Analysis
max time kernel: 146s
max time network: 146s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 21-12-2024 23:21
Behavioral task: behavioral1
Sample: JaffaCakes118_3cef79896027667329445893f16586fbb058bab5261e3b92e0d9cf3f7b877287.exe
Resource: win7-20241010-en

Behavioral task: behavioral2
Sample: JaffaCakes118_3cef79896027667329445893f16586fbb058bab5261e3b92e0d9cf3f7b877287.exe
Resource: win10v2004-20241007-en
General
Target: JaffaCakes118_3cef79896027667329445893f16586fbb058bab5261e3b92e0d9cf3f7b877287.exe
Size: 1.3MB
MD5: 76a688820a85b18f8ec7623d5b013d37
SHA1: 01688be448bb5a48626a9e1f86291d32a80902d1
SHA256: 3cef79896027667329445893f16586fbb058bab5261e3b92e0d9cf3f7b877287
SHA512: 152419bb7f10733886bb2f239a1bb4ab6b2e337a9d2529de682289b3408c023f2322c49fea5c5d764685e013f7093c11c78dc0792d945e89e11ecfe6ffd01961
SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.

Dcrat family
Process spawned unexpected child process (12 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2816 | 2688 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2360 | 2688 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1888 | 2688 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1476 | 2688 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1748 | 2688 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2120 | 2688 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2128 | 2688 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 536 | 2688 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1916 | 2688 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2036 | 2688 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3008 | 2688 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3012 | 2688 | schtasks.exe | 34

