Analysis
-
Max time kernel: 146s
Max time network: 142s
Platform: windows7_x64
Resource: win7-20240903-en
Resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
Submitted: 21-12-2024 18:44

Behavioral task: behavioral1
Sample: JaffaCakes118_d45d4d784123c3061ee72ee15013609475ab5c0a1900a911e7073ac53f12e0ac.exe
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: JaffaCakes118_d45d4d784123c3061ee72ee15013609475ab5c0a1900a911e7073ac53f12e0ac.exe
Resource: win10v2004-20241007-en

(The signatures, process tree and downloads below are from the behavioral1 run on win7-20240903-en.)

General
-
Target: JaffaCakes118_d45d4d784123c3061ee72ee15013609475ab5c0a1900a911e7073ac53f12e0ac.exe
Size: 1.3MB
MD5: de9d59b0b2e8f3b8d08f050fc91afda0
SHA1: 32979dea57a5fb6281d15156b98fbc6c4be0e6e0
SHA256: d45d4d784123c3061ee72ee15013609475ab5c0a1900a911e7073ac53f12e0ac
SHA512: e3792b664d012e0ab4b4117167ffbb169a76bcc27491f63298bfeaac67486d2f2535480c7e126a53669f3816cd884919741e9324897b44fdd4adf052974b8a09
SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Signatures
-
DcRat
DarkCrystal RAT (DCRat) is a .NET remote access trojan, active since June 2019, that can load additional plugins.
-
Dcrat family (10 yara matches)
resource | yara_rule
behavioral1/files/0x00060000000186f8-10.dat | dcrat
behavioral1/memory/2232-13-0x0000000000BC0000-0x0000000000CD0000-memory.dmp | dcrat
behavioral1/memory/904-52-0x0000000000A60000-0x0000000000B70000-memory.dmp | dcrat
behavioral1/memory/1876-111-0x0000000001370000-0x0000000001480000-memory.dmp | dcrat
behavioral1/memory/1796-290-0x0000000000290000-0x00000000003A0000-memory.dmp | dcrat
behavioral1/memory/1604-350-0x00000000008B0000-0x00000000009C0000-memory.dmp | dcrat
behavioral1/memory/1824-411-0x00000000000C0000-0x00000000001D0000-memory.dmp | dcrat
behavioral1/memory/1360-471-0x00000000000F0000-0x0000000000200000-memory.dmp | dcrat
behavioral1/memory/2628-531-0x0000000000AA0000-0x0000000000BB0000-memory.dmp | dcrat
behavioral1/memory/2820-591-0x0000000000CC0000-0x0000000000DD0000-memory.dmp | dcrat
-
Process spawned unexpected child process (9 IoCs)
In general this signature indicates that the parent process was compromised via an exploit or macro. Here the parent is WmiPrvSE.exe, the WMI provider host, so the nine schtasks.exe invocations were launched through WMI rather than directly by the sample: they appear at the top level of the process tree below instead of under DllCommonsvc.exe.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2624 | 2768 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2988 | 2768 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2972 | 2768 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2752 | 2768 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2592 | 2768 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2632 | 2768 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2396 | 2768 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3064 | 2768 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 320 | 2768 | schtasks.exe | 35
-
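The "Process spawned unexpected child process" signature above is a parent/child relationship check: WmiPrvSE.exe creating schtasks.exe. The following PowerShell is an added example, not part of the Tria.ge report, of how to run that same check against Sysmon Event ID 1 records. The wmiprvse.exe to schtasks.exe pair is taken from the report; the extra cmd.exe and powershell.exe children and the sample events are assumptions constructed for illustration, and the live-host path requires Sysmon and an elevated shell.

```powershell
# Added example (not from the Tria.ge report): flag process-creation events whose parent
# is WmiPrvSE.exe and whose child is schtasks.exe, the pair this report recorded nine times.
# Reads Sysmon Event ID 1 from a live host, or accepts constructed event objects so the
# matching logic can be exercised offline.

# Parent -> children that should not occur. wmiprvse.exe -> schtasks.exe is from the report;
# cmd.exe and powershell.exe under wmiprvse.exe are an assumed extension for illustration.
$UnexpectedChildren = @{
    'wmiprvse.exe' = @('schtasks.exe', 'cmd.exe', 'powershell.exe')
}

function Get-Leaf([string] $Path) {
    # Last path component, lower-cased; accepts both separators so it also works when
    # analysing exported logs on a non-Windows machine.
    return (($Path -split '[\\/]')[-1]).ToLowerInvariant()
}

function Get-SysmonProcessCreate {
    # Pull Sysmon Event ID 1 and read EventData fields by name (not by index), so the
    # projection survives Sysmon schema changes.
    param([int] $MaxEvents = 5000)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } -MaxEvents $MaxEvents |
        ForEach-Object {
            $fields = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                TimeCreated     = $_.TimeCreated
                ParentImage     = $fields['ParentImage']
                Image           = $fields['Image']
                ParentProcessId = [int]$fields['ParentProcessId']
                ProcessId       = [int]$fields['ProcessId']
                CommandLine     = $fields['CommandLine']
            }
        }
}

function Find-UnexpectedChild {
    # Emit one record per event whose (parent, child) pair is in $UnexpectedChildren.
    param([Parameter(Mandatory)] [object[]] $Events)
    foreach ($e in $Events) {
        $parent = Get-Leaf $e.ParentImage
        $child  = Get-Leaf $e.Image
        if ($UnexpectedChildren.ContainsKey($parent) -and ($UnexpectedChildren[$parent] -contains $child)) {
            [pscustomobject]@{
                ParentPid   = $e.ParentProcessId
                Parent      = $parent
                ChildPid    = $e.ProcessId
                Child       = $child
                CommandLine = $e.CommandLine
            }
        }
    }
}

# Constructed sample events: two modelled on the report's schtasks.exe entries (parent PID 2768
# is wmiprvse.exe in the report) plus one benign schtasks.exe launched from Explorer.
$SampleEvents = @(
    [pscustomobject]@{ ParentImage = 'C:\Windows\system32\wbem\wmiprvse.exe'; Image = 'C:\Windows\system32\schtasks.exe'
                       ParentProcessId = 2768; ProcessId = 2988
                       CommandLine = 'schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "''C:\Program Files\Windows Defender\DllCommonsvc.exe''" /rl HIGHEST /f' }
    [pscustomobject]@{ ParentImage = 'C:\Windows\system32\wbem\wmiprvse.exe'; Image = 'C:\Windows\system32\schtasks.exe'
                       ParentProcessId = 2768; ProcessId = 2396
                       CommandLine = 'schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "''C:\providercommon\smss.exe''" /f' }
    [pscustomobject]@{ ParentImage = 'C:\Windows\explorer.exe'; Image = 'C:\Windows\system32\schtasks.exe'
                       ParentProcessId = 1000; ProcessId = 1001
                       CommandLine = 'schtasks.exe /query /tn "Updater"' }   # assumed benign: Explorer is an expected parent
)

Find-UnexpectedChild -Events $SampleEvents | Format-Table -AutoSize   # two hits, both under wmiprvse.exe
# Live host: Find-UnexpectedChild -Events (Get-SysmonProcessCreate) | Format-Table -AutoSize
```

The point of matching on the parent rather than on schtasks.exe alone is that schtasks.exe itself is common on a healthy host; what is abnormal in this report is that the WMI provider host is the parent, and the command lines (shown in the process tree below) confirm the tasks point at the dropped binaries.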
Command and Scripting Interpreter: PowerShell (1 TTP, 4 IoCs)
Runs PowerShell to modify Windows Defender settings by adding exclusions (the signature covers file-extension, path and process exclusions). In this run all four invocations use Add-MpPreference -ExclusionPath to exempt the dropped binaries from scanning: DllCommonsvc.exe in C:\providercommon and in C:\Program Files\Windows Defender, Idle.exe in the user's Downloads folder, and smss.exe in C:\providercommon (see the process tree below).
pid | Process
1320 | powershell.exe
1756 | powershell.exe
1360 | powershell.exe
1704 | powershell.exe
-
Executes dropped EXE (11 IoCs)
pid | Process
2232 | DllCommonsvc.exe
904 | smss.exe
1876 | smss.exe
3060 | smss.exe
1812 | smss.exe
1796 | smss.exe
1604 | smss.exe
1824 | smss.exe
1360 | smss.exe
2628 | smss.exe
2820 | smss.exe
-
Loads dropped DLL (2 IoCs)
pid | Process
112 | cmd.exe
112 | cmd.exe
-
Legitimate hosting services abused for malware hosting/C2 (1 TTP, 10 IoCs)
flow | ioc
22 | raw.githubusercontent.com
26 | raw.githubusercontent.com
29 | raw.githubusercontent.com
33 | raw.githubusercontent.com
4 | raw.githubusercontent.com
9 | raw.githubusercontent.com
15 | raw.githubusercontent.com
5 | raw.githubusercontent.com
12 | raw.githubusercontent.com
19 | raw.githubusercontent.com
-
Drops file in Program Files directory (3 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files\Windows Defender\DllCommonsvc.exe | DllCommonsvc.exe
File created | C:\Program Files\Windows Defender\a76d7bf15d8370 | DllCommonsvc.exe
File created | C:\Program Files\Windows Defender\DllCommonsvc.exe | DllCommonsvc.exe
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_d45d4d784123c3061ee72ee15013609475ab5c0a1900a911e7073ac53f12e0ac.exe
-
Scheduled Task/Job: Scheduled Task (1 TTP, 9 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
2752 | schtasks.exe
2592 | schtasks.exe
2632 | schtasks.exe
2396 | schtasks.exe
2624 | schtasks.exe
2972 | schtasks.exe
320 | schtasks.exe
2988 | schtasks.exe
3064 | schtasks.exe
-
Suspicious behavior: EnumeratesProcesses (15 IoCs)
pid | Process
2232 | DllCommonsvc.exe
1360 | powershell.exe
1704 | powershell.exe
1320 | powershell.exe
1756 | powershell.exe
904 | smss.exe
1876 | smss.exe
3060 | smss.exe
1812 | smss.exe
1796 | smss.exe
1604 | smss.exe
1824 | smss.exe
1360 | smss.exe
2628 | smss.exe
2820 | smss.exe
-
Suspicious use of AdjustPrivilegeToken (15 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2232 | DllCommonsvc.exe
Token: SeDebugPrivilege | 1360 | powershell.exe
Token: SeDebugPrivilege | 1704 | powershell.exe
Token: SeDebugPrivilege | 1320 | powershell.exe
Token: SeDebugPrivilege | 1756 | powershell.exe
Token: SeDebugPrivilege | 904 | smss.exe
Token: SeDebugPrivilege | 1876 | smss.exe
Token: SeDebugPrivilege | 3060 | smss.exe
Token: SeDebugPrivilege | 1812 | smss.exe
Token: SeDebugPrivilege | 1796 | smss.exe
Token: SeDebugPrivilege | 1604 | smss.exe
Token: SeDebugPrivilege | 1824 | smss.exe
Token: SeDebugPrivilege | 1360 | smss.exe
Token: SeDebugPrivilege | 2628 | smss.exe
Token: SeDebugPrivilege | 2820 | smss.exe
-
Suspicious use of WriteProcessMemory (64 IoCs)
The 64 entries are grouped below by source/target pair; the last column is the number of times the pair was recorded.
description | pid | Process | procid_target | count
PID 2100 wrote to memory of 2300 | 2100 | JaffaCakes118_d45d4d784123c3061ee72ee15013609475ab5c0a1900a911e7073ac53f12e0ac.exe | 31 | 4
PID 2300 wrote to memory of 112 | 2300 | WScript.exe | 32 | 4
PID 112 wrote to memory of 2232 | 112 | cmd.exe | 34 | 4
PID 2232 wrote to memory of 1320 | 2232 | DllCommonsvc.exe | 45 | 3
PID 2232 wrote to memory of 1756 | 2232 | DllCommonsvc.exe | 46 | 3
PID 2232 wrote to memory of 1360 | 2232 | DllCommonsvc.exe | 47 | 3
PID 2232 wrote to memory of 1704 | 2232 | DllCommonsvc.exe | 49 | 3
PID 2232 wrote to memory of 2124 | 2232 | DllCommonsvc.exe | 53 | 3
PID 2124 wrote to memory of 3044 | 2124 | cmd.exe | 55 | 3
PID 2124 wrote to memory of 904 | 2124 | cmd.exe | 56 | 3
PID 904 wrote to memory of 3008 | 904 | smss.exe | 57 | 3
PID 3008 wrote to memory of 2400 | 3008 | cmd.exe | 59 | 3
PID 3008 wrote to memory of 1876 | 3008 | cmd.exe | 60 | 3
PID 1876 wrote to memory of 2892 | 1876 | smss.exe | 61 | 3
PID 2892 wrote to memory of 1992 | 2892 | cmd.exe | 63 | 3
PID 2892 wrote to memory of 3060 | 2892 | cmd.exe | 64 | 3
PID 3060 wrote to memory of 2428 | 3060 | smss.exe | 65 | 3
PID 2428 wrote to memory of 1320 | 2428 | cmd.exe | 67 | 3
PID 2428 wrote to memory of 1812 | 2428 | cmd.exe | 68 | 3
PID 1812 wrote to memory of 2116 | 1812 | smss.exe | 69 | 3
PID 2116 wrote to memory of 2080 | 2116 | cmd.exe | 71 | 1
-
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
Each entry gives the process depth in brackets (a process is the child of the nearest preceding entry one level up), the image path, the recorded command line, the signatures that fired for it, and its PID. Two things are worth reading off the tree directly: the dropped smss.exe copy relaunches itself from a fresh temporary .bat each time, with a w32tm.exe call in between (depths 6 to 24), and PIDs 1320 and 1360 appear twice because Windows reused them later in the run (w32tm.exe at depth 12 and smss.exe at depth 20). The nine schtasks.exe processes listed at depth 1 at the end were not started from the sample's own tree; their parent is C:\Windows\system32\wbem\wmiprvse.exe (see "Process spawned unexpected child process" above).

[1] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d45d4d784123c3061ee72ee15013609475ab5c0a1900a911e7073ac53f12e0ac.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d45d4d784123c3061ee72ee15013609475ab5c0a1900a911e7073ac53f12e0ac.exe"
    PID: 2100
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

[2] C:\Windows\SysWOW64\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
    PID: 2300
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

[3] C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c ""C:\providercommon\1zu9dW.bat" "
    PID: 112
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

[4] C:\providercommon\DllCommonsvc.exe
    Command line: "C:\providercommon\DllCommonsvc.exe"
    PID: 2232
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
    PID: 1320
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Defender\DllCommonsvc.exe'
    PID: 1756
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\Idle.exe'
    PID: 1360
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\smss.exe'
    PID: 1704
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

[5] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lKhhpQ3tH5.bat"
    PID: 2124
    - Suspicious use of WriteProcessMemory

[6] C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 3044

[6] C:\providercommon\smss.exe
    Command line: "C:\providercommon\smss.exe"
    PID: 904
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

[7] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6VAw4LgrmW.bat"
    PID: 3008
    - Suspicious use of WriteProcessMemory

[8] C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 2400

[8] C:\providercommon\smss.exe
    Command line: "C:\providercommon\smss.exe"
    PID: 1876
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

[9] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\z7AIE64VZ5.bat"
    PID: 2892
    - Suspicious use of WriteProcessMemory

[10] C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 1992

[10] C:\providercommon\smss.exe
    Command line: "C:\providercommon\smss.exe"
    PID: 3060
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

[11] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\arqkgCRh4V.bat"
    PID: 2428
    - Suspicious use of WriteProcessMemory

[12] C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 1320

[12] C:\providercommon\smss.exe
    Command line: "C:\providercommon\smss.exe"
    PID: 1812
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

[13] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\unLkZH0FaU.bat"
    PID: 2116
    - Suspicious use of WriteProcessMemory

[14] C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 2080

[14] C:\providercommon\smss.exe
    Command line: "C:\providercommon\smss.exe"
    PID: 1796
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

[15] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lBSBdtFHPx.bat"
    PID: 2616

[16] C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 2064

[16] C:\providercommon\smss.exe
    Command line: "C:\providercommon\smss.exe"
    PID: 1604
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

[17] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kRqsvBC5Qb.bat"
    PID: 1416

[18] C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 2328

[18] C:\providercommon\smss.exe
    Command line: "C:\providercommon\smss.exe"
    PID: 1824
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

[19] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0LMDaVm4bI.bat"
    PID: 1356

[20] C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 872

[20] C:\providercommon\smss.exe
    Command line: "C:\providercommon\smss.exe"
    PID: 1360
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

[21] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vad0LeRbBz.bat"
    PID: 2932

[22] C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 2776

[22] C:\providercommon\smss.exe
    Command line: "C:\providercommon\smss.exe"
    PID: 2628
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

[23] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5irhJyFUC1.bat"
    PID: 2044

[24] C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 1752

[24] C:\providercommon\smss.exe
    Command line: "C:\providercommon\smss.exe"
    PID: 2820
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Defender\DllCommonsvc.exe'" /f
    PID: 2624
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task

[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\DllCommonsvc.exe'" /rl HIGHEST /f
    PID: 2988
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task

[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Defender\DllCommonsvc.exe'" /rl HIGHEST /f
    PID: 2972
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task

[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Downloads\Idle.exe'" /f
    PID: 2752
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task

[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Admin\Downloads\Idle.exe'" /rl HIGHEST /f
    PID: 2592
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task

[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Downloads\Idle.exe'" /rl HIGHEST /f
    PID: 2632
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task

[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\providercommon\smss.exe'" /f
    PID: 2396
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task

[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f
    PID: 3064
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task

[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f
    PID: 320
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
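The four Add-MpPreference exclusions and the nine schtasks /create commands in the tree above are the persistence this sample leaves on a host, together with the files it drops under C:\providercommon and C:\Program Files\Windows Defender. The following PowerShell is an added example, not part of the Tria.ge report, that checks a host for exactly those artifacts and, with -Remove, deletes them. It assumes an elevated session on Windows with the Defender and ScheduledTasks modules available; the Admin profile path is the sandbox user's and stands in for each real user profile, and the function name is an arbitrary choice for this example.

```powershell
# Added example (not from the Tria.ge report): host triage for the persistence recorded in
# this run. Report-only by default; -Remove deletes what it finds (supports -WhatIf).
# Requires an elevated PowerShell with the Defender and ScheduledTasks modules.

# Paths from the four Add-MpPreference -ExclusionPath commands in the process tree.
# 'Admin' is the sandbox user: on a real host check every profile under C:\Users.
$ExclusionPaths = @(
    'C:\providercommon\DllCommonsvc.exe',
    'C:\Program Files\Windows Defender\DllCommonsvc.exe',
    'C:\Users\Admin\Downloads\Idle.exe',
    'C:\providercommon\smss.exe'
)
# Task names from the nine schtasks /create lines (ONLOGON tasks and MINUTE-interval tasks).
$TaskNames = @('DllCommonsvc', 'DllCommonsvcD', 'Idle', 'IdleI', 'smss', 'smsss')
# Files from the "Drops file in Program Files directory" signature and the process tree.
$DroppedFiles = @(
    'C:\providercommon\DllCommonsvc.exe',
    'C:\providercommon\smss.exe',
    'C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe',
    'C:\providercommon\1zu9dW.bat',
    'C:\Program Files\Windows Defender\DllCommonsvc.exe',
    'C:\Program Files\Windows Defender\a76d7bf15d8370'
)

function Invoke-DcRatTriage {
    # Function name is an arbitrary choice for this example.
    [CmdletBinding(SupportsShouldProcess)]
    param([switch] $Remove)

    $findings = @()

    # 1. Defender path exclusions. Get-MpPreference returns the current list; any entry that
    #    matches the report, or any exclusion for a file called smss.exe at all (the real one
    #    lives in System32 and never needs excluding), is a finding.
    $current = @((Get-MpPreference).ExclusionPath)
    foreach ($p in $current) {
        $known = $ExclusionPaths -contains $p
        $smss  = (($p -split '[\\/]')[-1]) -ieq 'smss.exe'
        if ($known -or $smss) {
            $findings += [pscustomobject]@{ Type = 'DefenderExclusion'; Item = $p }
            if ($Remove -and $PSCmdlet.ShouldProcess($p, 'Remove-MpPreference -ExclusionPath')) {
                Remove-MpPreference -ExclusionPath $p
            }
        }
    }

    # 2. Scheduled tasks by name, with the action they run so the finding is self-explanatory.
    foreach ($t in (Get-ScheduledTask -ErrorAction SilentlyContinue)) {
        if ($TaskNames -contains $t.TaskName) {
            $action = ($t.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
            $findings += [pscustomobject]@{ Type = 'ScheduledTask'; Item = "$($t.TaskPath)$($t.TaskName) -> $action" }
            if ($Remove -and $PSCmdlet.ShouldProcess($t.TaskName, 'Unregister-ScheduledTask')) {
                Unregister-ScheduledTask -TaskName $t.TaskName -TaskPath $t.TaskPath -Confirm:$false
            }
        }
    }

    # 3. Dropped files, hashed so they can be compared with the hashes in the report.
    #    Files are reported but not deleted: keep them for forensics and quarantine by hand.
    foreach ($f in $DroppedFiles) {
        if (Test-Path -LiteralPath $f) {
            $sha256 = (Get-FileHash -LiteralPath $f -Algorithm SHA256).Hash
            $findings += [pscustomobject]@{ Type = 'DroppedFile'; Item = "$f sha256=$sha256" }
        }
    }

    return $findings
}

# Report only:
Invoke-DcRatTriage | Format-Table -AutoSize
# Remove exclusions and tasks after reviewing the report: Invoke-DcRatTriage -Remove -WhatIf, then -Remove
```

Order matters when remediating: remove the Defender exclusions before touching the binaries, otherwise Defender still will not scan the dropped files, and unregister both task variants of each name (the ONLOGON task and the MINUTE-interval task), because either one is enough to relaunch the RAT.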
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 2146eeeeb23af3b1e097de2bc9953ec1
SHA1: 018afef5475003877085a503435555ee72b70305
SHA256: 2c467e08da50402079314b722abbb21839e434792e1b572f2771266b65072488
SHA512: b6b7e475c24f5b73e4fbe935c7f984bb95e55f58dfd1d21f1d2442893bd6aecac4dbaaa7eb76126c8210e9ada7b107570de644b166cf8c7cd658431fac7c197b
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: cf64ff796bd209268ba4893a6101bdb7
SHA1: 2e611d2da967d20dbb3f424f2669353bbce31a9d
SHA256: 1ae9978023a656fa279fc727f8e1244af47d3b3d7bc7031bfbed421b406edeb0
SHA512: 7924ada9a3080dc1a9898d6da2efaa5c70460a9312d3bc419e97d3469f144b422afa6c0f69e697d39a101e793127931ed96d35725569990f5a38c2ea555975e7
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: db95ea1cbe71d049d40e3e94ba6ef426
SHA1: 716fe15398b854b85e77eee238f63bca9dd16dba
SHA256: 23103c4f7b46170fafb30da62b65fcfbe3137cf23897d000cd066c2061390952
SHA512: 5f9f3eccfa6f4dd7aa5018892db8d70192d26fe713aa314ef0396ba65bd50ab5d8dffb95eb628564e3b6af999ce4ee9b53a4a343320638151a2a1a4a6b6a63de
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 041836d4014c7ffbbefbd55fda41da9a
SHA1: 982adbcbfb2ee3b0767a79fc442d553d88cff64b
SHA256: 04fb8f500376b422848bf05e817cc2573833c199810259bf6ecda93b370c75ee
SHA512: 9644864c656be1d8c9f8e02424ea794fb736e06bf0bb729b26de54140e83d97b8ea0d0b05cf9f1d09859a57983eb0e2a026016ac32da5baffcf4850f59e72d8d
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 9aed58c1c3699bfdf1882072ee5d0836
SHA1: a410a5220ac42fb5a665e07971716a8f11acbee3
SHA256: f2e1c1073a3e13ab6f79b23db0ea65b282004cb7b60423dbcd91146ea88e1c5e
SHA512: 56761b1318e76d768ead272ecfd7ea091da51e8b385244b8ce9e5d15c15b737220a6ee6124cb31e6c13fc5454a92f4c5db7ac77ebab912fba564b425f917e386
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 0e7db77a7418a62ac51ffb892da72de3
SHA1: 1ff83567a2b4c1a518b1651b5cfb6a89e960e91d
SHA256: 736881fca31dde8fbdc78a199d9520e95c787fc1028a8459ac924d7c3a139b28
SHA512: 826572f0b25d98b00c5bb3f1db808df87a7768c6e7ce7a6f8cb312705a3fcb34fbcf50a1ef6477e61f8decec6ab7d2611a96b525839c2af5b3e83d4d88bdb1b1
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: e8ed03e3142bc50d7a1d57370dff6ba7
SHA1: b0d73c74d3fc50ff96109c1179e7bb482af5894f
SHA256: 9d5edae9029cf850ecd25cddaa8fb7bde6c4b7c2583fb3fc55afeac6d5a4c886
SHA512: 07b60b223ce78527715cb197b29ac47f90c07a11e9b8df15a78f68817e2c175db91e66716bccbd5cce3f9962eb591167c92aa4d83ea9d9d6f8a44b2d54ff3199
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 7c009ef20a045a556cd41593f66b399d
SHA1: f78715d464d49f97f831bfe23f1d2403c807b34a
SHA256: 7429fabb268a4221d402103ae23cab3f2b0a8bb7369980f639075b508aae4cbf
SHA512: d050bf64189037da73fa69929cfef585b8360dd894ed7e16d2ddf4b2e0ad9930b051fa14f03fb1a686d7339a9916ea0b9c6cc48bc27ba2c3a9d3db890663ef63
-
Filesize: 191B
MD5: 23eeb741bf74b1fa7e7de0211c23e90b
SHA1: 1c15eb8b8a6f537f3cd80bf8f44f1a41ece71c8b
SHA256: ac6489b3155fdf75ac573eeaf0f0fbf2a39bd72ef841dd67a56b055f77885a9b
SHA512: ab70a55be5491c2a4c2181c38eca82f8a1c2b47dc749cdff90e409334fcd2e5fcca21d5a198e4aa6f71a047c020eb96c418cbd7705ef7a231d24a58419399810
-
Filesize: 191B
MD5: 9493a4f673dd57ef32037976e1e58c91
SHA1: 70916b8aba597a42751ab1bc8f4101f2622d628f
SHA256: 5ca647e49c7c2bfd8ab83b0bccd6bf29e67db2558f8ef08a6e0ff82159767f6a
SHA512: 524b3ab8bb7af3ef93d49da17f9a84b50428ee4e5738e751a827589ea724d8ece0be0eca45ac165c39bd93e2233f7248c40806dd65d873f6f523c5d4f4e26dde
-
Filesize: 191B
MD5: 1ad067de1389310c6ae639e1ba607616
SHA1: c52cd36842447c77d1f5bf62cfd16ed1359bd6e3
SHA256: b5c9699fb9827ffc22f8329e27ddaa28dad3d1c105282176fb1e49eb00a954c1
SHA512: 86aca427598c53f99f3afa9a687432247f6fea5f4426a068ccd244a5caf1f33fd87da608484635acd14ad76c25abc2c2e02ad2ebf2c28a7084085c633d6dfa05
-
Filesize: 70KB
MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1: 1723be06719828dda65ad804298d0431f6aff976
SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize: 181KB
MD5: 4ea6026cf93ec6338144661bf1202cd1
SHA1: a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256: 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512: 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize: 191B
MD5: 30e2070d53619322f07c2b74f31b45c9
SHA1: 80f7ae7039da1cc4f0aeda74c8a893e9b8f3f70c
SHA256: 11f2ad0dabb4b9e65e734d65ed30669fb39bf04d969d5931fe9dbf33bfa9d295
SHA512: 568d8acdac89d7c95eb096e0b0f37791694c59aff8690de351fe8b73daa042fef336e495c4d51d4af80bce14059e61b30a8dc1e45a981fe5a41bef398175841d
-
Filesize: 191B
MD5: 9e48b9a099d261ffe1e928af42c25a64
SHA1: c1273951731f051cd9b91e3c79896549d7b1fa4a
SHA256: 494e6646d8cd186ce5b6d1168dfc349d77daef5ec9125916322d56b2736b25eb
SHA512: e1fd1121baa10df5213c7d522f1c3eef851a66b294a3f8c5436743cefba202e208a7cccf57f85d95eb15d3b94bba61b019c116fe3de19d8940762653140d1da2
-
Filesize: 191B
MD5: 606612879d401e44c2a21b21db21a332
SHA1: eb32d734b36f3cb7ffb4a1082d2b872519d524d6
SHA256: 934677a222432e66a7ab5fce593122057c4a2f03c3a318e407538cf7d2186ee9
SHA512: 4a5f60af1d09bed5e11db7ecd040720739f2afc0c2689fe0b1d1f99f1c0c8ce625a299ffa4803f27eec6c27ce4361176bfc9fff8c682cb95a08d77f2cca4fcf7
-
Filesize: 191B
MD5: 3d2bc1cc17e277813045e4f1774063cf
SHA1: 5db9ed7874b624d13133e9a47c6b57cf10c3f357
SHA256: 64354c79c93bc47f0925b18d5462773879af294cbe0152159b1c829cdfded518
SHA512: f3b2e1b8dea0caa5e93a896754ff2b7a82ac6aa140c19533c80badf0c17e396e6a280ccb3669457363fa5f6ce24656cc73b8bdc77dd4b1a0f2c62022c35095ef
-
Filesize: 191B
MD5: f9d9c069c7932598712e1b8481a24daf
SHA1: 3cf73d3455779190180cccac4c8d90529835f058
SHA256: 7ca9ff24bc81610c930413cc865c012ca1a609fd26df5103019ec21e2439179c
SHA512: d9d32b2d941f62e090c0472afada61e3987185845c02129499c6f996447a450448bee823e5a3c2830ab2a03e7b3bd9f0d24d83c3ecf3064d6a9fc133f57ce161
-
Filesize: 191B
MD5: b57f876829564fddb0e733220a57ae7e
SHA1: 26f2ab7ed8305fac31f04c32536d2957a2f115f5
SHA256: 1ab4bf00613f28639db3fedff2afa30604e266046ab683feeed746b8fb7970d2
SHA512: 149da49723bf8b4b25e0574640615c3a73c8e85fca68ca0258003abcadd418c32fc7b52859d665cd72fa5342a0cefe40506b2584f7d94abe6b39f64bd7be1b4a
-
Filesize: 191B
MD5: f9f8d17887b84b60414a1582a85063e4
SHA1: 146c4a29d1f6842e78616099c8f057bbf5749a8a
SHA256: 0aa54ba2f24cdc87adabaed796a11b49109435c591a603e566b0b54d15ae6fef
SHA512: 0c2b972b18daf5a4de30beca3eb815dcd61bfae6a17d140f57286faa38a5fcc7f16ab1fe6f5e21a3cdcf09f5b33d98f154edd3bb2f94c5ef7c11528042b45da1
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\SIQF3MEKRQN8GZ6QIH6D.temp
Filesize: 7KB
MD5: 32081768ddc748cb6a6b54d177a28363
SHA1: 49611a96b4a0b771c0caae4edc42e9cb18194ecf
SHA256: 6d2f18d9a7ab2381e3188a2f1e5c546a605391a96ea61d33b042f79ce80f3789
SHA512: 4e43dd986f0e1c79ae8e05339a742cd689413a87af3d721af29ded39089a5c4778e0e0cab5662ef182d79816b4584830a1ab41a2f5dba778162baf19196964aa
-
Filesize: 36B
MD5: 6783c3ee07c7d151ceac57f1f9c8bed7
SHA1: 17468f98f95bf504cc1f83c49e49a78526b3ea03
SHA256: 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512: c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8
-
Filesize: 1.0MB
MD5: bd31e94b4143c4ce49c17d3af46bcad0
SHA1: f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256: b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512: f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
Filesize: 197B
MD5: 8088241160261560a02c84025d107592
SHA1: 083121f7027557570994c9fc211df61730455bb5
SHA256: 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA512: 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478