Analysis
max time kernel: 144s
max time network: 140s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 21-12-2024 18:31
Behavioral tasks
behavioral1: sample JaffaCakes118_f9f584cb372ed5fd06b58144b0ef460ae8df787e7ab4ca0144b12b265f4318c9.exe, resource win7-20240903-en
behavioral2: sample JaffaCakes118_f9f584cb372ed5fd06b58144b0ef460ae8df787e7ab4ca0144b12b265f4318c9.exe, resource win10v2004-20241007-en
This page is the behavioral1 (Windows 7 x64) run; all YARA and process data below come from it.
General
Target: JaffaCakes118_f9f584cb372ed5fd06b58144b0ef460ae8df787e7ab4ca0144b12b265f4318c9.exe
Size: 1.3MB
MD5: fa62ef75c9d865cb9787b9663d2c3516
SHA1: bfb49c43f89a1910475d4fea15ce336be371f3bf
SHA256: f9f584cb372ed5fd06b58144b0ef460ae8df787e7ab4ca0144b12b265f4318c9
SHA512: c497ae38f69c62c228591e2a1182353bef89285d89eacfe5a40267d8c834eda3968c62fa69e0d384b4dd01c8c7b23b35f60d09637c3305ef288e9aac52443ee2
SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
DcRat
DarkCrystal (DCRat) is a .NET RAT, active since June 2019, that can load additional plugins.
Dcrat family
Process spawned unexpected child process (9 IoCs)
This typically indicates the parent process was compromised via an exploit or macro. Here the flagged parent is wmiprvse.exe, the WMI provider host: a child of wmiprvse.exe is the footprint of a process started through WMI (Win32_Process.Create), so the RAT asked WMI to run schtasks.exe rather than exploiting anything. All nine children are the schtasks.exe /create invocations listed as separate tree roots under Processes.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2844 | 2720 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2388 | 2720 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2960 | 2720 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1912 | 2720 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2560 | 2720 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2668 | 2720 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2100 | 2720 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2936 | 2720 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1660 | 2720 | schtasks.exe | 35
resource | yara_rule
behavioral1/files/0x00060000000186f8-10.dat | dcrat
behavioral1/memory/2120-13-0x00000000003A0000-0x00000000004B0000-memory.dmp | dcrat
behavioral1/memory/856-50-0x0000000000980000-0x0000000000A90000-memory.dmp | dcrat
behavioral1/memory/568-110-0x0000000000FF0000-0x0000000001100000-memory.dmp | dcrat
behavioral1/memory/1368-289-0x00000000000A0000-0x00000000001B0000-memory.dmp | dcrat
behavioral1/memory/904-349-0x00000000003F0000-0x0000000000500000-memory.dmp | dcrat
behavioral1/memory/1048-409-0x0000000000BD0000-0x0000000000CE0000-memory.dmp | dcrat
behavioral1/memory/1960-469-0x0000000000150000-0x0000000000260000-memory.dmp | dcrat
behavioral1/memory/2908-530-0x00000000000B0000-0x00000000001C0000-memory.dmp | dcrat
behavioral1/memory/1772-590-0x0000000000F70000-0x0000000001080000-memory.dmp | dcrat
behavioral1/memory/620-651-0x0000000001020000-0x0000000001130000-memory.dmp | dcrat
Command and Scripting Interpreter: PowerShell (1 TTPs, 4 IoCs)
Runs PowerShell to modify Windows Defender settings by adding exclusions for file extensions, paths, or processes. In this run all four invocations use Add-MpPreference -ExclusionPath to exempt the dropped binaries (DllCommonsvc.exe, System.exe, the MSOCache cmd.exe and the providercommon conhost.exe) from scanning; Add-MpPreference requires local administrator rights, so this step only succeeds when the sample already runs elevated.
pid | Process
324 | powershell.exe
2320 | powershell.exe
1048 | powershell.exe
540 | powershell.exe
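The four exclusion commands in this report are the only thing Defender is asked to change, so a detection can work purely from the PowerShell command line. The following is an added example, not part of the sandbox report or of DcRat: it parses Add-MpPreference exclusion arguments out of process command lines and flags -ExclusionPath values that point outside Windows and Program Files, into user-writable locations, or at a file named after a system binary. The sample command lines are constructed; the first four mirror the report, the fifth (a Hyper-V folder) is an assumed benign exclusion for contrast.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample command lines. The first four reproduce the Add-MpPreference
# invocations recorded in this report; the fifth is an assumed benign exclusion
# (a Hyper-V storage folder) included for contrast.
SAMPLE_CMDLINES = [
    "\"powershell\" -Command Add-MpPreference -ExclusionPath 'C:\\providercommon\\DllCommonsvc.exe'",
    "\"powershell\" -Command Add-MpPreference -ExclusionPath 'C:\\Users\\Public\\Documents\\My Music\\System.exe'",
    "\"powershell\" -Command Add-MpPreference -ExclusionPath 'C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\cmd.exe'",
    "\"powershell\" -Command Add-MpPreference -ExclusionPath 'C:\\providercommon\\conhost.exe'",
    "powershell.exe -Command \"Add-MpPreference -ExclusionExtension '.vhdx' -ExclusionPath 'C:\\Program Files\\Hyper-V'\"",
]

# -ExclusionPath 'v' | -ExclusionPath "v" | -ExclusionPath v  (same for Process/Extension/IpAddress)
PARAM_RE = re.compile(
    r"-(Exclusion(?:Path|Process|Extension|IpAddress))\s+(?:'([^']*)'|\"([^\"]*)\"|([^\s,;\"']+))",
    re.IGNORECASE,
)

# Names that belong under C:\Windows; the same name anywhere else is masquerading.
SYSTEM_NAMES = {"system.exe", "cmd.exe", "conhost.exe", "svchost.exe", "csrss.exe", "lsass.exe"}
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
USER_WRITABLE = ("c:\\users\\public\\", "\\appdata\\", "\\temp\\", "c:\\programdata\\")


def parse_exclusions(cmdline):
    """Return (parameter, value) pairs for every exclusion argument in a command line."""
    if re.search(r"add-mppreference", cmdline, re.IGNORECASE) is None:
        return []
    pairs = []
    for m in PARAM_RE.finditer(cmdline):
        value = next(g for g in m.groups()[1:] if g is not None)
        # Add-MpPreference accepts comma-separated lists for each exclusion parameter.
        pairs.extend((m.group(1), item.strip()) for item in value.split(",") if item.strip())
    return pairs


def assess_path(path):
    """Why an -ExclusionPath value deserves a look; an empty list means nothing was flagged."""
    p = PureWindowsPath(path)
    low = str(p).lower().rstrip("\\") + "\\"
    reasons = []
    if not low.startswith(TRUSTED_ROOTS):
        reasons.append("outside Windows and Program Files")
    if p.name.lower() in SYSTEM_NAMES and not low.startswith("c:\\windows\\"):
        reasons.append(f"system binary name {p.name} outside C:\\Windows")
    if any(marker in low for marker in USER_WRITABLE):
        reasons.append("user-writable location")
    return reasons


def triage(cmdlines):
    """One finding per exclusion argument found in the given process command lines."""
    findings = []
    for cmdline in cmdlines:
        for param, value in parse_exclusions(cmdline):
            reasons = assess_path(value) if param.lower() == "exclusionpath" else []
            findings.append({"param": param, "value": value, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_CMDLINES):
        verdict = "SUSPICIOUS" if f["reasons"] else "ok"
        print(f"{verdict:10} -{f['param']} {f['value']}  {'; '.join(f['reasons'])}")
```

Feeding it Sysmon event 1 or Windows 4688 command lines gives the same result; the parser deliberately ignores -ExclusionExtension and -ExclusionProcess values when scoring because those need a different policy (any new extension exclusion is usually worth a ticket on its own).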
Executes dropped EXE (12 IoCs)
pid | Process
2120 | DllCommonsvc.exe
856 | System.exe
568 | System.exe
2932 | System.exe
2196 | System.exe
1368 | System.exe
904 | System.exe
1048 | System.exe
1960 | System.exe
2908 | System.exe
1772 | System.exe
620 | System.exe
Loads dropped DLL (2 IoCs)
pid | Process
2952 | cmd.exe (two loads recorded)
Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 11 IoCs)
flow | ioc
4, 5, 9, 13, 16, 19, 22, 26, 29, 32, 35 | raw.githubusercontent.com
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of the victim in order to infer the host's geographical location. WScript.exe and cmd.exe read this key during normal locale initialisation, so on its own the hit is low-signal.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_f9f584cb372ed5fd06b58144b0ef460ae8df787e7ab4ca0144b12b265f4318c9.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Scheduled Task/Job: Scheduled Task (1 TTPs, 9 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
2388 | schtasks.exe
1912 | schtasks.exe
2668 | schtasks.exe
2936 | schtasks.exe
1660 | schtasks.exe
2844 | schtasks.exe
2960 | schtasks.exe
2560 | schtasks.exe
2100 | schtasks.exe
Suspicious behavior: EnumeratesProcesses (16 IoCs)
pid | Process
2120 | DllCommonsvc.exe
1048 | powershell.exe
324 | powershell.exe
2320 | powershell.exe
540 | powershell.exe
856 | System.exe
568 | System.exe
2932 | System.exe
2196 | System.exe
1368 | System.exe
904 | System.exe
1048 | System.exe
1960 | System.exe
2908 | System.exe
1772 | System.exe
620 | System.exe
Suspicious use of AdjustPrivilegeToken (16 IoCs)
Token: SeDebugPrivilege, enabled by each of:
2120 DllCommonsvc.exe, 1048 powershell.exe, 324 powershell.exe, 540 powershell.exe, 2320 powershell.exe, 856 System.exe, 568 System.exe, 2932 System.exe, 2196 System.exe, 1368 System.exe, 904 System.exe, 1048 System.exe, 1960 System.exe, 2908 System.exe, 1772 System.exe, 620 System.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Every entry is a parent writing into the address space of a child it has just created (the three or four repeated rows per pair are the successive writes made while the child is set up), so this table retraces the process tree rather than showing injection into an unrelated process. PIDs 2892 and 1048 occur twice in the run because Windows reused them; procid_target is the sandbox's stable process key.
source pid (process) -> target pid, procid_target, entries
2356 (JaffaCakes118_f9f584cb372ed5fd06b58144b0ef460ae8df787e7ab4ca0144b12b265f4318c9.exe) -> 2892, procid_target 31, 4 entries
2892 (WScript.exe) -> 2952, procid_target 32, 4 entries
2952 (cmd.exe) -> 2120, procid_target 34, 4 entries
2120 (DllCommonsvc.exe) -> 540, procid_target 45, 3 entries
2120 (DllCommonsvc.exe) -> 324, procid_target 46, 3 entries
2120 (DllCommonsvc.exe) -> 1048, procid_target 47, 3 entries
2120 (DllCommonsvc.exe) -> 2320, procid_target 49, 3 entries
2120 (DllCommonsvc.exe) -> 856, procid_target 53, 3 entries
856 (System.exe) -> 2496, procid_target 54, 3 entries
2496 (cmd.exe) -> 1440, procid_target 56, 3 entries
2496 (cmd.exe) -> 568, procid_target 57, 3 entries
568 (System.exe) -> 2772, procid_target 58, 3 entries
2772 (cmd.exe) -> 2532, procid_target 60, 3 entries
2772 (cmd.exe) -> 2932, procid_target 61, 3 entries
2932 (System.exe) -> 2016, procid_target 62, 3 entries
2016 (cmd.exe) -> 2428, procid_target 64, 3 entries
2016 (cmd.exe) -> 2196, procid_target 65, 3 entries
2196 (System.exe) -> 3028, procid_target 66, 3 entries
3028 (cmd.exe) -> 1904, procid_target 68, 3 entries
3028 (cmd.exe) -> 1368, procid_target 69, 3 entries
1368 (System.exe) -> 2892, procid_target 70, 1 entry (the table is capped at 64 IoCs)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Chain summary (from the tree below): the sample starts WScript.exe on a dropped .vbe, which runs a .bat through cmd.exe, which starts C:\providercommon\DllCommonsvc.exe (DcRat, per the memory YARA hits). DllCommonsvc.exe adds four Defender exclusions via PowerShell and launches System.exe; each System.exe then runs a randomly named .bat from %TEMP% that calls w32tm /stripchart (which blocks for the sampling period and so serves as a sleep) and starts System.exe again, eleven generations deep within the analysis window. The nine schtasks.exe entries at depth 1 are separate tree roots created through WMI (see the unexpected-child-process signature).

[depth 1] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f9f584cb372ed5fd06b58144b0ef460ae8df787e7ab4ca0144b12b265f4318c9.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f9f584cb372ed5fd06b58144b0ef460ae8df787e7ab4ca0144b12b265f4318c9.exe"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 2356
[depth 2] C:\Windows\SysWOW64\WScript.exe
    cmdline: "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 2892
[depth 3] C:\Windows\SysWOW64\cmd.exe
    cmdline: cmd /c ""C:\providercommon\1zu9dW.bat" "
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 2952
[depth 4] C:\providercommon\DllCommonsvc.exe
    cmdline: "C:\providercommon\DllCommonsvc.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 2120
[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 540
[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\My Music\System.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 324
[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\cmd.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1048
[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\conhost.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2320
[depth 5] C:\Users\Public\Documents\My Music\System.exe
    cmdline: "C:\Users\Public\Documents\My Music\System.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 856
[depth 6] C:\Windows\System32\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tiHtiEmsSK.bat"
    - Suspicious use of WriteProcessMemory
    PID: 2496
[depth 7] C:\Windows\system32\w32tm.exe
    cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 1440
[depth 7] C:\Users\Public\Documents\My Music\System.exe
    cmdline: "C:\Users\Public\Documents\My Music\System.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 568
[depth 8] C:\Windows\System32\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\I4yJNRBzAA.bat"
    - Suspicious use of WriteProcessMemory
    PID: 2772
[depth 9] C:\Windows\system32\w32tm.exe
    cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 2532
[depth 9] C:\Users\Public\Documents\My Music\System.exe
    cmdline: "C:\Users\Public\Documents\My Music\System.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 2932
[depth 10] C:\Windows\System32\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\04VLARgLyy.bat"
    - Suspicious use of WriteProcessMemory
    PID: 2016
[depth 11] C:\Windows\system32\w32tm.exe
    cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 2428
[depth 11] C:\Users\Public\Documents\My Music\System.exe
    cmdline: "C:\Users\Public\Documents\My Music\System.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 2196
[depth 12] C:\Windows\System32\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xkGYwzkQoc.bat"
    - Suspicious use of WriteProcessMemory
    PID: 3028
[depth 13] C:\Windows\system32\w32tm.exe
    cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 1904
[depth 13] C:\Users\Public\Documents\My Music\System.exe
    cmdline: "C:\Users\Public\Documents\My Music\System.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 1368
[depth 14] C:\Windows\System32\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1n8esAjYxK.bat"
    PID: 2892
[depth 15] C:\Windows\system32\w32tm.exe
    cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 2792
[depth 15] C:\Users\Public\Documents\My Music\System.exe
    cmdline: "C:\Users\Public\Documents\My Music\System.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 904
[depth 16] C:\Windows\System32\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sPXGbYzrvf.bat"
    PID: 2388
[depth 17] C:\Windows\system32\w32tm.exe
    cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 1260
[depth 17] C:\Users\Public\Documents\My Music\System.exe
    cmdline: "C:\Users\Public\Documents\My Music\System.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1048
[depth 18] C:\Windows\System32\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AMKHlt6LWj.bat"
    PID: 576
[depth 19] C:\Windows\system32\w32tm.exe
    cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 948
[depth 19] C:\Users\Public\Documents\My Music\System.exe
    cmdline: "C:\Users\Public\Documents\My Music\System.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1960
[depth 20] C:\Windows\System32\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7hZg3igX7v.bat"
    PID: 1472
[depth 21] C:\Windows\system32\w32tm.exe
    cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 2416
[depth 21] C:\Users\Public\Documents\My Music\System.exe
    cmdline: "C:\Users\Public\Documents\My Music\System.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2908
[depth 22] C:\Windows\System32\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BcIiUXCUMc.bat"
    PID: 3008
[depth 23] C:\Windows\system32\w32tm.exe
    cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 1656
[depth 23] C:\Users\Public\Documents\My Music\System.exe
    cmdline: "C:\Users\Public\Documents\My Music\System.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1772
[depth 24] C:\Windows\System32\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sWmtPUST1G.bat"
    PID: 776
[depth 25] C:\Windows\system32\w32tm.exe
    cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 1948
[depth 25] C:\Users\Public\Documents\My Music\System.exe
    cmdline: "C:\Users\Public\Documents\My Music\System.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 620
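The System.exe branch above is a self-restart loop: each instance runs a randomly named .bat from %TEMP% through cmd.exe, that batch file calls w32tm /stripchart against localhost (which simply blocks for the sampling period, so the RAT gets a sleep without calling Sleep or timeout.exe) and then starts System.exe again, and the new instance repeats the cycle. The following added example, not part of the sandbox report, walks a process list and extracts that chain: the starting instance, each batch file, the delay implied by the w32tm arguments and the PID of the next generation. The records are constructed from the first three generations of this tree and carry a sandbox-style unique record id next to the PID, because the report shows PIDs being reused; the w32tm timing (first sample immediately, one /period wait per further sample) is an assumption stated in the code.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed process records reproducing the first generations of the System.exe -> cmd.exe
# -> (w32tm, System.exe) chain from this report's process tree. Records carry a sandbox-style
# unique id (rid) alongside the PID because the report shows PIDs being reused within the run.
# Fields: (rid, parent_rid, pid, image, command line)
SYSTEM_EXE = r"C:\Users\Public\Documents\My Music\System.exe"
W32TM = "w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2"
PROCS = [
    (1, None, 2120, r"C:\providercommon\DllCommonsvc.exe", r'"C:\providercommon\DllCommonsvc.exe"'),
    (2, 1, 856, SYSTEM_EXE, f'"{SYSTEM_EXE}"'),
    (3, 2, 2496, r"C:\Windows\System32\cmd.exe", r'"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tiHtiEmsSK.bat"'),
    (4, 3, 1440, r"C:\Windows\system32\w32tm.exe", W32TM),
    (5, 3, 568, SYSTEM_EXE, f'"{SYSTEM_EXE}"'),
    (6, 5, 2772, r"C:\Windows\System32\cmd.exe", r'"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\I4yJNRBzAA.bat"'),
    (7, 6, 2532, r"C:\Windows\system32\w32tm.exe", W32TM),
    (8, 6, 2932, SYSTEM_EXE, f'"{SYSTEM_EXE}"'),
    (9, 8, 2016, r"C:\Windows\System32\cmd.exe", r'"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\04VLARgLyy.bat"'),
    (10, 9, 2428, r"C:\Windows\system32\w32tm.exe", W32TM),
    (11, 9, 2196, SYSTEM_EXE, f'"{SYSTEM_EXE}"'),
]

BAT_RE = re.compile(r'/C\s+"?(?P<bat>[^"]+?\.bat)"?', re.IGNORECASE)
W32TM_RE = re.compile(r"/period:(\d+)\b.*?/samples:(\d+)\b", re.IGNORECASE)


def w32tm_delay_seconds(cmdline):
    """Seconds a 'w32tm /stripchart' call keeps the batch file waiting. Assumption: the first
    sample is taken at once and every further sample waits /period seconds, so the call lasts
    about period * (samples - 1) seconds. Returns None for any other w32tm invocation."""
    if "/stripchart" not in cmdline.lower():
        return None
    m = W32TM_RE.search(cmdline)
    if m is None:
        return None
    period, samples = int(m.group(1)), int(m.group(2))
    return period * max(samples - 1, 0)


def respawn_chain(procs, image):
    """Follow image -> cmd.exe /C <x>.bat -> {w32tm delay, image} links, starting from the
    first instance of `image` that was not itself launched by that pattern."""
    by_rid = {p[0]: p for p in procs}
    kids = defaultdict(list)
    for rid, parent, *_ in procs:
        kids[parent].append(rid)

    def img(rid):
        return by_rid[rid][3].lower() if rid is not None else ""

    def grandparent(rid):
        parent = by_rid[rid][1]
        return by_rid[parent][1] if parent is not None else None

    starts = [rid for rid in by_rid
              if img(rid) == image.lower() and img(grandparent(rid)) != image.lower()]
    if not starts:
        return {"generations": 0, "hops": [], "total_delay_s": 0}
    cur, hops = min(starts), []
    while True:
        launcher = next((k for k in kids[cur]
                         if PureWindowsPath(by_rid[k][3]).name.lower() == "cmd.exe"
                         and BAT_RE.search(by_rid[k][4])), None)
        if launcher is None:
            break
        bat = PureWindowsPath(BAT_RE.search(by_rid[launcher][4]).group("bat")).name
        hop = {"pid": by_rid[cur][2], "bat": bat, "delay_s": None, "next_pid": None}
        nxt = None
        for k in kids[launcher]:
            _, _, pid, kimg, kcmd = by_rid[k]
            if PureWindowsPath(kimg).name.lower() == "w32tm.exe":
                hop["delay_s"] = w32tm_delay_seconds(kcmd)
            elif kimg.lower() == image.lower():
                hop["next_pid"], nxt = pid, k
        hops.append(hop)
        if nxt is None:
            break
        cur = nxt
    generations = 1 + sum(1 for h in hops if h["next_pid"] is not None)
    return {"generations": generations, "hops": hops,
            "total_delay_s": sum(h["delay_s"] or 0 for h in hops)}


if __name__ == "__main__":
    chain = respawn_chain(PROCS, SYSTEM_EXE)
    print(f"{chain['generations']} generations of {PureWindowsPath(SYSTEM_EXE).name}, "
          f"~{chain['total_delay_s']}s spent in w32tm delays")
    for h in chain["hops"]:
        print(f"  PID {h['pid']} -> cmd.exe /C {h['bat']} -> w32tm ({h['delay_s']}s) -> PID {h['next_pid']}")
```

With the full tree from this report the same walk yields eleven generations. For a live detection the simpler proxy is the grandparent relationship alone: a binary whose grandparent is another instance of itself, linked through cmd.exe /C on a .bat in %TEMP%, is rare outside installers and worth alerting on regardless of the w32tm trick.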
Scheduled-task creations (separate tree roots; their parent is wmiprvse.exe, see the unexpected-child-process signature). Each dropped binary gets three tasks: one ONLOGON task with /rl HIGHEST and two MINUTE-interval tasks that relaunch it every few minutes.

[depth 1] C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Documents\My Music\System.exe'" /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2844
[depth 1] C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Public\Documents\My Music\System.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2388
[depth 1] C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Documents\My Music\System.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2960
[depth 1] C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\cmd.exe'" /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 1912
[depth 1] C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2560
[depth 1] C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2668
[depth 1] C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\providercommon\conhost.exe'" /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2100
[depth 1] C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2936
[depth 1] C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 1660
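The nine schtasks.exe lines above carry everything needed to recover DcRat's persistence layout: which binaries it protects, how often they are relaunched, which tasks run elevated, and the fact that every one of them was created through WMI. The following added example, not part of the sandbox report, turns process-creation events (parent image, PID, command line) into structured findings: it tokenises the schtasks /create command line, strips the single quotes DcRat nests inside the /tr value, and flags the unexpected parent, targets outside Windows and Program Files, /rl HIGHEST, sub-15-minute MINUTE schedules and task names derived from the target's file name. The nine events reproduce this report; the tenth (a backup task created from cmd.exe) is an assumed benign event for contrast, and the set of unexpected parents is the author's choice.

```python
import re
from pathlib import PureWindowsPath

# Constructed process-creation events. The nine schtasks.exe records reproduce the command
# lines and PIDs from this report, with the parent image taken from the "unexpected child
# process" signature; the final record is an assumed benign task creation for contrast.
SYS = r"C:\Users\Public\Documents\My Music\System.exe"
CMD = r"C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\cmd.exe"
CON = r"C:\providercommon\conhost.exe"
WMI = r"C:\Windows\system32\wbem\wmiprvse.exe"
EVENTS = [  # (pid, parent image, command line)
    (2844, WMI, f'schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "\'{SYS}\'" /f'),
    (2388, WMI, f'schtasks.exe /create /tn "System" /sc ONLOGON /tr "\'{SYS}\'" /rl HIGHEST /f'),
    (2960, WMI, f'schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "\'{SYS}\'" /rl HIGHEST /f'),
    (1912, WMI, f'schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "\'{CMD}\'" /f'),
    (2560, WMI, f'schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "\'{CMD}\'" /rl HIGHEST /f'),
    (2668, WMI, f'schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "\'{CMD}\'" /rl HIGHEST /f'),
    (2100, WMI, f'schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "\'{CON}\'" /f'),
    (2936, WMI, f'schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "\'{CON}\'" /rl HIGHEST /f'),
    (1660, WMI, f'schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "\'{CON}\'" /rl HIGHEST /f'),
    # Assumed benign: an interactive shell scheduling a vendor binary under Program Files.
    (4100, r"C:\Windows\System32\cmd.exe",
     r'schtasks.exe /create /tn "NightlyBackup" /sc DAILY /st 02:00 /tr "C:\Program Files\Backup\backup.exe" /f'),
]

TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Parents that only launch schtasks.exe when something is driving them programmatically (author's list).
UNEXPECTED_PARENTS = {"wmiprvse.exe", "wscript.exe", "cscript.exe", "mshta.exe", "winword.exe", "excel.exe"}


def tokenize(cmdline):
    """Split on whitespace, keeping double-quoted runs (spaces included) as one token."""
    return [quoted if quoted else bare for quoted, bare in TOKEN_RE.findall(cmdline)]


def parse_schtasks(cmdline):
    """Return {switch: value} for a 'schtasks /create' command line, or None for anything else."""
    toks = tokenize(cmdline)
    if not toks or "schtasks" not in toks[0].lower() or "/create" not in (t.lower() for t in toks):
        return None
    args, i = {}, 1
    while i < len(toks):
        if not toks[i].startswith("/"):
            i += 1
            continue
        switch = toks[i][1:].lower()
        if i + 1 < len(toks) and not toks[i + 1].startswith("/"):
            args[switch] = toks[i + 1]
            i += 2
        else:
            args[switch] = True   # flag without a value, e.g. /f
            i += 1
    # DcRat wraps the target in single quotes inside the double-quoted /tr value.
    tr = args.get("tr", "")
    args["target"] = tr.strip("'\"") if isinstance(tr, str) else ""
    return args


def assess(pid, parent_image, cmdline):
    """Findings for one process-creation event; None if it is not a task creation."""
    args = parse_schtasks(cmdline)
    if args is None:
        return None
    reasons = []
    parent = PureWindowsPath(parent_image).name.lower()
    if parent in UNEXPECTED_PARENTS:
        reasons.append(f"created via {parent} (WMI or script host, not an interactive shell)")
    target = args["target"]
    tl = target.lower().rstrip("\\") + "\\"
    if target and not tl.startswith(TRUSTED_ROOTS):
        reasons.append("target outside Windows and Program Files")
    if str(args.get("rl", "")).upper() == "HIGHEST":
        reasons.append("/rl HIGHEST (runs elevated)")
    if str(args.get("sc", "")).upper() == "MINUTE" and int(args.get("mo", 1)) <= 15:
        reasons.append(f"re-launched every {args.get('mo', 1)} min (watchdog-style persistence)")
    stem = PureWindowsPath(target).stem.lower()
    if stem and str(args.get("tn", "")).lower().startswith(stem):
        reasons.append("task name derived from the target file name")
    return {"pid": pid, "task": args.get("tn"), "target": target, "reasons": reasons}


def triage(events):
    """Per-event findings plus a map of target binary -> task names created for it."""
    findings = [f for f in (assess(*e) for e in events) if f is not None]
    by_target = {}
    for f in findings:
        by_target.setdefault(f["target"], []).append(f["task"])
    return findings, by_target


if __name__ == "__main__":
    findings, by_target = triage(EVENTS)
    for f in findings:
        print(f"PID {f['pid']:>5} task {f['task']!r:15} -> {f['target']}")
        for r in f["reasons"]:
            print(f"            {r}")
    for target, names in by_target.items():
        print(f"{len(names)} task(s) for {target}: {names}")
```

The by_target map is the cleanup list for the host: three tasks per binary here, which is why deleting only the ONLOGON task leaves the implant coming back within ten minutes.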
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize: 342B
    MD5: 9eb323e5e2160ac37f0565e89f65a68c
    SHA1: 78afb8ca25a27caf5a51f534bed7c0dfc630f9fb
    SHA256: 165aae60f592aff48f99a3ce3c0eb93220731b7288207552f40a03ad62c13f18
    SHA512: 9e759a554d860bc533472a13c6615a3fb04ec101906379cc67dc4693277be71f8d63bdd5c120ca990e964386ac0e4a13b84c0532a2fb17176bf0e93c55d03adc
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize: 342B
    MD5: 13e78a9883cbe5c7e7515c687afbd567
    SHA1: 97e21dfa5366a7d4b08e119ce0dc8119bf838f02
    SHA256: 5939e11772dc6239a5caecb86fb053cde3a885bd69c0a2edff83cbee3d2fbcf4
    SHA512: 218043ff4a2cc81a94cc9277e763b882fe389358edc2ee1912b89adcf0646602027e89946ef04cf89fd49444e4f91fcdf69790f6544e9a3444cbe09d8751eddd
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize: 342B
    MD5: 185e94fcdcd83ebe84cfd1b2454df43e
    SHA1: b55f569fca5dd30f0c36130f48f0d4d9ece98fee
    SHA256: 648228aee9c391109055e102efcbedb4f9c3171c2140f1eb62a73fcd687fcf18
    SHA512: 7d1f9b849ea4d17f0c2f667ee886940a456f917067790b711fc8b879938515b38abf7f4cd211e88362b6ed4a574005ac3f3d1840372081a3f41cbced40ce332d
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize: 342B
    MD5: 1afce96636f8b8a1ea1ace21a204cc21
    SHA1: aee3f59672a800d0db0da2af810f045164d0ac75
    SHA256: 6185ba333962bda778b39349db65a8c8fada2f5d24b7a23c7224b8cd027ae5b3
    SHA512: d56b7e596ba53186755416ecb2c1b0fa7dc8cefa252357a606981ccc31fd7cc4e20446c17b83b183a7fb70d6a878be92beefda2021a77959127035e2279d7ce3
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize: 342B
    MD5: 21182c2e11ccaac8f2f9b5c6c0cdaa7c
    SHA1: f103ddbc69277796e1ac8e67c497ef1f6d03e386
    SHA256: deca53dc4b12dcdc29efa81753663ec1d35b7520c34aa15aff27aececb5f81b6
    SHA512: 8390ff20a27d9fc960e4eb38452a21b83f7587037f14d1c05884e3d94be5f63220d66b370c2cb1ddb179cf8c4f61156ab1c1585f12f7699871e47633a75a8fb8
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize: 342B
    MD5: 02d53b98aaafaaa9835cf461e00bee8e
    SHA1: a9ac9a5b9e34dc3d05e61b570f703deab11b08b3
    SHA256: bcd3e1de56e27db286cc123dff4124f85df0d89739d340ea14ce1ad9dfde979d
    SHA512: e44e49f1017e8965dbc0060df871d0871af40466a54ef949f08f71390526a9fa9a93703e1873dbfec57f9d6b992b3d9e7c8e41fe82a446e5660c4655235e7bd6
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize: 342B
    MD5: 916c41704c1abade1e242dcd7bbb632f
    SHA1: 02f565290942e52cc68fc6bc0dd24952f64aca98
    SHA256: 500b3919f0afa617ad3cdb4f58019493616deb7c2d65aa708214a2f1595caada
    SHA512: dc1029b2d35ebfe4d7a715a32450f225531c05391c6c507a2474b013f00115119f9af049515d45146d40195ee216b456805fece44c10322c2cf76f1031d685b6
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize: 342B
    MD5: 81117003a999a9cad0a69b7d361e8e8e
    SHA1: eccee880e8ac99b35d61ea5a6da4f4c4af3aa938
    SHA256: 6c37bb7db7c591f726f6e9f6a59a74fe022f3491b8399f3a6c7179bc952ccc3a
    SHA512: f27d181ba475751d189a2f50644111bdc3f8015810e9a2b2133350ec5644dd871b20f9bcf7cc320aaa04fb081af3854c7bbbc1e902b8097b4660de9a40aac284
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize: 342B
    MD5: 9b7da1008aa96f4020391fb623ee09e2
    SHA1: 79813e8df89635995a058e598bcca276bee982b1
    SHA256: 7e4b86e6bff5e5e2b47a4396925b4a771743693044992132ac00d33073d9937f
    SHA512: 2d8bcb0cc0afd46ea47b5caeca33fbd98c9221aae3476f80feeb8c5186421e59faa014815ffbc4e6c2ee86a760cd8604fdb0bf169b33216246ba1009c5e6d96e
(path not shown in this extract)
    Filesize: 210B
    MD5: 23a3068e89865ff7b66f29d4b208a205
    SHA1: 5dbd19b8b596a43a8595e917594dcf5c409ed3ba
    SHA256: 95e63659daff6f1a332f923cbe7a83e248be86b4d27b3e0cf1bdd3d8da2f800b
    SHA512: 9181ebc3fcfcff49d96e831c404f59eb7d114dba49ce1ff6eca4acd0d119b1e9fbbffbe562ec2a14a4cc3137686a93d255e1a68174000a79ecc6deb642ef659f
(path not shown in this extract)
    Filesize: 210B
    MD5: cdf4f8715806c7e7e5e2aaa9666f9c1a
    SHA1: a01811253b63cc8293d1a27f95ce90f1128206f4
    SHA256: 324575263209f94489e5a130449d7cdf30a0b618e0bc9565bf18d2e4aa37d8ac
    SHA512: fecf7bd3bc6c767430acb1367172015727a9cc117e9df676f842731d8bd26701a1cb26a9f9f8374677ef644d34c844d8dd933728e4ca3d168c27b6fb0ba15d6e
(path not shown in this extract)
    Filesize: 210B
    MD5: fbfb7a3736d1334111f92c369a83184a
    SHA1: 0ec8962316a4b8ef8ba55b179605dcc0282ae741
    SHA256: 61e85605b4978506731f249536f8fe059488116e388775e1af380e19391300fc
    SHA512: 1fa4a36f6419a811aa60412852c05586e48ae69a84362d4dd7bef89ffcb881bf3705bac3405f2821e57fd296114c5bf333cad597f6e4409710bf123e52f0d416
(path not shown in this extract)
    Filesize: 210B
    MD5: e1eceaaa6297f2f8e13ae78bc668c528
    SHA1: e90afd241b4b3a25869d956e31c502b9a5551eec
    SHA256: 7b4d30e58f985d3f6ea88e1c4cf859f3b56b65a283e2d5e60d221bebc35f3647
    SHA512: 8639e731c5f9c117801a2dc13e01c7543b23d79a38e4f18cef31db45826e4e12a012e30e87fdc11101b327ff1157fd9355e3d9698a485a81f71e5725bd221f6b
(path not shown in this extract)
    Filesize: 210B
    MD5: e7e87489733d3a67b2af63bf489bdc17
    SHA1: 1ff9b05e1a1ff1c749241d599930d46521f3f54a
    SHA256: 232c717780b1db394f285fe9c6b2c9ecfbe21db36b3a3790a24e5304e61aec10
    SHA512: 7c127ef191bcdee6d8822fc95eb49d1a35a843701330191deeaf89f6af943820666568309e33c882304e4dc087975845d2eaa0b7db7dfa1b23867923eee9fb14
(path not shown in this extract)
    Filesize: 70KB
    MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
    SHA1: 1723be06719828dda65ad804298d0431f6aff976
    SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
    SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
(path not shown in this extract)
    Filesize: 210B
    MD5: 9f4dbecc083ef554ffc2611bb578a86d
    SHA1: b1de837d964fa13e73449fc4dcd4f0481e7c1978
    SHA256: a9dfb5fc73cf29438adb314a4448726b3da6404815edd3ee8a6be18c3ea908a9
    SHA512: 472f6da95c6cd8269ed30dd865da81c1bf864fb2f1b11fbc7d9b2b29cc19f5315d3fa8e5718e6622b2267e06fada653d2af2d6853d0c5259c34304794a6d0cfd
(path not shown in this extract)
    Filesize: 181KB
    MD5: 4ea6026cf93ec6338144661bf1202cd1
    SHA1: a1dec9044f750ad887935a01430bf49322fbdcb7
    SHA256: 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
    SHA512: 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
(path not shown in this extract)
    Filesize: 210B
    MD5: 6443f034a90fa60cad377972cc2a8e16
    SHA1: 5d7fad9dee0c4ce1d1a99e31b7d50c6b55ee1ca0
    SHA256: bdde615749d13723e604a7285c29aee8adb2ea6b5f93af13b2a5b88cae73ef6f
    SHA512: ef945fb05c2f25fe2fad8dd380dbde7f93851148da9e15ba27a53378503bc1b397f56e4701b98f3b0a873843e32e7b54ca2f3879912b86cf04a4052a342b89da
(path not shown in this extract)
    Filesize: 210B
    MD5: b34f3f5ea0853a938f4fcb7480dd0795
    SHA1: 50be7699413b1ad9904c4619ee4182bc2f56036f
    SHA256: f0b431a865d2ebf528b31190a4d5c94f6da0997d0615c371d7464b1b467f29d7
    SHA512: 7c32bdd252305f5be4ff1f03709b272334a6dc59a92ddb1e9e73a9dae9f28bb7b64bd7e324cbfb9a2f9013f4ae7d4b700782a56a47ca08a13f060348b3b86081
(path not shown in this extract)
    Filesize: 210B
    MD5: 3c1df9d60a2b1e2ac28e027c90776990
    SHA1: 87cb97957cc1f5cde9e256c2cd707879caa8043f
    SHA256: 08d1c5d38782bd83e84a0134e0f5c96301a3cab18ff333b06e5e190e691a4d69
    SHA512: 9d25735f92dc0f0d88fa233121d83c52d6ac00562928c046477a2fa55e9e3a713a444a78f8eb8510299bf9fa3273e10469eda6c5a842c515bcbe0d6ab7626d54
(path not shown in this extract)
    Filesize: 210B
    MD5: 1e7b3b6769ca9d79cb257fc1de5244d6
    SHA1: 0921061d89cf0578a13a5d4c96ddff9720e225ec
    SHA256: 4e57689c6f0b115497af8115160d11f87271a8943175dbac250a8fe900701410
    SHA512: 5b07bba7b0d87ac2cc8d31efdc82a2a08ae40c5ff39870d8bf3439908e3c1fe6460a16dddeb3ce9c9b66ee59fe16de754601d0307c08619ef202504ce39f6e9c
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize: 7KB
    MD5: 0ad7bb8252c971dd4a48cafc769059f7
    SHA1: 8d4b9a9e783856278458239bb6956a8cb1e241c4
    SHA256: 6ed9e90f30f3b30c8630ba044f32e06889db8fcb2b311eb4a0eeb27d01ed736c
    SHA512: 406cfe2a665e84d3977f23e268748718169f78f1c4f574da5f1c90c1d7ea93e757f17312d62784aa1bbb35d41907f4d022156ba96c037a1e14ca366757e9ba9e
(path not shown in this extract)
    Filesize: 36B
    MD5: 6783c3ee07c7d151ceac57f1f9c8bed7
    SHA1: 17468f98f95bf504cc1f83c49e49a78526b3ea03
    SHA256: 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
    SHA512: c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8
(path not shown in this extract)
    Filesize: 1.0MB
    MD5: bd31e94b4143c4ce49c17d3af46bcad0
    SHA1: f8c51ff3ff909531d9469d4ba1bbabae101853ff
    SHA256: b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
    SHA512: f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
(path not shown in this extract)
    Filesize: 197B
    MD5: 8088241160261560a02c84025d107592
    SHA1: 083121f7027557570994c9fc211df61730455bb5
    SHA256: 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
    SHA512: 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478