resource | yara_rule
behavioral1/files/0x0008000000016dc0-9.dat | dcrat
behavioral1/memory/2940-13-0x0000000000CF0000-0x0000000000E00000-memory.dmp | dcrat
behavioral1/memory/1868-59-0x0000000000920000-0x0000000000A30000-memory.dmp | dcrat
behavioral1/memory/2844-118-0x00000000000F0000-0x0000000000200000-memory.dmp | dcrat
behavioral1/memory/2904-178-0x00000000009A0000-0x0000000000AB0000-memory.dmp | dcrat
behavioral1/memory/2940-238-0x0000000001150000-0x0000000001260000-memory.dmp | dcrat
behavioral1/memory/2208-417-0x00000000003F0000-0x0000000000500000-memory.dmp | dcrat
behavioral1/memory/2272-478-0x0000000001330000-0x0000000001440000-memory.dmp | dcrat
Command and Scripting Interpreter: PowerShell (1 TTPs, 5 IoCs)
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
pid | Process
1996 | powershell.exe
872 | powershell.exe
2112 | powershell.exe
2028 | powershell.exe
2872 | powershell.exe
Executes dropped EXE (11 IoCs)
pid | Process
2940 | DllCommonsvc.exe
1868 | System.exe
2844 | System.exe
2904 | System.exe
2940 | System.exe
976 | System.exe
3040 | System.exe
2208 | System.exe
2272 | System.exe
1960 | System.exe
536 | System.exe
Loads dropped DLL (2 IoCs)
pid | Process
2828 | cmd.exe
2828 | cmd.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 11 IoCs)
flow | ioc
37 | raw.githubusercontent.com
5 | raw.githubusercontent.com
16 | raw.githubusercontent.com
20 | raw.githubusercontent.com
23 | raw.githubusercontent.com
31 | raw.githubusercontent.com
34 | raw.githubusercontent.com
4 | raw.githubusercontent.com
9 | raw.githubusercontent.com
13 | raw.githubusercontent.com
27 | raw.githubusercontent.com
Drops file in Program Files directory (5 IoCs)
description | ioc | Process
File created | C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\886983d96e3d3e | DllCommonsvc.exe
File created | C:\Program Files (x86)\Windows Media Player\conhost.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\Windows Media Player\088424020bedd6 | DllCommonsvc.exe
File created | C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\csrss.exe | DllCommonsvc.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\csrss.exe | DllCommonsvc.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_3cef79896027667329445893f16586fbb058bab5261e3b92e0d9cf3f7b877287.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Scheduled Task/Job: Scheduled Task (1 TTPs, 12 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
2360 | schtasks.exe
1888 | schtasks.exe
1476 | schtasks.exe
2128 | schtasks.exe
536 | schtasks.exe
2036 | schtasks.exe
3008 | schtasks.exe
3012 | schtasks.exe
2816 | schtasks.exe
1748 | schtasks.exe
2120 | schtasks.exe
1916 | schtasks.exe
Suspicious behavior: EnumeratesProcesses (16 IoCs)
pid | Process
2940 | DllCommonsvc.exe
872 | powershell.exe
2872 | powershell.exe
1996 | powershell.exe
2028 | powershell.exe
2112 | powershell.exe
1868 | System.exe
2844 | System.exe
2904 | System.exe
2940 | System.exe
976 | System.exe
3040 | System.exe
2208 | System.exe
2272 | System.exe
1960 | System.exe
536 | System.exe
Suspicious use of AdjustPrivilegeToken (16 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2940 | DllCommonsvc.exe
Token: SeDebugPrivilege | 872 | powershell.exe
Token: SeDebugPrivilege | 2872 | powershell.exe
Token: SeDebugPrivilege | 1996 | powershell.exe
Token: SeDebugPrivilege | 2028 | powershell.exe
Token: SeDebugPrivilege | 2112 | powershell.exe
Token: SeDebugPrivilege | 1868 | System.exe
Token: SeDebugPrivilege | 2844 | System.exe
Token: SeDebugPrivilege | 2904 | System.exe
Token: SeDebugPrivilege | 2940 | System.exe
Token: SeDebugPrivilege | 976 | System.exe
Token: SeDebugPrivilege | 3040 | System.exe
Token: SeDebugPrivilege | 2208 | System.exe
Token: SeDebugPrivilege | 2272 | System.exe
Token: SeDebugPrivilege | 1960 | System.exe
Token: SeDebugPrivilege | 536 | System.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 2876 wrote to memory of 2836 | 2876 | JaffaCakes118_3cef79896027667329445893f16586fbb058bab5261e3b92e0d9cf3f7b877287.exe | 30
