Analysis
max time kernel: 145s
max time network: 145s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 30/12/2024, 17:17

Behavioral task: behavioral1
Sample: JaffaCakes118_5e218f93ff7c0f24a3d39b6ecb07d850d8b144f2ca610b2e543e0448c1993cf6.exe
Resource: win7-20241010-en

Behavioral task: behavioral2
Sample: JaffaCakes118_5e218f93ff7c0f24a3d39b6ecb07d850d8b144f2ca610b2e543e0448c1993cf6.exe
Resource: win10v2004-20241007-en

General
Target: JaffaCakes118_5e218f93ff7c0f24a3d39b6ecb07d850d8b144f2ca610b2e543e0448c1993cf6.exe
Size: 1.3MB
MD5: aa32aecefe43d28a45894c3ef3c49b8a
SHA1: 7dfdff161eb2bd11a1445091caa7c32752d3320e
SHA256: 5e218f93ff7c0f24a3d39b6ecb07d850d8b144f2ca610b2e543e0448c1993cf6
SHA512: 4ad6a52db6664aaad9a59640d4bd48d331fecb7cecee5b0aa65afbcfcc9809ac1c3a66ccf66ecd68e108b7d8e07b39e90304e7ffa3f01445f8a06429bfe31b61
SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config

Signatures

- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

- Dcrat family

- Process spawned unexpected child process (15 IoCs)
  This typically indicates the parent process was compromised via an exploit or macro.
  description | pid | pid_target | Process | procid_target
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2876 | 2976 | schtasks.exe | 34
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2800 | 2976 | schtasks.exe | 34
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2880 | 2976 | schtasks.exe | 34
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2536 | 2976 | schtasks.exe | 34
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2380 | 2976 | schtasks.exe | 34
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1944 | 2976 | schtasks.exe | 34
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 940 | 2976 | schtasks.exe | 34
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1040 | 2976 | schtasks.exe | 34
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1248 | 2976 | schtasks.exe | 34
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1652 | 2976 | schtasks.exe | 34
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3020 | 2976 | schtasks.exe | 34
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2316 | 2976 | schtasks.exe | 34
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1832 | 2976 | schtasks.exe | 34
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2792 | 2976 | schtasks.exe | 34
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1660 | 2976 | schtasks.exe | 34

  resource | yara_rule
  behavioral1/files/0x0007000000016d0c-9.dat | dcrat
  behavioral1/memory/2168-13-0x00000000009C0000-0x0000000000AD0000-memory.dmp | dcrat
  behavioral1/memory/1760-41-0x0000000000100000-0x0000000000210000-memory.dmp | dcrat
  behavioral1/memory/2964-119-0x00000000011E0000-0x00000000012F0000-memory.dmp | dcrat
  behavioral1/memory/580-179-0x0000000000110000-0x0000000000220000-memory.dmp | dcrat
  behavioral1/memory/1064-239-0x0000000000F90000-0x00000000010A0000-memory.dmp | dcrat
  behavioral1/memory/2384-299-0x00000000012E0000-0x00000000013F0000-memory.dmp | dcrat
  behavioral1/memory/1872-537-0x0000000000220000-0x0000000000330000-memory.dmp | dcrat
  behavioral1/memory/1164-597-0x0000000000950000-0x0000000000A60000-memory.dmp | dcrat
- Command and Scripting Interpreter: PowerShell (1 TTPs, 6 IoCs)
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  pid | Process
  2028 | powershell.exe
  3036 | powershell.exe
  980 | powershell.exe
  1408 | powershell.exe
  1324 | powershell.exe
  840 | powershell.exe

- Executes dropped EXE (11 IoCs)
  pid | Process
  2168 | DllCommonsvc.exe
  1760 | DllCommonsvc.exe
  2964 | DllCommonsvc.exe
  580 | DllCommonsvc.exe
  1064 | DllCommonsvc.exe
  2384 | DllCommonsvc.exe
  2152 | DllCommonsvc.exe
  840 | DllCommonsvc.exe
  2092 | DllCommonsvc.exe
  1872 | DllCommonsvc.exe
  1164 | DllCommonsvc.exe

