Analysis
max time kernel: 150s
max time network: 139s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 21-12-2024 20:18
Behavioral task
behavioral1
Sample
JaffaCakes118_54c697a6c87bf530998fd17ff51e87b09194bce09cc0647535815ae3ed1872f3.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
JaffaCakes118_54c697a6c87bf530998fd17ff51e87b09194bce09cc0647535815ae3ed1872f3.exe
Resource
win10v2004-20241007-en
General
Target: JaffaCakes118_54c697a6c87bf530998fd17ff51e87b09194bce09cc0647535815ae3ed1872f3.exe
Size: 1.3MB
MD5: 70a3a73630cf2f1b5e514f82589f7c69
SHA1: b8eb8c8de83226ef6411be5423cf1bc610b33a11
SHA256: 54c697a6c87bf530998fd17ff51e87b09194bce09cc0647535815ae3ed1872f3
SHA512: 183d92e6c120b610f95cfc3b025b0664c7f713b88e3aaff1fec916783566e5c579be9dd2dc504e56d2662a554731ca3a1def0647057df1cbd3bef4955292c895
SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
DcRat
DarkCrystal RAT (DCRat) is a .NET remote access trojan active since June 2019 that can load additional plugins at runtime.
Dcrat family
Process spawned unexpected child process 12 IoCs
This typically indicates the parent process was compromised via an exploit or macro. Here the parent is WmiPrvSE.exe, the WMI provider host: wmiprvse.exe spawning schtasks.exe is consistent with the dropper creating these processes through WMI (Win32_Process) rather than with an exploit of wmiprvse.exe itself, and it is why the twelve schtasks.exe instances appear at the top level of the process tree below instead of under DllCommonsvc.exe.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2628 | 2504 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2404 | 2504 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2984 | 2504 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2496 | 2504 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2800 | 2504 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2828 | 2504 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2864 | 2504 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1532 | 2504 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1700 | 2504 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1656 | 2504 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2252 | 2504 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2220 | 2504 | schtasks.exe | 34
resource | yara_rule
behavioral1/files/0x0009000000016009-9.dat | dcrat
behavioral1/memory/2668-13-0x0000000000EA0000-0x0000000000FB0000-memory.dmp | dcrat
behavioral1/memory/1516-37-0x0000000000C30000-0x0000000000D40000-memory.dmp | dcrat
behavioral1/memory/2208-118-0x0000000000E20000-0x0000000000F30000-memory.dmp | dcrat
behavioral1/memory/1944-179-0x00000000002B0000-0x00000000003C0000-memory.dmp | dcrat
behavioral1/memory/840-240-0x0000000001130000-0x0000000001240000-memory.dmp | dcrat
behavioral1/memory/2616-360-0x0000000001240000-0x0000000001350000-memory.dmp | dcrat
behavioral1/memory/2460-480-0x0000000000390000-0x00000000004A0000-memory.dmp | dcrat
behavioral1/memory/1652-540-0x0000000000E00000-0x0000000000F10000-memory.dmp | dcrat
behavioral1/memory/1032-600-0x0000000001390000-0x00000000014A0000-memory.dmp | dcrat
Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs
Runs PowerShell Add-MpPreference to add Windows Defender exclusions. The cmdlet can exclude paths, processes and file extensions; every invocation in this run adds an -ExclusionPath for one of the dropped binaries (see the command lines in the process tree below).
pid | Process
2400 | powershell.exe
1632 | powershell.exe
2568 | powershell.exe
1628 | powershell.exe
1500 | powershell.exe
Executes dropped EXE 13 IoCs
pid | Process
2668 | DllCommonsvc.exe
1516 | Idle.exe
2208 | Idle.exe
1944 | Idle.exe
840 | Idle.exe
348 | Idle.exe
2616 | Idle.exe
2240 | Idle.exe
2460 | Idle.exe
1652 | Idle.exe
1032 | Idle.exe
2432 | Idle.exe
1508 | Idle.exe
Loads dropped DLL 2 IoCs
pid | Process
2640 | cmd.exe
2640 | cmd.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs
flow | ioc
4 | raw.githubusercontent.com
5 | raw.githubusercontent.com
9 | raw.githubusercontent.com
12 | raw.githubusercontent.com
16 | raw.githubusercontent.com
20 | raw.githubusercontent.com
23 | raw.githubusercontent.com
27 | raw.githubusercontent.com
30 | raw.githubusercontent.com
34 | raw.githubusercontent.com
37 | raw.githubusercontent.com
41 | raw.githubusercontent.com
Drops file in Program Files directory 4 IoCs
description | ioc | Process
File created | C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\c5b4cb5e9653cc | DllCommonsvc.exe
File created | C:\Program Files\Windows Mail\en-US\conhost.exe | DllCommonsvc.exe
File created | C:\Program Files\Windows Mail\en-US\088424020bedd6 | DllCommonsvc.exe
File created | C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\services.exe | DllCommonsvc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of the victim in order to infer the geographical location of the host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_54c697a6c87bf530998fd17ff51e87b09194bce09cc0647535815ae3ed1872f3.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 12 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
2864 | schtasks.exe
1532 | schtasks.exe
1656 | schtasks.exe
2252 | schtasks.exe
2220 | schtasks.exe
2800 | schtasks.exe
2828 | schtasks.exe
2984 | schtasks.exe
2496 | schtasks.exe
1700 | schtasks.exe
2628 | schtasks.exe
2404 | schtasks.exe
Suspicious behavior: EnumeratesProcesses 20 IoCs
pid | Process
2668 | DllCommonsvc.exe
2668 | DllCommonsvc.exe
2668 | DllCommonsvc.exe
1632 | powershell.exe
1628 | powershell.exe
2568 | powershell.exe
1500 | powershell.exe
2400 | powershell.exe
1516 | Idle.exe
2208 | Idle.exe
1944 | Idle.exe
840 | Idle.exe
348 | Idle.exe
2616 | Idle.exe
2240 | Idle.exe
2460 | Idle.exe
1652 | Idle.exe
1032 | Idle.exe
2432 | Idle.exe
1508 | Idle.exe
Suspicious use of AdjustPrivilegeToken 18 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2668 | DllCommonsvc.exe
Token: SeDebugPrivilege | 1632 | powershell.exe
Token: SeDebugPrivilege | 1516 | Idle.exe
Token: SeDebugPrivilege | 1628 | powershell.exe
Token: SeDebugPrivilege | 2568 | powershell.exe
Token: SeDebugPrivilege | 1500 | powershell.exe
Token: SeDebugPrivilege | 2400 | powershell.exe
Token: SeDebugPrivilege | 2208 | Idle.exe
Token: SeDebugPrivilege | 1944 | Idle.exe
Token: SeDebugPrivilege | 840 | Idle.exe
Token: SeDebugPrivilege | 348 | Idle.exe
Token: SeDebugPrivilege | 2616 | Idle.exe
Token: SeDebugPrivilege | 2240 | Idle.exe
Token: SeDebugPrivilege | 2460 | Idle.exe
Token: SeDebugPrivilege | 1652 | Idle.exe
Token: SeDebugPrivilege | 1032 | Idle.exe
Token: SeDebugPrivilege | 2432 | Idle.exe
Token: SeDebugPrivilege | 1508 | Idle.exe
Suspicious use of WriteProcessMemory 64 IoCs
Each parent-to-child process creation is recorded here as three or four writes into the new child, so the 64 rows collapse to the parent/child edges below (rows = how many entries back each edge). The listing stops at 64 rows: the last edge, 2340 -> 348, shows a single row where every comparable edge shows three, so the table is cut off rather than complete.
description | pid | Process | procid_target | rows
PID 2688 wrote to memory of 2664 | 2688 | JaffaCakes118_54c697a6c87bf530998fd17ff51e87b09194bce09cc0647535815ae3ed1872f3.exe | 30 | 4
PID 2664 wrote to memory of 2640 | 2664 | WScript.exe | 31 | 4
PID 2640 wrote to memory of 2668 | 2640 | cmd.exe | 33 | 4
PID 2668 wrote to memory of 2400 | 2668 | DllCommonsvc.exe | 47 | 3
PID 2668 wrote to memory of 1632 | 2668 | DllCommonsvc.exe | 48 | 3
PID 2668 wrote to memory of 1500 | 2668 | DllCommonsvc.exe | 49 | 3
PID 2668 wrote to memory of 1628 | 2668 | DllCommonsvc.exe | 50 | 3
PID 2668 wrote to memory of 2568 | 2668 | DllCommonsvc.exe | 52 | 3
PID 2668 wrote to memory of 1516 | 2668 | DllCommonsvc.exe | 57 | 3
PID 1516 wrote to memory of 2468 | 1516 | Idle.exe | 58 | 3
PID 2468 wrote to memory of 1804 | 2468 | cmd.exe | 60 | 3
PID 2468 wrote to memory of 2208 | 2468 | cmd.exe | 61 | 3
PID 2208 wrote to memory of 1452 | 2208 | Idle.exe | 62 | 3
PID 1452 wrote to memory of 1300 | 1452 | cmd.exe | 64 | 3
PID 1452 wrote to memory of 1944 | 1452 | cmd.exe | 65 | 3
PID 1944 wrote to memory of 1740 | 1944 | Idle.exe | 66 | 3
PID 1740 wrote to memory of 2280 | 1740 | cmd.exe | 68 | 3
PID 1740 wrote to memory of 840 | 1740 | cmd.exe | 69 | 3
PID 840 wrote to memory of 2340 | 840 | Idle.exe | 70 | 3
PID 2340 wrote to memory of 2408 | 2340 | cmd.exe | 72 | 3
PID 2340 wrote to memory of 348 | 2340 | cmd.exe | 73 | 1
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
The number in brackets is the depth in the process tree; the line below each image path is its command line.

[1] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_54c697a6c87bf530998fd17ff51e87b09194bce09cc0647535815ae3ed1872f3.exe (PID 2688)
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_54c697a6c87bf530998fd17ff51e87b09194bce09cc0647535815ae3ed1872f3.exe"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
 [2] C:\Windows\SysWOW64\WScript.exe (PID 2664)
     "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
     - System Location Discovery: System Language Discovery
     - Suspicious use of WriteProcessMemory
  [3] C:\Windows\SysWOW64\cmd.exe (PID 2640)
      cmd /c ""C:\providercommon\1zu9dW.bat" "
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
   [4] C:\providercommon\DllCommonsvc.exe (PID 2668)
       "C:\providercommon\DllCommonsvc.exe"
       - Executes dropped EXE
       - Drops file in Program Files directory
       - Suspicious behavior: EnumeratesProcesses
       - Suspicious use of AdjustPrivilegeToken
       - Suspicious use of WriteProcessMemory
    [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2400)
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
    [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1632)
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dwm.exe'
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
    [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1500)
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\services.exe'
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
    [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1628)
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\en-US\conhost.exe'
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
    [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2568)
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\Idle.exe'
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
    [5] C:\providercommon\Idle.exe (PID 1516)
        "C:\providercommon\Idle.exe"
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
     [6] C:\Windows\System32\cmd.exe (PID 2468)
         "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yXZnhMCmO6.bat"
         - Suspicious use of WriteProcessMemory
      [7] C:\Windows\system32\w32tm.exe (PID 1804)
          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
      [7] C:\providercommon\Idle.exe (PID 2208)
          "C:\providercommon\Idle.exe"
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
       [8] C:\Windows\System32\cmd.exe (PID 1452)
           "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fBgHK1Vy37.bat"
           - Suspicious use of WriteProcessMemory
        [9] C:\Windows\system32\w32tm.exe (PID 1300)
            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        [9] C:\providercommon\Idle.exe (PID 1944)
            "C:\providercommon\Idle.exe"
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
         [10] C:\Windows\System32\cmd.exe (PID 1740)
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yyRUJOSyqo.bat"
              - Suspicious use of WriteProcessMemory
          [11] C:\Windows\system32\w32tm.exe (PID 2280)
               w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
          [11] C:\providercommon\Idle.exe (PID 840)
               "C:\providercommon\Idle.exe"
               - Executes dropped EXE
               - Suspicious behavior: EnumeratesProcesses
               - Suspicious use of AdjustPrivilegeToken
               - Suspicious use of WriteProcessMemory
           [12] C:\Windows\System32\cmd.exe (PID 2340)
                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\daA37ewxym.bat"
                - Suspicious use of WriteProcessMemory
            [13] C:\Windows\system32\w32tm.exe (PID 2408)
                 w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
            [13] C:\providercommon\Idle.exe (PID 348)
                 "C:\providercommon\Idle.exe"
                 - Executes dropped EXE
                 - Suspicious behavior: EnumeratesProcesses
                 - Suspicious use of AdjustPrivilegeToken
             [14] C:\Windows\System32\cmd.exe (PID 2404)
                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MsSi1KDKJG.bat"
              [15] C:\Windows\system32\w32tm.exe (PID 1088)
                   w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              [15] C:\providercommon\Idle.exe (PID 2616)
                   "C:\providercommon\Idle.exe"
                   - Executes dropped EXE
                   - Suspicious behavior: EnumeratesProcesses
                   - Suspicious use of AdjustPrivilegeToken
               [16] C:\Windows\System32\cmd.exe (PID 1312)
                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cSLzsZ1i8q.bat"
                [17] C:\Windows\system32\w32tm.exe (PID 1988)
                     w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                [17] C:\providercommon\Idle.exe (PID 2240)
                     "C:\providercommon\Idle.exe"
                     - Executes dropped EXE
                     - Suspicious behavior: EnumeratesProcesses
                     - Suspicious use of AdjustPrivilegeToken
                 [18] C:\Windows\System32\cmd.exe (PID 2464)
                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\djCrJd6RmA.bat"
                  [19] C:\Windows\system32\w32tm.exe (PID 612)
                       w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                  [19] C:\providercommon\Idle.exe (PID 2460)
                       "C:\providercommon\Idle.exe"
                       - Executes dropped EXE
                       - Suspicious behavior: EnumeratesProcesses
                       - Suspicious use of AdjustPrivilegeToken
                   [20] C:\Windows\System32\cmd.exe (PID 2524)
                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2wrSnsL5gc.bat"
                    [21] C:\Windows\system32\w32tm.exe (PID 2856)
                         w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                    [21] C:\providercommon\Idle.exe (PID 1652)
                         "C:\providercommon\Idle.exe"
                         - Executes dropped EXE
                         - Suspicious behavior: EnumeratesProcesses
                         - Suspicious use of AdjustPrivilegeToken
                     [22] C:\Windows\System32\cmd.exe (PID 2860)
                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kUVpzpaF2i.bat"
                      [23] C:\Windows\system32\w32tm.exe (PID 3068)
                           w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                      [23] C:\providercommon\Idle.exe (PID 1032)
                           "C:\providercommon\Idle.exe"
                           - Executes dropped EXE
                           - Suspicious behavior: EnumeratesProcesses
                           - Suspicious use of AdjustPrivilegeToken
                       [24] C:\Windows\System32\cmd.exe (PID 2312)
                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1hmmkqxEk5.bat"
                        [25] C:\Windows\system32\w32tm.exe (PID 1524)
                             w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                        [25] C:\providercommon\Idle.exe (PID 2432)
                             "C:\providercommon\Idle.exe"
                             - Executes dropped EXE
                             - Suspicious behavior: EnumeratesProcesses
                             - Suspicious use of AdjustPrivilegeToken
                         [26] C:\Windows\System32\cmd.exe (PID 296)
                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cwtcXGf4Cf.bat"
                          [27] C:\Windows\system32\w32tm.exe (PID 1216)
                               w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                          [27] C:\providercommon\Idle.exe (PID 1508)
                               "C:\providercommon\Idle.exe"
                               - Executes dropped EXE
                               - Suspicious behavior: EnumeratesProcesses
                               - Suspicious use of AdjustPrivilegeToken

The twelve schtasks.exe processes below have no parent inside the tree above; the "Process spawned unexpected child process" signature records their parent as C:\Windows\system32\wbem\wmiprvse.exe (PID 2504).

[1] C:\Windows\system32\schtasks.exe (PID 2628)
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dwm.exe'" /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
[1] C:\Windows\system32\schtasks.exe (PID 2404)
    schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dwm.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
[1] C:\Windows\system32\schtasks.exe (PID 2984)
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dwm.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
[1] C:\Windows\system32\schtasks.exe (PID 2496)
    schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\services.exe'" /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
[1] C:\Windows\system32\schtasks.exe (PID 2800)
    schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\services.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
[1] C:\Windows\system32\schtasks.exe (PID 2828)
    schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\services.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
[1] C:\Windows\system32\schtasks.exe (PID 2864)
    schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Mail\en-US\conhost.exe'" /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
[1] C:\Windows\system32\schtasks.exe (PID 1532)
    schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\en-US\conhost.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
[1] C:\Windows\system32\schtasks.exe (PID 1700)
    schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Mail\en-US\conhost.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
[1] C:\Windows\system32\schtasks.exe (PID 1656)
    schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\providercommon\Idle.exe'" /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
[1] C:\Windows\system32\schtasks.exe (PID 2252)
    schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
[1] C:\Windows\system32\schtasks.exe (PID 2220)
    schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
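The command lines in this tree carry the three behaviours worth turning into detections: PowerShell Add-MpPreference exclusions for the dropped binaries, schtasks /create launched with WmiPrvSE.exe as parent and pointing at copies of dwm.exe, conhost.exe and services.exe outside System32 (most with /rl HIGHEST), and w32tm /stripchart against localhost sitting between every batch file and the next Idle.exe launch, which reads as a short delay loop. The Python below is an added example, not part of the sandbox report or of DCRat: it runs four such rules over constructed process-creation events built from the command lines above plus two benign controls. The event fields image, parent_image and cmdline are an assumption modelled on Sysmon Event ID 1, and the SYSTEM_BINARIES name list is a choice made for this example; neither comes from the report.

```python
import ntpath
import re

# Constructed process-creation events modelled on the command lines in the tree
# above, plus two benign controls. Field names follow Sysmon Event ID 1 as an
# assumption; the report does not expose events in this shape.
EVENTS = [
    {"pid": 2400, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "parent_image": "C:\\providercommon\\DllCommonsvc.exe",
     "cmdline": "\"powershell\" -Command Add-MpPreference -ExclusionPath 'C:\\providercommon\\DllCommonsvc.exe'"},
    {"pid": 2404, "image": "C:\\Windows\\system32\\schtasks.exe",
     "parent_image": "C:\\Windows\\system32\\wbem\\wmiprvse.exe",
     "cmdline": "schtasks.exe /create /tn \"dwm\" /sc ONLOGON /tr \"'C:\\Recovery\\1f5748e2-69f6-11ef-b486-62cb582c238c\\dwm.exe'\" /rl HIGHEST /f"},
    {"pid": 2496, "image": "C:\\Windows\\system32\\schtasks.exe",
     "parent_image": "C:\\Windows\\system32\\wbem\\wmiprvse.exe",
     "cmdline": "schtasks.exe /create /tn \"servicess\" /sc MINUTE /mo 5 /tr \"'C:\\Program Files (x86)\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\services.exe'\" /f"},
    {"pid": 1804, "image": "C:\\Windows\\system32\\w32tm.exe",
     "parent_image": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2"},
    # benign controls: an ordinary scheduled task and an ordinary w32tm query
    {"pid": 4242, "image": "C:\\Windows\\System32\\schtasks.exe",
     "parent_image": "C:\\Windows\\explorer.exe",
     "cmdline": "schtasks /create /tn \"Backup\" /sc DAILY /st 02:00 /tr \"C:\\Tools\\backup.exe\""},
    {"pid": 4343, "image": "C:\\Windows\\system32\\w32tm.exe",
     "parent_image": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "w32tm /query /status"},
]

# Windows binary names that DCRat reuses under look-alike paths (example list);
# a task whose target carries one of these names outside System32 is the tell.
SYSTEM_BINARIES = {"dwm.exe", "conhost.exe", "services.exe", "svchost.exe",
                   "csrss.exe", "lsass.exe", "winlogon.exe", "explorer.exe"}
SYSTEM32 = "c:\\windows\\system32\\"

# A schtasks value is either "double-quoted" or a bare token. DCRat wraps the
# /tr path in single quotes inside the double quotes, so those are stripped too.
VALUE = r'(?:"([^"]*)"|(\S+))'


def schtasks_opt(cmdline, flag):
    """Value of one schtasks switch (e.g. '/tr'), or None if absent."""
    m = re.search(re.escape(flag) + r"\s+" + VALUE, cmdline, re.IGNORECASE)
    if not m:
        return None
    return (m.group(1) if m.group(1) is not None else m.group(2)).strip("'")


def parse_schtasks(cmdline):
    return {f: schtasks_opt(cmdline, "/" + f) for f in ("tn", "sc", "mo", "tr", "rl")}


def detect(events):
    """Apply the four rules; returns a list of (rule, pid, detail)."""
    hits = []
    for ev in events:
        image = ntpath.basename(ev["image"]).lower()
        parent = ntpath.basename(ev["parent_image"]).lower()
        cl = ev["cmdline"]
        if image == "powershell.exe":
            # Rule 1: Defender exclusion added from the command line
            m = re.search(r"Add-MpPreference\s+-Exclusion(Path|Process|Extension)\s+['\"]?([^'\"]+)", cl, re.I)
            if m:
                hits.append(("defender_exclusion", ev["pid"], f"{m.group(1)}: {m.group(2)}"))
        elif image == "schtasks.exe" and re.search(r"/create\b", cl, re.I):
            task = parse_schtasks(cl)
            # Rule 2: task creation whose parent is the WMI provider host
            if parent == "wmiprvse.exe":
                hits.append(("schtasks_via_wmi", ev["pid"], f"task {task['tn']} created under WmiPrvSE"))
            # Rule 3: task target masquerades as a system binary outside System32
            target = task["tr"] or ""
            if ntpath.basename(target).lower() in SYSTEM_BINARIES and not target.lower().startswith(SYSTEM32):
                hits.append(("masquerading_task", ev["pid"], f"{task['tn']} -> {target} (rl={task['rl']})"))
        elif image == "w32tm.exe" and parent == "cmd.exe" and re.search(r"/stripchart\s+/computer:localhost", cl, re.I):
            # Rule 4: w32tm polling loopback from a batch file, used as a sleep
            hits.append(("w32tm_sleep", ev["pid"], cl))
    return hits


if __name__ == "__main__":
    for rule, pid, detail in detect(EVENTS):
        print(f"{rule:<20} pid={pid:<5} {detail}")
```

Rule 2 is the most portable of the four: on a workstation there is rarely a legitimate reason for WmiPrvSE.exe to be the parent of schtasks.exe, and it does not depend on the task names, which DCRat builds vary.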
Network
MITRE ATT&CK Enterprise v15
Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 75b98d5489cefaf7dc344cf0d98f10a2
SHA1: 594b20eed4ffb3ba9ac8e52c00a49dc69ae385b7
SHA256: a0fbd7b4424370aa0a70e269cb7a6da3797d257ddc459510390358b754556650
SHA512: a87bd9db39c293adf20964f86df0bfb04014fd219f1c277018869b33b8b7ebeb5997835ad2bffe3f7c6836bf4e0bf8bd54bfcfe7b2368a6390308b7904852743

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 942c98a3a5cc7b2cfdde6bcfc93db327
SHA1: 669feaca51bea35bbe049ff17b2715535332a000
SHA256: bc6f149202b9c125a3a3e9d0758ad29c0a4fe1844b2c97a6d571d33281fe370e
SHA512: 619293c4646bb4a8faa286b0e8672c92ebbe19e9196581546b0e9f9c7ee6d871e7604b0964eafa6dc064535dfdfc55b44d2913125db3294b59a86b78c4a9bb6b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 82649cb339625359a942f047f81c4eb2
SHA1: 51fec31b45308afb24e10ff89e9a5a2067b9648d
SHA256: 58535ba53b9a8dc4a831631dfb5545b02c3549bc4b831265fccd54b251038045
SHA512: 9d342cd9c137abb214fd19ecd44fa702834523d61c374e656f813d01b59a4f3e8760d2e0420e595af340a45428cad1b0c714cdb21b1edda39b78d1e31a47766c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 0fe7ce3b468c6246a0987da4b5a15c8c
SHA1: 940b4d13ba2a553b9cb975f1e63c6657cda6080e
SHA256: 5e2632c3e851aa15c5a17bbf8156bca6633a961840d372bc1b0f080c74cabebb
SHA512: 2e3ac919848d9bd1c3ef2883eb5e21916dafea1cf1de962c3826624e7862089405e291cf9374060312f1a8e2315505083f3f2b94ab03638ca34978df248fc6c0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 596c80937251ee438573654ec6f5384b
SHA1: 5e73e2651051757257717ff30746ef9c290b0468
SHA256: 04ba6b9f36012b5e636f8e04b9f2e228f9ee268fa4ad9561b1e4d3dec34ab6c0
SHA512: 5b6e56d193a45a63856181d5beaeec06e979a37303dc6882e2b4f40cd9261226e878b881be67cfa6227a0d7d6215c7f985f953fca01c9be7022f33a9557c9dab

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 3945b3799a24c154764e84930bf8526c
SHA1: a97d324d45f26981809152ec96b783b65ee2d733
SHA256: ca702fc8390d748a0a32ae056efee40b5129ead8cab28590799e595d01d52994
SHA512: 1fb2a92f0de218687cac8477df89c6a1623df33e31497955d61ffbf28b1b31db22a65de10ab29fe2d8048e270cd0c2ac24e6d03e4502086dd2a236f638e41942

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 6186e2aacb0dfca8a5e9fab31acc44a9
SHA1: cdd69589da9f7976f9ba7323768b29dd26b0f246
SHA256: 856fa7cc9fd0208979acfd195737f7842bd849914d829dcda7fa54725ff1ef7d
SHA512: 0b004b525a5196411965e5fd1cf5d899051cfd597fdcb0c21de931d60e85dff5de9a6c5139b3181fac0454e20b379c2f09cbd93555a09e98a2409c4906a93887

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 5e4123a59d1e1d0999796e99c416d124
SHA1: 01541e9289fac24d4a7b4146d24ee1bd6e76bf9a
SHA256: 02e96c9c5cf9a5d23046deb3f54369e69bcdee435bc9d6137a8869c3ac15b2fd
SHA512: a5fb61d73fec4ee5dbf181c28778ddf23ce7209a1fc70c5dcd6489b66d61931c0d9dd5a5550c3e269cea36dd25225ff841b6229552161f581db097bde97e5878

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 79db483d90f26ce19bc7f0452753749a
SHA1: 5ca7ff844cb4fa38f9a3336c948904fa04abf9b2
SHA256: de89a1c579de9bcff0d3c289e4c4fd28c8125b677f521ab7166fc3ee12476301
SHA512: ff6e05acc35dd8542c29bc38de76614b569b463eac302bc3eee0fd8055947187862f1631db933fbc818c85749aa177e6fffad5c16371a01a9ac1f8fda914b2d2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: e8fce7e8b5fdc829f45d54c475c53b88
SHA1: b787bd535d9a8c7cb14c4d360d26bf361097e927
SHA256: 0dc9d556553c95039037ebb39b209ed77f969d05c9b9b12db81b1adaac424b42
SHA512: 654ecd5a2a5cbf73058c5c03f6a548427c7304d96ed68770ae218559b2d6c2ed00cdca390000e462e0f1a8ef106d71679b97fc40f1cbaa73c020d6ac72286d5d

(no path recorded)
Filesize: 191B
MD5: 096009fcc2ebf40b18d2f7a019565e91
SHA1: d0331025855ec7fd4ea4688230a486a7ae0998bd
SHA256: 005a5e673fe19e7df85d7b6eb2168f9333b63e3557d42b269e66167aa026acc4
SHA512: 07fd8ea2230e95e911116fec19a86923774832e5f1e685209d2766fa2bb0bd7ad9a7c94c08bddc42376def157da009b1dba7f4a2c8e0dfa8be6715cb821cca62

(no path recorded)
Filesize: 191B
MD5: 0311c9040508e0cc29d162e1e54728e4
SHA1: 5c3f296038a02ae833bf7a38467620d13ce2d853
SHA256: e250487ed76b36e6eb26ab5331bf77ff9ec6bad4eb1008d6d090541d94b43042
SHA512: 49587c1cb7ddcb25e2925c5792c0f8cfe07290f5a528ab5397a2e0336e1dd11ed095fca10f449e71850ae925c3187cceb732e4d03a86b7a5a9127046decde41d

(no path recorded)
Filesize: 70KB
MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1: 1723be06719828dda65ad804298d0431f6aff976
SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

(no path recorded)
Filesize: 191B
MD5: 9233eb8d55a6186095b88f8bb8d0c9ab
SHA1: bcfc13b4bcf4adacbf87602b13b40177128b00c5
SHA256: 35c16493734d28eba93c9f6a3efcad8cd8709fdadc971c73043fe5744d96216e
SHA512: 6462cf80d0ef9fe9037984c34fb689f5f0ef643dc1fa558f1d17fc435c04586f5072dd3d0d14fb46042aeb52bccd82b4f19f3899372a89d0815707abcbe7a94d

(no path recorded)
Filesize: 181KB
MD5: 4ea6026cf93ec6338144661bf1202cd1
SHA1: a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256: 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512: 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

(no path recorded)
Filesize: 191B
MD5: cb61d760d13fe097954dd1db5a3c35b1
SHA1: fd8ec6174594d3b85481243ac3023dabff7fd0f3
SHA256: c294654815d9f0b04fb180697a391e81bb2f7a3ae3b69d755d0437e6f2614bf2
SHA512: cbf262cdfcede7934d9c8dae0f7bbb48858a1883c199cd091755697075a025ccf5143698766ba2b46a5cdb6ebe9509bdcdafb7f19bd0ae0d229f7b5628a336da

(no path recorded)
Filesize: 191B
MD5: b29efd9297532b586e4354f574333e9c
SHA1: cbc1ae135654c1ec54e3ad1b11f334f485d4b05d
SHA256: 62a00a8c507c765472ce4341dcf3c81164649ce4b2f82075c068ecfebe671834
SHA512: 6a6c086b25f9df7a8e58ecf11dcf4e24dd93c394912d7235b4756a3587abce08ecdbf6751a16b0c9ada1b868d83194813940e09d8a15bcabb8185aa38ea448de

(no path recorded)
Filesize: 191B
MD5: 455eccc20c55530e7e06eb26f49397f0
SHA1: 13ce19a73c8590c7e72ab46540eae400cfb12429
SHA256: 0a1527f85b52625e94a966b9db53febaffa333ed38b1e1febdd7ba29ffe1f716
SHA512: e1489870187e7ea6c25634784ab3902e60b4d3885a33947f6f473dd97006ba62e53e680d0bf97d93e1c5eba6f988610366c371fa4e137b6a9d43158fb24e449a

(no path recorded)
Filesize: 191B
MD5: 5ab248cc7bc6bfe0029e30904fb439f6
SHA1: f37f650bc35838f20b0e4cc173b044ae63aca1c0
SHA256: e39ce2f8cfc11dab5e47696e628e475e57e0d7a5f019f44bbbb4b9255ae0a9d8
SHA512: 9415e7a3ad0ca5947d2fb0c7594a7989fcf1aa9c84ad3316c170e7c9ddfe20206e2d22a6e0cef1c88532e6875d3befa453f25a3245f602cdf7fe2de52a9086ea

(no path recorded)
Filesize: 191B
MD5: b0d2dd58c1523533730dade6f547e540
SHA1: 9a0ed61c7868034e9ffd9caef0a35730a16f93b1
SHA256: ad42566c195bd766ebdac02800b886175d95e6d91a796623ed787d973579f2c7
SHA512: cd08c10f5b9f83efdd0a3dab7a1598e5a183bebf9c18bbf7bc1348978389eeb81e6d337649e6b750727ad9e4f24e0d818490cd70f487f1a1d7d5434fd773d4a1

(no path recorded)
Filesize: 191B
MD5: 179321e0c1862d61c62092cd4abd1cf4
SHA1: 60262fc58c50992bbb22745b0fa8680ea7d12c6c
SHA256: cceb229fd5c30b4677fa4e0aa2cf874619cc362a5ede1f08ac0881f2584245b5
SHA512: abdda75afb29e3c8b990b0e5880ef22a579d8b70d085e02d828ca1a36b00f1870a8673793ac58f263c1e3daa85e2ce7b2f9cf962832bd92e618bf8bb926ffe20

(no path recorded)
Filesize: 191B
MD5: 651ed574c929e5825934bade510044f9
SHA1: f869ff066c39bd760008b67ded3cc325337dc79f
SHA256: 4c171474b5bce9e394fd1a9e1833ba0e9249ee7fdb1d319f7f2b2065b65c2726
SHA512: 20645d4a834fec235004b5650fe530b5147156b893a231b435bac1a317a250346aafedab36fe613070fae750034a543463928afa88c71d60927b7b942c93e62b

(no path recorded)
Filesize: 191B
MD5: 5293c91e402ec1b1efd77bf584842bbe
SHA1: d5b5e8bd6f1dfc05b99b0ed4f2408acdce0d510b
SHA256: 0b8b1919641df09c601c2c122dee71ae5aeee6193baa336fdc6aebd239ed9102
SHA512: 8005c8f2da8d24f4f4555d3d9348b053000c1aba76570d6c61630106a4d1cf52c4efa3ce77de00481849c7373a75368628ccc8dafd6b61deef059afda2e78eed

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize: 7KB
MD5: 4b2af6dbd1b2bb5c7174d5b9325f752c
SHA1: 79a879d9e825722e91836d7fbca15b42b03ef968
SHA256: 888117a97f7b244ac71743f53292b835c419bb4f6adb050437d1a8616e1c6b94
SHA512: 62084611a3b2bde591648c2a647e123179a512a106c38638181d6a294b52415bfe3a0e9a9daa422883a777fd9e9fb52524ecc5fd23df4538189b336ec30bb44e

(no path recorded)
Filesize: 36B
MD5: 6783c3ee07c7d151ceac57f1f9c8bed7
SHA1: 17468f98f95bf504cc1f83c49e49a78526b3ea03
SHA256: 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512: c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

(no path recorded)
Filesize: 197B
MD5: 8088241160261560a02c84025d107592
SHA1: 083121f7027557570994c9fc211df61730455bb5
SHA256: 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA512: 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

(no path recorded)
Filesize: 1.0MB
MD5: bd31e94b4143c4ce49c17d3af46bcad0
SHA1: f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256: b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512: f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394