PID 2876 wrote to memory of 2836 | 2876 | JaffaCakes118_3cef79896027667329445893f16586fbb058bab5261e3b92e0d9cf3f7b877287.exe | 30
PID 2876 wrote to memory of 2836 | 2876 | JaffaCakes118_3cef79896027667329445893f16586fbb058bab5261e3b92e0d9cf3f7b877287.exe | 30
PID 2876 wrote to memory of 2836 | 2876 | JaffaCakes118_3cef79896027667329445893f16586fbb058bab5261e3b92e0d9cf3f7b877287.exe | 30
PID 2836 wrote to memory of 2828 | 2836 | WScript.exe | 31
PID 2836 wrote to memory of 2828 | 2836 | WScript.exe | 31
PID 2836 wrote to memory of 2828 | 2836 | WScript.exe | 31
PID 2836 wrote to memory of 2828 | 2836 | WScript.exe | 31
PID 2828 wrote to memory of 2940 | 2828 | cmd.exe | 33
PID 2828 wrote to memory of 2940 | 2828 | cmd.exe | 33
PID 2828 wrote to memory of 2940 | 2828 | cmd.exe | 33
PID 2828 wrote to memory of 2940 | 2828 | cmd.exe | 33
PID 2940 wrote to memory of 872 | 2940 | DllCommonsvc.exe | 47
PID 2940 wrote to memory of 872 | 2940 | DllCommonsvc.exe | 47
PID 2940 wrote to memory of 872 | 2940 | DllCommonsvc.exe | 47
PID 2940 wrote to memory of 2872 | 2940 | DllCommonsvc.exe | 48
PID 2940 wrote to memory of 2872 | 2940 | DllCommonsvc.exe | 48
PID 2940 wrote to memory of 2872 | 2940 | DllCommonsvc.exe | 48
PID 2940 wrote to memory of 1996 | 2940 | DllCommonsvc.exe | 49
PID 2940 wrote to memory of 1996 | 2940 | DllCommonsvc.exe | 49
PID 2940 wrote to memory of 1996 | 2940 | DllCommonsvc.exe | 49
PID 2940 wrote to memory of 2112 | 2940 | DllCommonsvc.exe | 50
PID 2940 wrote to memory of 2112 | 2940 | DllCommonsvc.exe | 50
PID 2940 wrote to memory of 2112 | 2940 | DllCommonsvc.exe | 50
PID 2940 wrote to memory of 2028 | 2940 | DllCommonsvc.exe | 51
PID 2940 wrote to memory of 2028 | 2940 | DllCommonsvc.exe | 51
PID 2940 wrote to memory of 2028 | 2940 | DllCommonsvc.exe | 51
PID 2940 wrote to memory of 2176 | 2940 | DllCommonsvc.exe | 57
PID 2940 wrote to memory of 2176 | 2940 | DllCommonsvc.exe | 57
PID 2940 wrote to memory of 2176 | 2940 | DllCommonsvc.exe | 57
PID 2176 wrote to memory of 2232 | 2176 | cmd.exe | 59
PID 2176 wrote to memory of 2232 | 2176 | cmd.exe | 59
PID 2176 wrote to memory of 2232 | 2176 | cmd.exe | 59
PID 2176 wrote to memory of 1868 | 2176 | cmd.exe | 60
PID 2176 wrote to memory of 1868 | 2176 | cmd.exe | 60
PID 2176 wrote to memory of 1868 | 2176 | cmd.exe | 60
PID 1868 wrote to memory of 1540 | 1868 | System.exe | 62
PID 1868 wrote to memory of 1540 | 1868 | System.exe | 62
PID 1868 wrote to memory of 1540 | 1868 | System.exe | 62
PID 1540 wrote to memory of 2576 | 1540 | cmd.exe | 64
PID 1540 wrote to memory of 2576 | 1540 | cmd.exe | 64
PID 1540 wrote to memory of 2576 | 1540 | cmd.exe | 64
PID 1540 wrote to memory of 2844 | 1540 | cmd.exe | 65
PID 1540 wrote to memory of 2844 | 1540 | cmd.exe | 65
PID 1540 wrote to memory of 2844 | 1540 | cmd.exe | 65
PID 2844 wrote to memory of 2192 | 2844 | System.exe | 66
PID 2844 wrote to memory of 2192 | 2844 | System.exe | 66
PID 2844 wrote to memory of 2192 | 2844 | System.exe | 66
PID 2192 wrote to memory of 1708 | 2192 | cmd.exe | 68
PID 2192 wrote to memory of 1708 | 2192 | cmd.exe | 68
PID 2192 wrote to memory of 1708 | 2192 | cmd.exe | 68
PID 2192 wrote to memory of 2904 | 2192 | cmd.exe | 69
PID 2192 wrote to memory of 2904 | 2192 | cmd.exe | 69
PID 2192 wrote to memory of 2904 | 2192 | cmd.exe | 69
PID 2904 wrote to memory of 2168 | 2904 | System.exe | 70
PID 2904 wrote to memory of 2168 | 2904 | System.exe | 70
PID 2904 wrote to memory of 2168 | 2904 | System.exe | 70
PID 2168 wrote to memory of 1092 | 2168 | cmd.exe | 72
PID 2168 wrote to memory of 1092 | 2168 | cmd.exe | 72
PID 2168 wrote to memory of 1092 | 2168 | cmd.exe | 72
PID 2168 wrote to memory of 2940 | 2168 | cmd.exe | 73
PID 2168 wrote to memory of 2940 | 2168 | cmd.exe | 73
PID 2168 wrote to memory of 2940 | 2168 | cmd.exe | 73
PID 2940 wrote to memory of 912 | 2940 | System.exe | 74
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Each entry gives the nesting depth of the process in the tree, its image path, its command line, the signatures it triggered and its PID.

