Analysis
max time kernel
149s
max time network
145s
platform
windows7_x64
resource
win7-20240708-en
resource tags
arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted
21-12-2024 20:41
Behavioral task
behavioral1
Sample
JaffaCakes118_87d9f864331be955c76967b41393d770c1ff2f452c748a68b5c5c4408802449a.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
JaffaCakes118_87d9f864331be955c76967b41393d770c1ff2f452c748a68b5c5c4408802449a.exe
Resource
win10v2004-20241007-en
General
Target
JaffaCakes118_87d9f864331be955c76967b41393d770c1ff2f452c748a68b5c5c4408802449a.exe
Size
1.3MB
MD5
42651fff742c0a5e04db2916591aff08
SHA1
5574495235b5fcc6ec78b50b6adb9238c0aaca99
SHA256
87d9f864331be955c76967b41393d770c1ff2f452c748a68b5c5c4408802449a
SHA512
4c7ebc12c746fec891fb6a69d0f73ec8c1769b7abfb5bbd30bf6d1a0a9453fd217b89ea5dd79f8d141206f31025bf2cf269d5f0585c0152517c1241938b128a1
SSDEEP
24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
DcRat
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
Dcrat family
resource | yara_rule
behavioral1/files/0x0006000000018634-9.dat | dcrat
behavioral1/memory/2456-13-0x0000000000320000-0x0000000000430000-memory.dmp | dcrat
behavioral1/memory/1308-30-0x0000000000E40000-0x0000000000F50000-memory.dmp | dcrat
behavioral1/memory/2260-110-0x0000000000FE0000-0x00000000010F0000-memory.dmp | dcrat
behavioral1/memory/608-289-0x00000000013C0000-0x00000000014D0000-memory.dmp | dcrat
behavioral1/memory/2664-467-0x00000000003D0000-0x00000000004E0000-memory.dmp | dcrat
behavioral1/memory/1268-527-0x0000000001160000-0x0000000001270000-memory.dmp | dcrat
Process spawned unexpected child process 9 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2796 | 2724 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2068 | 2724 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2692 | 2724 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2660 | 2724 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2604 | 2724 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2636 | 2724 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2212 | 2724 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2052 | 2724 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2164 | 2724 | schtasks.exe | 34
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
pid | Process
1520 | powershell.exe
1108 | powershell.exe
768 | powershell.exe
876 | powershell.exe
Executes dropped EXE 11 IoCs
pid | Process
2456 | DllCommonsvc.exe
1308 | Idle.exe
2260 | Idle.exe
1136 | Idle.exe
1088 | Idle.exe
608 | Idle.exe
1952 | Idle.exe
2800 | Idle.exe
2664 | Idle.exe
1268 | Idle.exe
2092 | Idle.exe
Loads dropped DLL 2 IoCs
pid | Process
2364 | cmd.exe
2364 | cmd.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs
flow | ioc
5 | raw.githubusercontent.com
12 | raw.githubusercontent.com
15 | raw.githubusercontent.com
22 | raw.githubusercontent.com
25 | raw.githubusercontent.com
28 | raw.githubusercontent.com
31 | raw.githubusercontent.com
4 | raw.githubusercontent.com
18 | raw.githubusercontent.com
9 | raw.githubusercontent.com
