Analysis
Max time kernel: 148s
Max time network: 150s
Platform: windows7_x64
Resource: win7-20240708-en
Resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
Submitted: 21-12-2024 21:43
Behavioral task behavioral1
Sample: JaffaCakes118_6a90a987391de5bc3ef06e657aa9f333537bac6207eea70515fa5409077aa927.exe
Resource: win7-20240708-en

Behavioral task behavioral2
Sample: JaffaCakes118_6a90a987391de5bc3ef06e657aa9f333537bac6207eea70515fa5409077aa927.exe
Resource: win10v2004-20241007-en
General
Target: JaffaCakes118_6a90a987391de5bc3ef06e657aa9f333537bac6207eea70515fa5409077aa927.exe
Size: 1.3MB
MD5: 42d93f60c0d6355dba66fa60fb0d74a3
SHA1: e9a8f4b9f39efdcbe1d64966e43da1ee69ad5b12
SHA256: 6a90a987391de5bc3ef06e657aa9f333537bac6207eea70515fa5409077aa927
SHA512: 986548e4094b86f2bc9536c8bed300039672c812cef97cd33ff7522cc108cabf3fbdc6780dfc0c6b4db5c9cd1478296b5c373afe4b2682d9b7b604410e08c002
SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

Dcrat family

Process spawned unexpected child process (9 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3048 | 2576 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3060 | 2576 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3064 | 2576 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2312 | 2576 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2984 | 2576 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2800 | 2576 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2196 | 2576 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2040 | 2576 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2792 | 2576 | schtasks.exe | 34

resource | yara_rule
behavioral1/files/0x0008000000016c7c-12.dat | dcrat
behavioral1/memory/2884-13-0x00000000013B0000-0x00000000014C0000-memory.dmp | dcrat
behavioral1/memory/580-46-0x0000000000170000-0x0000000000280000-memory.dmp | dcrat
behavioral1/memory/3012-108-0x0000000000A50000-0x0000000000B60000-memory.dmp | dcrat
behavioral1/memory/1460-168-0x0000000001390000-0x00000000014A0000-memory.dmp | dcrat
Command and Scripting Interpreter: PowerShell (1 TTPs, 4 IoCs)
Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid | Process
2764 | powershell.exe
2768 | powershell.exe
2784 | powershell.exe
2756 | powershell.exe

Executes dropped EXE (12 IoCs)
pid | Process
2884 | DllCommonsvc.exe
580 | lsm.exe
3012 | lsm.exe
1460 | lsm.exe
2116 | lsm.exe
2904 | lsm.exe
2552 | lsm.exe
1700 | lsm.exe
1140 | lsm.exe
2404 | lsm.exe
2340 | lsm.exe
944 | lsm.exe

Loads dropped DLL (2 IoCs)
pid | Process
2708 | cmd.exe
2708 | cmd.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 12 IoCs)
flow | ioc
37 | raw.githubusercontent.com
4 | raw.githubusercontent.com
9 | raw.githubusercontent.com
26 | raw.githubusercontent.com
30 | raw.githubusercontent.com
23 | raw.githubusercontent.com
33 | raw.githubusercontent.com
40 | raw.githubusercontent.com
5 | raw.githubusercontent.com
12 | raw.githubusercontent.com
15 | raw.githubusercontent.com
19 | raw.githubusercontent.com

Drops file in Program Files directory (5 IoCs)
description | ioc | Process
File created | C:\Program Files (x86)\Windows Photo Viewer\en-US\services.exe | DllCommonsvc.exe
File opened for modification | C:\Program Files (x86)\Windows Photo Viewer\en-US\services.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\Windows Photo Viewer\en-US\c5b4cb5e9653cc | DllCommonsvc.exe
File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\explorer.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\7a0fd90576e088 | DllCommonsvc.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_6a90a987391de5bc3ef06e657aa9f333537bac6207eea70515fa5409077aa927.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe

Scheduled Task/Job: Scheduled Task (1 TTPs, 9 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
3048 | schtasks.exe
3064 | schtasks.exe
2312 | schtasks.exe
2800 | schtasks.exe
2040 | schtasks.exe
3060 | schtasks.exe
2984 | schtasks.exe
2196 | schtasks.exe
2792 | schtasks.exe
Suspicious behavior: EnumeratesProcesses (22 IoCs)
Identical rows are collapsed; the count column gives how many times the event was logged.
pid | Process | count
2884 | DllCommonsvc.exe | 7
2764 | powershell.exe | 1
2768 | powershell.exe | 1
2784 | powershell.exe | 1
2756 | powershell.exe | 1
580 | lsm.exe | 1
3012 | lsm.exe | 1
1460 | lsm.exe | 1
2116 | lsm.exe | 1
2904 | lsm.exe | 1
2552 | lsm.exe | 1
1700 | lsm.exe | 1
1140 | lsm.exe | 1
2404 | lsm.exe | 1
2340 | lsm.exe | 1
944 | lsm.exe | 1