- Loads dropped DLL (2 IoCs)
  pid | Process
  2024 | cmd.exe
  2024 | cmd.exe

- Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 10 IoCs)
  flow | ioc
  5 | raw.githubusercontent.com
  19 | raw.githubusercontent.com
  23 | raw.githubusercontent.com
  30 | raw.githubusercontent.com
  33 | raw.githubusercontent.com
  4 | raw.githubusercontent.com
  9 | raw.githubusercontent.com
  12 | raw.githubusercontent.com
  16 | raw.githubusercontent.com
  27 | raw.githubusercontent.com

- Drops file in Program Files directory (3 IoCs)
  description | ioc | Process
  File created | C:\Program Files (x86)\Microsoft.NET\RedistList\winlogon.exe | DllCommonsvc.exe
  File opened for modification | C:\Program Files (x86)\Microsoft.NET\RedistList\winlogon.exe | DllCommonsvc.exe
  File created | C:\Program Files (x86)\Microsoft.NET\RedistList\cc11b995f2a76d | DllCommonsvc.exe

- Drops file in Windows directory (2 IoCs)
  description | ioc | Process
  File created | C:\Windows\de-DE\DllCommonsvc.exe | DllCommonsvc.exe
  File created | C:\Windows\de-DE\a76d7bf15d8370 | DllCommonsvc.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

- System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_5e218f93ff7c0f24a3d39b6ecb07d850d8b144f2ca610b2e543e0448c1993cf6.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
- Scheduled Task/Job: Scheduled Task (1 TTPs, 15 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  1652 | schtasks.exe
  2800 | schtasks.exe
  940 | schtasks.exe
  1248 | schtasks.exe
  3020 | schtasks.exe
  2316 | schtasks.exe
  2880 | schtasks.exe
  1040 | schtasks.exe
  2536 | schtasks.exe
  2792 | schtasks.exe
  1944 | schtasks.exe
  1832 | schtasks.exe
  1660 | schtasks.exe
  2876 | schtasks.exe
  2380 | schtasks.exe

- Suspicious behavior: EnumeratesProcesses (17 IoCs)
  pid | Process
  2168 | DllCommonsvc.exe
  3036 | powershell.exe
  1324 | powershell.exe
  1408 | powershell.exe
  980 | powershell.exe
  840 | powershell.exe
  2028 | powershell.exe
  1760 | DllCommonsvc.exe
  2964 | DllCommonsvc.exe
  580 | DllCommonsvc.exe
  1064 | DllCommonsvc.exe
  2384 | DllCommonsvc.exe
  2152 | DllCommonsvc.exe
  840 | DllCommonsvc.exe
  2092 | DllCommonsvc.exe
  1872 | DllCommonsvc.exe
  1164 | DllCommonsvc.exe

- Suspicious use of AdjustPrivilegeToken (17 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2168 | DllCommonsvc.exe
  Token: SeDebugPrivilege | 3036 | powershell.exe
  Token: SeDebugPrivilege | 1324 | powershell.exe
  Token: SeDebugPrivilege | 1760 | DllCommonsvc.exe
  Token: SeDebugPrivilege | 1408 | powershell.exe
  Token: SeDebugPrivilege | 980 | powershell.exe
  Token: SeDebugPrivilege | 840 | powershell.exe
  Token: SeDebugPrivilege | 2028 | powershell.exe
  Token: SeDebugPrivilege | 2964 | DllCommonsvc.exe
  Token: SeDebugPrivilege | 580 | DllCommonsvc.exe
  Token: SeDebugPrivilege | 1064 | DllCommonsvc.exe
  Token: SeDebugPrivilege | 2384 | DllCommonsvc.exe
  Token: SeDebugPrivilege | 2152 | DllCommonsvc.exe
  Token: SeDebugPrivilege | 840 | DllCommonsvc.exe
  Token: SeDebugPrivilege | 2092 | DllCommonsvc.exe
  Token: SeDebugPrivilege | 1872 | DllCommonsvc.exe
  Token: SeDebugPrivilege | 1164 | DllCommonsvc.exe