Drops file in Program Files directory 4 IoCs
description | ioc | Process
File created | C:\Program Files (x86)\Windows Sidebar\es-ES\6ccacd8608530f | DllCommonsvc.exe
File created | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\explorer.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\7a0fd90576e088 | DllCommonsvc.exe
File created | C:\Program Files (x86)\Windows Sidebar\es-ES\Idle.exe | DllCommonsvc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_87d9f864331be955c76967b41393d770c1ff2f452c748a68b5c5c4408802449a.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 9 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
2212 | schtasks.exe
2052 | schtasks.exe
2164 | schtasks.exe
2796 | schtasks.exe
2068 | schtasks.exe
2636 | schtasks.exe
2692 | schtasks.exe
2660 | schtasks.exe
2604 | schtasks.exe
Suspicious behavior: EnumeratesProcesses 17 IoCs
pid | Process
2456 | DllCommonsvc.exe
2456 | DllCommonsvc.exe
2456 | DllCommonsvc.exe
768 | powershell.exe
1520 | powershell.exe
876 | powershell.exe
1108 | powershell.exe
1308 | Idle.exe
2260 | Idle.exe
1136 | Idle.exe
1088 | Idle.exe
608 | Idle.exe
1952 | Idle.exe
2800 | Idle.exe
2664 | Idle.exe
1268 | Idle.exe
2092 | Idle.exe
Suspicious use of AdjustPrivilegeToken 15 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2456 | DllCommonsvc.exe
Token: SeDebugPrivilege | 1308 | Idle.exe
Token: SeDebugPrivilege | 768 | powershell.exe
Token: SeDebugPrivilege | 1520 | powershell.exe
Token: SeDebugPrivilege | 876 | powershell.exe
Token: SeDebugPrivilege | 1108 | powershell.exe
Token: SeDebugPrivilege | 2260 | Idle.exe
Token: SeDebugPrivilege | 1136 | Idle.exe
Token: SeDebugPrivilege | 1088 | Idle.exe
Token: SeDebugPrivilege | 608 | Idle.exe
Token: SeDebugPrivilege | 1952 | Idle.exe
Token: SeDebugPrivilege | 2800 | Idle.exe
Token: SeDebugPrivilege | 2664 | Idle.exe
Token: SeDebugPrivilege | 1268 | Idle.exe
Token: SeDebugPrivilege | 2092 | Idle.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 1244 wrote to memory of 2524 | 1244 | JaffaCakes118_87d9f864331be955c76967b41393d770c1ff2f452c748a68b5c5c4408802449a.exe | 30
PID 1244 wrote to memory of 2524 | 1244 | JaffaCakes118_87d9f864331be955c76967b41393d770c1ff2f452c748a68b5c5c4408802449a.exe | 30
PID 1244 wrote to memory of 2524 | 1244 | JaffaCakes118_87d9f864331be955c76967b41393d770c1ff2f452c748a68b5c5c4408802449a.exe | 30
PID 1244 wrote to memory of 2524 | 1244 | JaffaCakes118_87d9f864331be955c76967b41393d770c1ff2f452c748a68b5c5c4408802449a.exe | 30
PID 2524 wrote to memory of 2364 | 2524 | WScript.exe | 31
PID 2524 wrote to memory of 2364 | 2524 | WScript.exe | 31
PID 2524 wrote to memory of 2364 | 2524 | WScript.exe | 31
PID 2524 wrote to memory of 2364 | 2524 | WScript.exe | 31
PID 2364 wrote to memory of 2456 | 2364 | cmd.exe | 33
PID 2364 wrote to memory of 2456 | 2364 | cmd.exe | 33
PID 2364 wrote to memory of 2456 | 2364 | cmd.exe | 33
PID 2364 wrote to memory of 2456 | 2364 | cmd.exe | 33
PID 2456 wrote to memory of 1520 | 2456 | DllCommonsvc.exe | 44
PID 2456 wrote to memory of 1520 | 2456 | DllCommonsvc.exe | 44
