synchronization Services\cmd.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 2372

Level 10: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qwHeC7tSxv.bat"
- Suspicious use of WriteProcessMemory
PID: 552

Level 11: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 3060

Level 11: C:\Program Files (x86)\Microsoft Synchronization Services\cmd.exe
Command line: "C:\Program Files (x86)\Microsoft Synchronization Services\cmd.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 2776

Level 12: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tDjG3X7WPV.bat"
- Suspicious use of WriteProcessMemory
PID: 1428

Level 13: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 1820

Level 13: C:\Program Files (x86)\Microsoft Synchronization Services\cmd.exe
Command line: "C:\Program Files (x86)\Microsoft Synchronization Services\cmd.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1592

Level 14: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0xFiNVDkrN.bat"
PID: 548

Level 15: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 1364

Level 15: C:\Program Files (x86)\Microsoft Synchronization Services\cmd.exe
Command line: "C:\Program Files (x86)\Microsoft Synchronization Services\cmd.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1612

Level 16: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7aJ3FmDw0K.bat"
PID: 2732

Level 17: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 1764

Level 17: C:\Program Files (x86)\Microsoft Synchronization Services\cmd.exe
Command line: "C:\Program Files (x86)\Microsoft Synchronization Services\cmd.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1676

Level 18: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sodlpYYBfa.bat"
PID: 884

Level 19: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 1376

Level 19: C:\Program Files (x86)\Microsoft Synchronization Services\cmd.exe
Command line: "C:\Program Files (x86)\Microsoft Synchronization Services\cmd.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1156

Level 20: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cYhs0sn2L6.bat"
PID: 1616

Level 21: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 1812

Level 21: C:\Program Files (x86)\Microsoft Synchronization Services\cmd.exe
Command line: "C:\Program Files (x86)\Microsoft Synchronization Services\cmd.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2936

Level 22: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UMVEid32eq.bat"
PID: 2720

Level 23: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 2744

Level 23: C:\Program Files (x86)\Microsoft Synchronization Services\cmd.exe
Command line: "C:\Program Files (x86)\Microsoft Synchronization Services\cmd.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1732

Level 24: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3Bw8qtkvcA.bat"
PID: 2420

Level 25: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 2500

Level 25: C:\Program Files (x86)\Microsoft Synchronization Services\cmd.exe
Command line: "C:\Program Files (x86)\Microsoft Synchronization Services\cmd.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1780

Level 26: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\esvfELjyVS.bat"
PID: 2660

Level 27: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 2096

Level 27: C:\Program Files (x86)\Microsoft Synchronization Services\cmd.exe
Command line: "C:\Program Files (x86)\Microsoft Synchronization Services\cmd.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 844

Level 28: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cnsnMHUbNI.bat"
PID: 3032

Level 29: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 1932
Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\csrss.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2672

Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 1796

Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2276

Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\cmd.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 1896

Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\cmd.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 296

Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\cmd.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2584

Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\explorer.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 1460

Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2236

Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2960

Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Windows\Resources\Themes\Aero\de-DE\taskhost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2780

Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\Resources\Themes\Aero\de-DE\taskhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2864

Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Windows\Resources\Themes\Aero\de-DE\taskhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2868

Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\providercommon\Idle.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2616

Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 1096

Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 1160
MITRE ATT&CK Enterprise v15
Downloads