Suspicious use of AdjustPrivilegeToken (16 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2884 | DllCommonsvc.exe
Token: SeDebugPrivilege | 2764 | powershell.exe
Token: SeDebugPrivilege | 2756 | powershell.exe
Token: SeDebugPrivilege | 2768 | powershell.exe
Token: SeDebugPrivilege | 2784 | powershell.exe
Token: SeDebugPrivilege | 580 | lsm.exe
Token: SeDebugPrivilege | 3012 | lsm.exe
Token: SeDebugPrivilege | 1460 | lsm.exe
Token: SeDebugPrivilege | 2116 | lsm.exe
Token: SeDebugPrivilege | 2904 | lsm.exe
Token: SeDebugPrivilege | 2552 | lsm.exe
Token: SeDebugPrivilege | 1700 | lsm.exe
Token: SeDebugPrivilege | 1140 | lsm.exe
Token: SeDebugPrivilege | 2404 | lsm.exe
Token: SeDebugPrivilege | 2340 | lsm.exe
Token: SeDebugPrivilege | 944 | lsm.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Identical rows are collapsed; the count column gives how many times the event was logged.
description | pid | Process | procid_target | count
PID 2640 wrote to memory of 2836 | 2640 | JaffaCakes118_6a90a987391de5bc3ef06e657aa9f333537bac6207eea70515fa5409077aa927.exe | 30 | 4
PID 2836 wrote to memory of 2708 | 2836 | WScript.exe | 31 | 4
PID 2708 wrote to memory of 2884 | 2708 | cmd.exe | 33 | 4
PID 2884 wrote to memory of 2768 | 2884 | DllCommonsvc.exe | 44 | 3
PID 2884 wrote to memory of 2784 | 2884 | DllCommonsvc.exe | 45 | 3
PID 2884 wrote to memory of 2756 | 2884 | DllCommonsvc.exe | 46 | 3
PID 2884 wrote to memory of 2764 | 2884 | DllCommonsvc.exe | 47 | 3
PID 2884 wrote to memory of 580 | 2884 | DllCommonsvc.exe | 52 | 3
PID 580 wrote to memory of 652 | 580 | lsm.exe | 53 | 3
PID 652 wrote to memory of 1948 | 652 | cmd.exe | 55 | 3
PID 652 wrote to memory of 3012 | 652 | cmd.exe | 56 | 3
PID 3012 wrote to memory of 2060 | 3012 | lsm.exe | 57 | 3
PID 2060 wrote to memory of 2556 | 2060 | cmd.exe | 59 | 3
PID 2060 wrote to memory of 1460 | 2060 | cmd.exe | 60 | 3
PID 1460 wrote to memory of 2944 | 1460 | lsm.exe | 61 | 3
PID 2944 wrote to memory of 1660 | 2944 | cmd.exe | 63 | 3
PID 2944 wrote to memory of 2116 | 2944 | cmd.exe | 64 | 3
PID 2116 wrote to memory of 2504 | 2116 | lsm.exe | 65 | 3
PID 2504 wrote to memory of 768 | 2504 | cmd.exe | 67 | 3
PID 2504 wrote to memory of 2904 | 2504 | cmd.exe | 68 | 3
PID 2904 wrote to memory of 2832 | 2904 | lsm.exe | 69 | 1
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Process tree; the number in brackets is the nesting depth of the process in the tree.

[1] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6a90a987391de5bc3ef06e657aa9f333537bac6207eea70515fa5409077aa927.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6a90a987391de5bc3ef06e657aa9f333537bac6207eea70515fa5409077aa927.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2640

[2] C:\Windows\SysWOW64\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2836

[3] C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c ""C:\providercommon\1zu9dW.bat" "
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2708

[4] C:\providercommon\DllCommonsvc.exe
  Command line: "C:\providercommon\DllCommonsvc.exe"
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2884

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2768

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Photo Viewer\en-US\services.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2784

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsm.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2756

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\explorer.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2764

[5] C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsm.exe
  Command line: "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsm.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 580

[6] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dIJBhaqFKS.bat"
  - Suspicious use of WriteProcessMemory
  PID: 652

[7] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 1948

[7] C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsm.exe
  Command line: "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsm.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 3012

[8] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YQG5KQjShu.bat"
  - Suspicious use of WriteProcessMemory
  PID: 2060

[9] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2556

[9] C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsm.exe
  Command line: "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsm.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1460

[10] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\j5PKlq1uIo.bat"
  - Suspicious use of WriteProcessMemory
  PID: 2944

[11] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 1660

[11] C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsm.exe
  Command line: "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsm.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2116

[12] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vdJwOJplm6.bat"
  - Suspicious use of WriteProcessMemory
  PID: 2504

[13] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 768

[13] C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsm.exe
  Command line: "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsm.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2904

[14] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vIn8vbLsXf.bat"
  PID: 2832

[15] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2184

[15] C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsm.exe
  Command line: "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsm.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2552

[16] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\v9lJjcBPjH.bat"
  PID: 2500

[17] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2800

[17] C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsm.exe
  Command line: "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsm.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1700

[18] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SaOkt9ru2m.bat"
  PID: 796

[19] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 328

[19] C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsm.exe
  Command line: "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsm.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1140

[20] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9EVEWoB6gn.bat"
  PID: 908

[21] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 1348

[21] C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsm.exe
  Command line: "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsm.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2404

[22] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HAQQp9H1T4.bat"
  PID: 2556

[23] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2988

[23] C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsm.exe
  Command line: "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsm.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2340

[24] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MKE9IzBoeI.bat"
  PID: 1660

[25] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2304

[25] C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsm.exe
  Command line: "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsm.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 944

[26] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0rnbwo7iYS.bat"
  PID: 1956

[27] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 1772
[1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\services.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 3048

[1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\services.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 3060

[1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\services.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 3064

[1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsm.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2312

[1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2984

[1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2800

[1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\explorer.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2196

[1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\explorer.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2040

[1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\explorer.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2792
Network
MITRE ATT&CK Enterprise v15
Downloads