PID 2456 wrote to memory of 1520 | 2456 | DllCommonsvc.exe | 44
PID 2456 wrote to memory of 876 | 2456 | DllCommonsvc.exe | 45
PID 2456 wrote to memory of 876 | 2456 | DllCommonsvc.exe | 45
PID 2456 wrote to memory of 876 | 2456 | DllCommonsvc.exe | 45
PID 2456 wrote to memory of 768 | 2456 | DllCommonsvc.exe | 46
PID 2456 wrote to memory of 768 | 2456 | DllCommonsvc.exe | 46
PID 2456 wrote to memory of 768 | 2456 | DllCommonsvc.exe | 46
PID 2456 wrote to memory of 1108 | 2456 | DllCommonsvc.exe | 47
PID 2456 wrote to memory of 1108 | 2456 | DllCommonsvc.exe | 47
PID 2456 wrote to memory of 1108 | 2456 | DllCommonsvc.exe | 47
PID 2456 wrote to memory of 1308 | 2456 | DllCommonsvc.exe | 52
PID 2456 wrote to memory of 1308 | 2456 | DllCommonsvc.exe | 52
PID 2456 wrote to memory of 1308 | 2456 | DllCommonsvc.exe | 52
PID 1308 wrote to memory of 3040 | 1308 | Idle.exe | 54
PID 1308 wrote to memory of 3040 | 1308 | Idle.exe | 54
PID 1308 wrote to memory of 3040 | 1308 | Idle.exe | 54
PID 3040 wrote to memory of 1744 | 3040 | cmd.exe | 56
PID 3040 wrote to memory of 1744 | 3040 | cmd.exe | 56
PID 3040 wrote to memory of 1744 | 3040 | cmd.exe | 56
PID 3040 wrote to memory of 2260 | 3040 | cmd.exe | 57
PID 3040 wrote to memory of 2260 | 3040 | cmd.exe | 57
PID 3040 wrote to memory of 2260 | 3040 | cmd.exe | 57
PID 2260 wrote to memory of 1808 | 2260 | Idle.exe | 58
PID 2260 wrote to memory of 1808 | 2260 | Idle.exe | 58
PID 2260 wrote to memory of 1808 | 2260 | Idle.exe | 58
PID 1808 wrote to memory of 2244 | 1808 | cmd.exe | 60
PID 1808 wrote to memory of 2244 | 1808 | cmd.exe | 60
PID 1808 wrote to memory of 2244 | 1808 | cmd.exe | 60
PID 1808 wrote to memory of 1136 | 1808 | cmd.exe | 61
PID 1808 wrote to memory of 1136 | 1808 | cmd.exe | 61
PID 1808 wrote to memory of 1136 | 1808 | cmd.exe | 61
PID 1136 wrote to memory of 1108 | 1136 | Idle.exe | 62
PID 1136 wrote to memory of 1108 | 1136 | Idle.exe | 62
PID 1136 wrote to memory of 1108 | 1136 | Idle.exe | 62
PID 1108 wrote to memory of 1588 | 1108 | cmd.exe | 64
PID 1108 wrote to memory of 1588 | 1108 | cmd.exe | 64
PID 1108 wrote to memory of 1588 | 1108 | cmd.exe | 64
PID 1108 wrote to memory of 1088 | 1108 | cmd.exe | 65
PID 1108 wrote to memory of 1088 | 1108 | cmd.exe | 65
PID 1108 wrote to memory of 1088 | 1108 | cmd.exe | 65
PID 1088 wrote to memory of 2196 | 1088 | Idle.exe | 66
PID 1088 wrote to memory of 2196 | 1088 | Idle.exe | 66
PID 1088 wrote to memory of 2196 | 1088 | Idle.exe | 66
PID 2196 wrote to memory of 2892 | 2196 | cmd.exe | 68
PID 2196 wrote to memory of 2892 | 2196 | cmd.exe | 68
PID 2196 wrote to memory of 2892 | 2196 | cmd.exe | 68
PID 2196 wrote to memory of 608 | 2196 | cmd.exe | 69
PID 2196 wrote to memory of 608 | 2196 | cmd.exe | 69
PID 2196 wrote to memory of 608 | 2196 | cmd.exe | 69
PID 608 wrote to memory of 2712 | 608 | Idle.exe | 70
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
The bracketed number is each process's depth in the process tree; the signature hits recorded for that process follow its command line.