[depth 1] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3cef79896027667329445893f16586fbb058bab5261e3b92e0d9cf3f7b877287.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3cef79896027667329445893f16586fbb058bab5261e3b92e0d9cf3f7b877287.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2876

[depth 2] C:\Windows\SysWOW64\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2836

[depth 3] C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c ""C:\providercommon\1zu9dW.bat" "
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2828

[depth 4] C:\providercommon\DllCommonsvc.exe
  Command line: "C:\providercommon\DllCommonsvc.exe"
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2940

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 872

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\csrss.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2872

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\System.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1996

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Media Player\conhost.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2112

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\cmd.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2028

[depth 5] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4kaJnY8jMt.bat"
  - Suspicious use of WriteProcessMemory
  PID: 2176

[depth 6] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2232

[depth 6] C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\System.exe
  Command line: "C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\System.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1868

[depth 7] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\j5VZ5DKdOS.bat"
  - Suspicious use of WriteProcessMemory
  PID: 1540

[depth 8] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2576

[depth 8] C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\System.exe
  Command line: "C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\System.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2844

[depth 9] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eTpA0L9dlX.bat"
  - Suspicious use of WriteProcessMemory
  PID: 2192

[depth 10] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 1708

[depth 10] C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\System.exe
  Command line: "C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\System.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2904

[depth 11] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qUPyb5cGVE.bat"
  - Suspicious use of WriteProcessMemory
  PID: 2168

[depth 12] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 1092

[depth 12] C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\System.exe
  Command line: "C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\System.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2940

[depth 13] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OZJpL0Zeaq.bat"
  PID: 912

[depth 14] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2152

[depth 14] C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\System.exe
  Command line: "C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\System.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 976

[depth 15] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0xFiNVDkrN.bat"
  PID: 2164

[depth 16] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 1748

[depth 16] C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\System.exe
  Command line: "C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\System.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 3040

[depth 17] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wUI7DLfHyj.bat"
  PID: 2496

[depth 18] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 1576

[depth 18] C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\System.exe
  Command line: "C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\System.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2208

[depth 19] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8wkcP7O697.bat"
  PID: 1560

[depth 20] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2232

[depth 20] C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\System.exe
  Command line: "C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\System.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2272

[depth 21] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\n9GQh003RW.bat"
  PID: 2860

[depth 22] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 3036

[depth 22] C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\System.exe
  Command line: "C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\System.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1960

[depth 23] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RgqsKqwwLg.bat"
  PID: 2384

[depth 24] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 1904

[depth 24] C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\System.exe
  Command line: "C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\System.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 536

[depth 25] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wpigNgqS7W.bat"
  PID: 1776

[depth 26] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 1648

[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\csrss.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2816

[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\csrss.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2360

[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\csrss.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1888

[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\System.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1476

[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\System.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1748

[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\System.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2120

[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Media Player\conhost.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2128

[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\conhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 536

[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Media Player\conhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1916

[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\cmd.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2036

[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\cmd.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 3008

[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\cmd.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 3012
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: add444f5671d5b49840d0a2131f95f66
SHA1: bb8f4b2a256dc836088011cad730504300f7da5a
SHA256: 3bd70e3b0ec00581ac2395ac66af2d2c9321a390d74389dbc896779da9b9e3df
SHA512: 257c2f80178658c33962d608afec783bcaa13cbc05511a3e47542944327dce3e97db4c01f025d6ee6689debd8f5e6bd0a5065211765c7f9b55b060dc471789aa

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 566681d5b146dcc92c11448d5935cb57
SHA1: c3510a97c73889703a002af3f454fb2e6e774b53
SHA256: c3a518bd3a5f05bbce2b559d74f32daeba83fdcfc35ce3355fa8b10a0345782f
SHA512: da5bf04fc7aa449d30fad97eab8c04143f7a4b641b8e478c64862eeed44726ae8f4275101ad5a807585b584c21c5e879df44f68eab222b61e25444796dcec3f6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 2ece1851999c8c85a83f42527323ddc0
SHA1: efb98d42869726eee888a217f83ca4c377ed1660
SHA256: c3d8368c4960046aff63c0bdd6c279681823ae453cecf5a8548f68aaa8096444
SHA512: 80af5dea87695a338f4a24ef198133e049c190b96e1c35d2110c898db32d4eb3ece412f395d25f22ae6305141462f4b528a9c22b2ba93415e81e76732e267008

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 752bbe3da3f19c955b533a0e5bb4fb7d
SHA1: 70b980195d785b26ea221ba36f92cf069304b727
SHA256: 481f82147bb311726498ac081b6174c3e3a743d6f8c5055ab36eb333a68d7c1d
SHA512: fbfdafbbd585b34e62c92d927ec4e0ffc75fd6b24f0b6886804cf8918c9263cd34bc68e13290059157fd75e3a909a5b2e6d7886c01f64db7e4360357e6328cf2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 3cffc801ed1d767b8cc62985e2b3be71
SHA1: a610d172150cd0e916a59bbece48a175c6f7b3ee
SHA256: 8c6d4335a22fe58a195fb5e77de5eb80e064291a98ee825b0785aa2a63969a0a
SHA512: d04d19ca3fd1d5cbaa1d41774a708763d5b2cd18d7e64faec0b22b1f7422b87f0f4c872a9f12f823e0b61382c9bff71581d9dbd37cd32331c33c841e8f04eae5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 608393136a895b9c01c08d7012711e29
SHA1: 16d3fcab8c1cc4cb1157e302046fd2251c52465b
SHA256: ccdebf0b2b683604758fbf893e7602608c81cd05c2b5a65200fe587f6df4060d
SHA512: 222a27160eff2ef14aa874bb2e8b11aa3deb07dfd44125127d1009c5eebb9525fd770d1ff8062b92a786875016a096021cf69ab880293645aa5a2c4aaeff859e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 0fca257f8b6f99007ea69c06f043b8be
SHA1: 8dd144368428599c72715fa810afcab5bb9729e4
SHA256: ac48b7257138642704afbcdfa2c5ec677b2c5ec3c9cdc3448f9d967dd8082288
SHA512: bb92d0b8b651bb7465dc1ee4254ef6781db48243f9480d49009cc8fe1ab19afa92e495c42d6d2341f17083ddcd9353a73240d62d429356cf75e5f6507f2e3a51