- Suspicious use of WriteProcessMemory (64 IoCs)
  Identical rows are collapsed; the count of recorded events is given in the last column.
  description | pid | Process | procid_target | events
  PID 1736 wrote to memory of 3000 | 1736 | JaffaCakes118_5e218f93ff7c0f24a3d39b6ecb07d850d8b144f2ca610b2e543e0448c1993cf6.exe | 30 | 4
  PID 3000 wrote to memory of 2024 | 3000 | WScript.exe | 31 | 4
  PID 2024 wrote to memory of 2168 | 2024 | cmd.exe | 33 | 4
  PID 2168 wrote to memory of 3036 | 2168 | DllCommonsvc.exe | 50 | 3
  PID 2168 wrote to memory of 980 | 2168 | DllCommonsvc.exe | 51 | 3
  PID 2168 wrote to memory of 1324 | 2168 | DllCommonsvc.exe | 52 | 3
  PID 2168 wrote to memory of 1408 | 2168 | DllCommonsvc.exe | 54 | 3
  PID 2168 wrote to memory of 840 | 2168 | DllCommonsvc.exe | 55 | 3
  PID 2168 wrote to memory of 2028 | 2168 | DllCommonsvc.exe | 57 | 3
  PID 2168 wrote to memory of 1760 | 2168 | DllCommonsvc.exe | 62 | 3
  PID 1760 wrote to memory of 1736 | 1760 | DllCommonsvc.exe | 63 | 3
  PID 1736 wrote to memory of 2956 | 1736 | cmd.exe | 65 | 3
  PID 1736 wrote to memory of 2964 | 1736 | cmd.exe | 66 | 3
  PID 2964 wrote to memory of 1424 | 2964 | DllCommonsvc.exe | 67 | 3
  PID 1424 wrote to memory of 2328 | 1424 | cmd.exe | 69 | 3
  PID 1424 wrote to memory of 580 | 1424 | cmd.exe | 70 | 3
  PID 580 wrote to memory of 840 | 580 | DllCommonsvc.exe | 71 | 3
  PID 840 wrote to memory of 1320 | 840 | cmd.exe | 73 | 3
  PID 840 wrote to memory of 1064 | 840 | cmd.exe | 74 | 3
  PID 1064 wrote to memory of 2596 | 1064 | DllCommonsvc.exe | 75 | 3
  PID 2596 wrote to memory of 2184 | 2596 | cmd.exe | 77 | 1

- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Each entry gives the process image, its command line, the depth in the process tree and its PID, followed by the signatures it triggered.

[depth 1] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5e218f93ff7c0f24a3d39b6ecb07d850d8b144f2ca610b2e543e0448c1993cf6.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5e218f93ff7c0f24a3d39b6ecb07d850d8b144f2ca610b2e543e0448c1993cf6.exe"
    PID: 1736
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

[depth 2] C:\Windows\SysWOW64\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
    PID: 3000
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

[depth 3] C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c ""C:\providercommon\1zu9dW.bat" "
    PID: 2024
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

[depth 4] C:\providercommon\DllCommonsvc.exe
    Command line: "C:\providercommon\DllCommonsvc.exe"
    PID: 2168
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
    PID: 3036
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\RedistList\winlogon.exe'
    PID: 980
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\csrss.exe'
    PID: 1324
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\de-DE\DllCommonsvc.exe'
    PID: 1408
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\DllCommonsvc.exe'
    PID: 840
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsass.exe'
    PID: 2028
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
[depth 5] C:\Windows\de-DE\DllCommonsvc.exe
    Command line: "C:\Windows\de-DE\DllCommonsvc.exe"
    PID: 1760
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

[depth 6] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\z6HXYUNDfk.bat"
    PID: 1736
    - Suspicious use of WriteProcessMemory

[depth 7] C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 2956

[depth 7] C:\Windows\de-DE\DllCommonsvc.exe
    Command line: "C:\Windows\de-DE\DllCommonsvc.exe"
    PID: 2964
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

[depth 8] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7bDnwPuEug.bat"
    PID: 1424
    - Suspicious use of WriteProcessMemory

[depth 9] C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 2328

[depth 9] C:\Windows\de-DE\DllCommonsvc.exe
    Command line: "C:\Windows\de-DE\DllCommonsvc.exe"
    PID: 580
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

[depth 10] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\b7oBPqXqtO.bat"
    PID: 840
    - Suspicious use of WriteProcessMemory

[depth 11] C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 1320

[depth 11] C:\Windows\de-DE\DllCommonsvc.exe
    Command line: "C:\Windows\de-DE\DllCommonsvc.exe"
    PID: 1064
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

[depth 12] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\veDg5wW3gS.bat"
    PID: 2596
    - Suspicious use of WriteProcessMemory