[1] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_87d9f864331be955c76967b41393d770c1ff2f452c748a68b5c5c4408802449a.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_87d9f864331be955c76967b41393d770c1ff2f452c748a68b5c5c4408802449a.exe"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 1244
[2] C:\Windows\SysWOW64\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 2524
[3] C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c ""C:\providercommon\1zu9dW.bat" "
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 2364
[4] C:\providercommon\DllCommonsvc.exe
    Command line: "C:\providercommon\DllCommonsvc.exe"
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 2456
[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1520
[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 876
[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\explorer.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 768
[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\es-ES\Idle.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1108
[5] C:\Program Files (x86)\Windows Sidebar\es-ES\Idle.exe
    Command line: "C:\Program Files (x86)\Windows Sidebar\es-ES\Idle.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 1308
[6] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yvlYFj4oEg.bat"
    - Suspicious use of WriteProcessMemory
    PID: 3040
[7] C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 1744
[7] C:\Program Files (x86)\Windows Sidebar\es-ES\Idle.exe
    Command line: "C:\Program Files (x86)\Windows Sidebar\es-ES\Idle.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 2260
[8] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\v9lJjcBPjH.bat"
    - Suspicious use of WriteProcessMemory
    PID: 1808
[9] C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 2244
[9] C:\Program Files (x86)\Windows Sidebar\es-ES\Idle.exe
    Command line: "C:\Program Files (x86)\Windows Sidebar\es-ES\Idle.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 1136
[10] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\o0FbW2pZd9.bat"
    - Suspicious use of WriteProcessMemory
    PID: 1108
[11] C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 1588
[11] C:\Program Files (x86)\Windows Sidebar\es-ES\Idle.exe
    Command line: "C:\Program Files (x86)\Windows Sidebar\es-ES\Idle.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 1088
[12] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hJP5Gj8VmP.bat"
    - Suspicious use of WriteProcessMemory
    PID: 2196
[13] C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 2892
[13] C:\Program Files (x86)\Windows Sidebar\es-ES\Idle.exe
    Command line: "C:\Program Files (x86)\Windows Sidebar\es-ES\Idle.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 608
[14] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\j95GpUP4tv.bat"
    PID: 2712
[15] C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 2680
[15] C:\Program Files (x86)\Windows Sidebar\es-ES\Idle.exe
    Command line: "C:\Program Files (x86)\Windows Sidebar\es-ES\Idle.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1952
[16] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5Yw7RONjUI.bat"
    PID: 2348
[17] C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 2884
[17] C:\Program Files (x86)\Windows Sidebar\es-ES\Idle.exe
    Command line: "C:\Program Files (x86)\Windows Sidebar\es-ES\Idle.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2800
[18] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gN51JOWfNX.bat"
    PID: 856
[19] C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 2444
[19] C:\Program Files (x86)\Windows Sidebar\es-ES\Idle.exe
    Command line: "C:\Program Files (x86)\Windows Sidebar\es-ES\Idle.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2664
[20] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DegeIw2hse.bat"
    PID: 2384
[21] C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 2516
[21] C:\Program Files (x86)\Windows Sidebar\es-ES\Idle.exe
    Command line: "C:\Program Files (x86)\Windows Sidebar\es-ES\Idle.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1268
[22] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZES4mQr7Bk.bat"
    PID: 2604
[23] C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 2640
[23] C:\Program Files (x86)\Windows Sidebar\es-ES\Idle.exe
    Command line: "C:\Program Files (x86)\Windows Sidebar\es-ES\Idle.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2092
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\providercommon\csrss.exe'" /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2796
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2068
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2692
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\explorer.exe'" /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2660
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\explorer.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2604
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\explorer.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2636
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Sidebar\es-ES\Idle.exe'" /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2212
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\es-ES\Idle.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2052
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Sidebar\es-ES\Idle.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2164
Network
MITRE ATT&CK Enterprise v15
Downloads