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 0ed32d5d146909907660f0c7c3bf800a
SHA1: 3388ba8e5f312a89c292732fe1e91bac79364beb
SHA256: a1f65359abdac2dd58db2a935cc62337ae5c4585947356bcf1d06843c7468455
SHA512: 542d05666180a0b2f5e93235249fa17a976709fc6a8ced2c16a5697484cc37cd1aa7026a33c7b54efd4e1556e4311480b47e95ac5f77f3bae6eac59a1ad1af82

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 787c0aecb3b186bc58915d2d6a13357d
SHA1: 58a2c111549412e3f93b827c84076be276ef351f
SHA256: 72ced12752f0af1efaa42f9c268f4209484d9457d0fb8b2fc28983674b30c25d
SHA512: d8fab1dba82ed0736e981cf55ea3c505de22e7a6ec4404fcf552d3f9f3bc7381633c85c6e5934a7d3499794c46ecd0c1092d74fb8028a4d115cf07c05aee5855
Filesize: 224B
MD5: 9c9343e199964e5904551f0488d8517d
SHA1: cc016bb9d20f902f4838f0ba7b5d426bc3a622a5
SHA256: f97809650919a75a61611657279197a32e50c9f8c87453cc060384ca0ba3e37f
SHA512: e7c5c662bf9248e827e8250a6db4d49ef0a030c159ddbf89b56fc2ad17c4a77846bc3d18b206cf6b0d8a7f156913fb5f3b9e83830cb4ee7d83abe73c9aabd7ba

Filesize: 224B
MD5: 03c757963001cb9b790f471108d3175f
SHA1: 62c75e45f80c3f93833a1457a68f2e2febb3f7f9
SHA256: df68a91fe87ac616bf36d334903c72307c37c82b55372ff6b6255a34ad3dd2f2
SHA512: f7509df2add0132f868aab47fdb9cfa0b398c8316cfd3f5f1c741c1c15c5412a01cc7e17632bf886302899a53ccf15c502877d4d94ffdb222f999d8d62d05a43

Filesize: 224B
MD5: 1b66d917034a87d6b6945f37acf6fad7
SHA1: 93c73e1e4f3124521abe984a71e75d9e38984734
SHA256: 3f781a6adde1b211036361e1b121cceba6e2d4187844b6c00b9d65ee9ea80d47
SHA512: 59190ed6c33b2643be9b2c1a625a4a5e2214750a13175e8f34487fc190ea58d437bbd50714efff46994299e91f8e2e14b5ffe3700ddc289830a5290bf4feb694

Filesize: 70KB
MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1: 1723be06719828dda65ad804298d0431f6aff976
SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Filesize: 224B
MD5: 2850878816bfba133a460ef2aba66def
SHA1: ddcaa861747579124377ca19a5c9225894bc2768
SHA256: d277095ccd7ed58216f874129069018a562d537aba3d2924f933f9530ccf4328
SHA512: 0b53dbc4631297fef4f2bf866dd863a7f5181d67c6e93abae0b44f71d626e9f016709a4b7fd0696ac26195b573ec5a74261c3a3f658e5c78b300c12d433bf52a

Filesize: 224B
MD5: 02bb800ea3a5992d5eef57805e4fb776
SHA1: fde6117c5c5fc3c0fb02831db3cae581115072c9
SHA256: 12a27c2291e1db24f85cdc46b5eccf22d7bd6ee931790747115d00a2b1891da9
SHA512: c770a5304e640147275cf7413d04213f7dfaade5e67f5e230f2bb5d2f6eda462edc2c7982fc7c741e90facf11182978cc7bf393a75b2b38f4c66bd5bcb2144a1