[depth 13] C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 2184

[depth 13] C:\Windows\de-DE\DllCommonsvc.exe
    Command line: "C:\Windows\de-DE\DllCommonsvc.exe"
    PID: 2384
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

[depth 14] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\04VLARgLyy.bat"
    PID: 2824

[depth 15] C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 2812

[depth 15] C:\Windows\de-DE\DllCommonsvc.exe
    Command line: "C:\Windows\de-DE\DllCommonsvc.exe"
    PID: 2152
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

[depth 16] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3IH1xDWFpP.bat"
    PID: 2020

[depth 17] C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 1152

[depth 17] C:\Windows\de-DE\DllCommonsvc.exe
    Command line: "C:\Windows\de-DE\DllCommonsvc.exe"
    PID: 840
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

[depth 18] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WtKWrLEt72.bat"
    PID: 2072

[depth 19] C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 1064

[depth 19] C:\Windows\de-DE\DllCommonsvc.exe
    Command line: "C:\Windows\de-DE\DllCommonsvc.exe"
    PID: 2092
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

[depth 20] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OMb46N11BK.bat"
    PID: 588

[depth 21] C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 520

[depth 21] C:\Windows\de-DE\DllCommonsvc.exe
    Command line: "C:\Windows\de-DE\DllCommonsvc.exe"
    PID: 1872
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

[depth 22] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\79RMekxjZd.bat"
    PID: 2208

[depth 23] C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 1992

[depth 23] C:\Windows\de-DE\DllCommonsvc.exe
    Command line: "C:\Windows\de-DE\DllCommonsvc.exe"
    PID: 1164
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
[depth 1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\winlogon.exe'" /f
    PID: 2876
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task

[depth 1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\winlogon.exe'" /rl HIGHEST /f
    PID: 2800
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task

[depth 1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\winlogon.exe'" /rl HIGHEST /f
    PID: 2880
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task

[depth 1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Users\Default\csrss.exe'" /f
    PID: 2536
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task

[depth 1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default\csrss.exe'" /rl HIGHEST /f
    PID: 2380
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task

[depth 1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Users\Default\csrss.exe'" /rl HIGHEST /f
    PID: 1944
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task

[depth 1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 5 /tr "'C:\Windows\de-DE\DllCommonsvc.exe'" /f
    PID: 940
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task

[depth 1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Windows\de-DE\DllCommonsvc.exe'" /rl HIGHEST /f
    PID: 1040
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task

[depth 1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 14 /tr "'C:\Windows\de-DE\DllCommonsvc.exe'" /rl HIGHEST /f
    PID: 1248
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task

[depth 1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\DllCommonsvc.exe'" /f
    PID: 1652
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task

[depth 1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\DllCommonsvc.exe'" /rl HIGHEST /f
    PID: 3020
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task

[depth 1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\DllCommonsvc.exe'" /rl HIGHEST /f
    PID: 2316
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task

[depth 1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsass.exe'" /f
    PID: 1832
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task

[depth 1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsass.exe'" /rl HIGHEST /f
    PID: 2792
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task

[depth 1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsass.exe'" /rl HIGHEST /f
    PID: 1660
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: ef4b77d7b4a0fbb3557177fad5a46e0b
SHA1: ec72f7a2c6fb4db3d4b7866a8def207747aae1c6
SHA256: 91987b2df564265899e5cc435fbfbe64fd9d1a192cc1ef4255bcab6429ad123f
SHA512: 5e535ee6206936b0d6ebf7f23456c830780451a99fa7cccac6e3c207b961e114ce323a650cc3f90afc16140cfdda8ffeb13a4a332399d8a0b73fefc11a356bc6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: b4f6e9eef4e00f77934fe5a737b33b9e
SHA1: a721cf18ce926c06c743eaeee74246a8a126a20d
SHA256: a0c871d646eea78491ddd7b842491f393fda34a73458b22680dcf3a92672626b
SHA512: f03c4df280ecf134f6cf1209e9a0b7a4839aaa331fe2748f4bde7d7034567d74622d2e67fa14c39e24b96eb096ae1391db1528979bf2fbc31d8f23cd24cc367b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 281656d1e7c83d3a0751f238172bf81b
SHA1: 6c7e3b814dbc14946475b1d9a3a8d4c84220799f
SHA256: 81e955fd1041ad5c0651623f20d0abd6e7ee14d514adeb4ec288bb2b4cb8affc
SHA512: 7d6f80fb895ae85bfde4f7b3b2cea552870d81f9014e9c0ae7fd9eac10bd03a39a6e11ecee83dcda2cebf4f75febb4f0d381e1716766288316a8c9cc2c4d9aef

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 0fe65b79274db38d39948b4a0e37db3d
SHA1: 51ae2a9827a8e1586aaeefa8e890eb246a2e3cc0
SHA256: c8563501830d1888822a85dcb619f53ea40cf63b72afef19c8d88a3efb7b62e4
SHA512: 83744e1476aa557a42c76120c76a303d6f0ec05decca60666fb020b5fa788fe657a6d616d9847f5c498b31ec3de0eed187fc3e42b1d8eddd1e91a1c10273055f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 4c83be95a7a212f9fe2902b8d4b2761a
SHA1: 55b1e2248f87201aff3c30fb9891de984842bb3d
SHA256: a4c14e32ba260133dc1e95b17e859bfcc2e18c2b13f4078ef8d3c69adfc0d279
SHA512: 379b041c71f020ffc56d2c9f64a0a5ca31c51167e03a4a8cb6fff13dc1c8f5295242fd922f3426ee5c6a5adfc2ff2609d13bc29ebc80456cb48c7b557050959c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 404b51c3b37c8cbc9e9c1b3c1bae297e
SHA1: 5b9f7be79ef436065c8e0580da2230229db9a2cb
SHA256: 2a7793c0cad5957af7d0ee361f1067acff94ade1023f84f27119b4273d405636
SHA512: e40f212b3d7bc65e87e8a17e404d89f5722227ae3a7d4820cbdac36c5896e7b1126c856f5e6650568ddbdc6c9a1a5dee92807b62c7ba8631bea55a9ca4cffa9b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 3ec0739f690dd376de94f2215e03c2b2
SHA1: 6d4b585ad78346b3e8baa38382052e1eb8c158a1
SHA256: 6d9bc4d441e84a246e0175ac969efa1a9e0914046d8c7b93dec81a7d348d0d93
SHA512: 4802ff72e15aacc1a3b27c8f70b7ed69726efb2756fda363c1f94afa7738b8e3d08d512114df815b4fef81cf37b6a405dbc61adc07b5923cbcba1298994a0095

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: c3eccd6f76797b965de6e166d4173c4f
SHA1: 7aa30efead8b3947e8b114cd3f9286be25af3fda
SHA256: 8b82510983a714877304228edf1243dfd8358cd5dbec124bf2e6a288a937c3ed
SHA512: edc1f7f4a3c4fab6d70847961d78a968b655bb4e2cfdbed6629269dd7f45b86ec90f1e7cc82480f389b4d24094701365b7e91851f5dab6a540b555222fbd6fad
Filesize: 198B
MD5: d6a80d87c156fbf531259ebb3accdcf5
SHA1: 51394a17d340ab6e9d038efba548ce29c156d462
SHA256: 2d093323e74bf9d9ad12896386f9a64a3fb0fe3c2ade73777d0808651648c7ad
SHA512: c00c4eb57c8a55f7ed629136eccbdba73bf7f5930867fc23dfaa6cea2934bfa83761e87902139b61a92d53c6e46e32140f69f087c9b1f506d405d1c4957f338b

Filesize: 198B
MD5: f12ee1d219505a92c86ea24c5ef25aec
SHA1: 6c73f511cb3322f32303aa4b4e83dd15a72354e7
SHA256: 6da6588635b5ad205c51aebc5c3fae2136e45b421c9263b62c088cba87da74ba
SHA512: b6a2904e5be7394952516a0f46dd9197646db9c92677cea4850c47e286af61ad56885d7764b98dc414422e45479347adf77cac449dfebe1657f8512ed1759b85

Filesize: 198B
MD5: b2f27bb4233cb34b23bde06e4b70ca56
SHA1: 764913fbc6142ddcf9c47c7e79ba5595732a3cdf
SHA256: b3051efa26e6bd1cc8af49eeaa47065bf270bbfdc51e64fa9dc5fca26d4a0e5b
SHA512: 28f1bb468c3091a3f26676643f8968beb829d194740b954a9dfa7dea32fe6a043f30d444d352dcc159f68a988148b467c7b8ce6fe57da273f391fd8f5398a8a6