Filesize: 181KB
MD5: 4ea6026cf93ec6338144661bf1202cd1
SHA1: a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256: 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512: 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Filesize: 224B
MD5: ab9bda4b2b28372252726cddd4e121b5
SHA1: 87b773ac7688148c094784e1a99a6d6730d08d27
SHA256: ef11c595b2472e00ef61b8dad7127c9eae58690f3b54e7336004283a58e95c41
SHA512: 4eaece822e40db904efc822e5628a8147e2f56752f3188edd5aa5d30bc8045fdb1f6b7327c7cb655f209582a8db6c98cd8cb77c278bd1c0f01438cee58b96949

Filesize: 224B
MD5: ad17093a97133d9561bb23675f0dedab
SHA1: a239d130ec33e683760b619648b12149f12b1929
SHA256: cd92c68df2d6df2e27ef8c593c4d52e5f111c5b4e5f6af0d91a4381ee57923c4
SHA512: be14a8d116dc8d247f0f1a0dc6142f93d91b8105acecd6d31e91e02b6f28bcbdc5d0c940be93b89424f3dbfded2e1162bc01d928058301240e5790188af31b47

Filesize: 224B
MD5: a5254a3a1166d29f819458e7c3726a7c
SHA1: d89ecc207dce50ff08d4665c3e277d461a2eb111
SHA256: 398b40cefcc8d7f3fdec6343c89ae21099b2bfc2d48897355cd76cab80c95c79
SHA512: 26ee0d0eee54ae4f694154d0b6d9970ef03f5e9d7cacb91be4d2ff0c6485d837df53906d03ed81d33bed0c0b893c5e4114fb633d40de0667d7cfe78222c2c423

Filesize: 224B
MD5: e943e2126ecf8e5ce99075b729b61333
SHA1: adee0adf596a25e4b8d2976b02f7ce2f51833a34
SHA256: 91b5018a477ccc7d4288adcbfaaaf83a01614ac5acea12679856f26a6f03fc60
SHA512: 78724f88bfd2e17f5a3de05c4c86f485ce7fc40c2785654cb8d29a618cbc94b9b10574c9850a747cab24c211457549c307d46851ec9b74c941407ebcc21ac95e

Filesize: 224B
MD5: 20c1cae7d20c497a377ee4f8cee1268a
SHA1: a2a68573fd4fba3c76da65fddba71b1650b33719
SHA256: 0014ff8944bd61508d6bf457e327176e2f7693b1ed77584232e8b58d53937239
SHA512: fd2f8e953c3225464f8b6028f7fe9ff7be6007ac6d209bd0d3ec5010c10361383d6182514a98399ea8f5a004da3a4cf847ab52ef7b2204306e673c92ea921089

Filesize: 224B
MD5: 82c59148e225ae0c2b256ded2f78a5a2
SHA1: 91f0d3551800248f23db43131adb1b78afbb755b
SHA256: 8b4925a6da39284c3673123bccfea11fa22553a80584ee0489029f7e90f40147
SHA512: 7b2c4726c11a3cb05e0191614cac4b5a763c0e4122d843a20634be6dbd6dd37d27a8c9979e80c82f16dc409a775943dd7276314a97101892d5e75560d3beadb2
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\3M9WEIA7UX0KI9HM52LH.temp
Filesize: 7KB
MD5: 001882c361d3586b74c379dca7b53483
SHA1: d40e9753ed1099e83ddc70a8b9f54a9417b7b783
SHA256: f4ad1845ca4ee7926aed63be873a925ed8a614fad03f83734bb8693c063fccef
SHA512: a4f922adc9c167d8a4d07814c973fdded89de5533107606e1e694860ebeac7250eca7271819619d65011c22a99fbe5dedf3168a6e6270438ae5a524cec302505

Filesize: 36B
MD5: 6783c3ee07c7d151ceac57f1f9c8bed7
SHA1: 17468f98f95bf504cc1f83c49e49a78526b3ea03
SHA256: 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512: c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Filesize: 197B
MD5: 8088241160261560a02c84025d107592
SHA1: 083121f7027557570994c9fc211df61730455bb5
SHA256: 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA512: 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Filesize: 1.0MB
MD5: bd31e94b4143c4ce49c17d3af46bcad0
SHA1: f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256: b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512: f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394