Filesize: 198B
MD5: 71250a414375d8aad5ce02eef12f1a6b
SHA1: 6f62255ec3c63aeb58bb3872cdac81404045973c
SHA256: 7071c8e244db79d6db522f779bc95ec4770401d85b0c4a169601b876546d752f
SHA512: f2d00a3d1b9326ad9aee893e284308b5c18c07cfbe918c4a78d64afc6ac9561dfafa6536ab84416ca9d8443c14eb1cb74b1a0268909c652b17ba51f608b93126

Filesize: 70KB
MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1: 1723be06719828dda65ad804298d0431f6aff976
SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Filesize: 198B
MD5: e6b7a167dc5cab53bc478dffbee6f4b8
SHA1: 7f138d4ebbee1ac02d0c53011006a43818ab5982
SHA256: c0f776664d682ed67c39c716485f0c9c2a76f984db908a3d7e9173703cdb7c5c
SHA512: d3863691ccfa8e602a2274e37916b481e6dcb77269a7968206269942669cfe836ac901fd89e0ba7caead194f2a482dfb81b43d03f5a2565251780db0995bec9c

Filesize: 181KB
MD5: 4ea6026cf93ec6338144661bf1202cd1
SHA1: a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256: 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512: 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Filesize: 198B
MD5: b47c8916224dd9f638d475c0eae98579
SHA1: a96e6c42c037dc924c3546b2646ec96d6cc86310
SHA256: 6bca8ae14ac187d78d42b8850c75883dbd0d87d6debe2a7beb4ffd5c4ccb07d6
SHA512: 01633d57604b02b2001bb711b002914234bf259ca3a8784140436756626f9b3d31892555066e183abaa35a45eb0a35ad036bf4fbda08a1f5f552b197054dd3ce

Filesize: 198B
MD5: 6219e76f82f698f2b3233b63b3f9b432
SHA1: 7cc7abf33559d5b229f23866714c3fcda82ca2c7
SHA256: 009918ca092b609b1f1fa8e1043d389e2f552375273966f6b8474dbed0942c35
SHA512: fe4c894e6b2d5af5f85e1fa2d34a0b634d650d133a783567528a5e9c25bb65e578c5b7084860960d6765e62ec565ec2772ba811aca12b083cdbf896afe8a2903

Filesize: 198B
MD5: acf3d8e9adcf7190cad74a83bbfb3fed
SHA1: d679a73e302d651aef68b5ce6065183823256d65
SHA256: 6b5be23b828cf86a6f855514e059e324c8dfa967590eb2b44e1d6d447e382e0a
SHA512: 112099007fdbf950c802f7b4e6c5dae52417ad3f540a5aa2fb5f906fadd277011a0e906927bc99784016330bb2fa5f86fa370859422555c139b12500593f410c

Filesize: 198B
MD5: e151e7b627b4a4590396442e06961da8
SHA1: ab5276336101f7f064eae9acfae1267063995d91
SHA256: f47455258422728dd131b5eafb6da2023de12174fba02d891ead21492db733f0
SHA512: 11969a9e77ad135d70293197005ab28e3b98bbfbd8aa86c7afcc2e28781f9f38565c6de6599892badc947e94d63efc56e25efa3562b903a6c547fb3122f59ffc
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\MPW6NPJZZ5M88GLQMFBG.temp
Filesize: 7KB
MD5: bce1fe5eb7840c591f8d14d6bec32751
SHA1: 082085f75e7eaa5c9b556d433faa1f5de47394ef
SHA256: cf64a9d961c47efb2154817ff557ad965bd17f80d57ab645fe7d1f11995a3624
SHA512: f3e9d89641a7863c7e8ba91cfd570457f87516090ec835fc94ee205a6e7aa4e8a84b66570fd22e8bae6a2d2d38a3e01238dcac6ea1674fd9a1f107c5998e242a

Filesize: 36B
MD5: 6783c3ee07c7d151ceac57f1f9c8bed7
SHA1: 17468f98f95bf504cc1f83c49e49a78526b3ea03
SHA256: 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512: c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Filesize: 197B
MD5: 8088241160261560a02c84025d107592
SHA1: 083121f7027557570994c9fc211df61730455bb5
SHA256: 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA512: 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Filesize: 1.0MB
MD5: bd31e94b4143c4ce49c17d3af46bcad0
SHA1: f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256: b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512: f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394