Analysis
max time kernel: 149s
max time network: 155s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
submitted: 30/12/2024, 17:35
Behavioral task: behavioral1
Sample: JaffaCakes118_3695249a5b66ea66c3bb26500d9cda42d019272c067c8aec807b28b557159a80.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: JaffaCakes118_3695249a5b66ea66c3bb26500d9cda42d019272c067c8aec807b28b557159a80.exe
Resource: win10v2004-20241007-en
General
Target: JaffaCakes118_3695249a5b66ea66c3bb26500d9cda42d019272c067c8aec807b28b557159a80.exe
Size: 1.3MB
MD5: bdf1836d55e8d69dd1ade0d54f78420a
SHA1: 6b43f821e5ab201f45cdd17824543fba22d9db6b
SHA256: 3695249a5b66ea66c3bb26500d9cda42d019272c067c8aec807b28b557159a80
SHA512: b6a7e3a9e312220c445e8f821377b8f6513db1358adfc4518445db1d82513eeb8c6a81749d0ac57adba805474cd15040506a5880acb032b84d059fd59f4eb592
SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
Dcrat family
  resource | yara_rule
  behavioral1/files/0x0008000000014510-11.dat | dcrat
  behavioral1/memory/2728-13-0x0000000000110000-0x0000000000220000-memory.dmp | dcrat
  behavioral1/memory/1888-58-0x00000000013C0000-0x00000000014D0000-memory.dmp | dcrat
  behavioral1/memory/2864-235-0x00000000001E0000-0x00000000002F0000-memory.dmp | dcrat
  behavioral1/memory/2156-296-0x0000000000220000-0x0000000000330000-memory.dmp | dcrat
  behavioral1/memory/2824-356-0x00000000010F0000-0x0000000001200000-memory.dmp | dcrat
  behavioral1/memory/2112-416-0x0000000001290000-0x00000000013A0000-memory.dmp | dcrat
Process spawned unexpected child process 12 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
  description | pid | pid_target | Process | procid_target
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2588 | 2432 | schtasks.exe | 32
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3044 | 2432 | schtasks.exe | 32
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2000 | 2432 | schtasks.exe | 32
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 536 | 2432 | schtasks.exe | 32
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 572 | 2432 | schtasks.exe | 32
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 584 | 2432 | schtasks.exe | 32
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1400 | 2432 | schtasks.exe | 32
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1804 | 2432 | schtasks.exe | 32
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2516 | 2432 | schtasks.exe | 32
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2824 | 2432 | schtasks.exe | 32
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2856 | 2432 | schtasks.exe | 32
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2828 | 2432 | schtasks.exe | 32
Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  pid | Process
  1924 | powershell.exe
  2656 | powershell.exe
  2864 | powershell.exe
  1676 | powershell.exe
  1592 | powershell.exe
Executes dropped EXE 11 IoCs
  pid | Process
  2728 | DllCommonsvc.exe
  1888 | lsm.exe
  1904 | lsm.exe
  572 | lsm.exe
  2864 | lsm.exe
  2156 | lsm.exe
  2824 | lsm.exe
  2112 | lsm.exe
  1976 | lsm.exe
  1196 | lsm.exe
  1940 | lsm.exe
Loads dropped DLL 2 IoCs
  pid | Process
  2424 | cmd.exe
  2424 | cmd.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs
  flow | ioc
  18 | raw.githubusercontent.com
  22 | raw.githubusercontent.com
  28 | raw.githubusercontent.com
  31 | raw.githubusercontent.com
  9 | raw.githubusercontent.com
  15 | raw.githubusercontent.com
  12 | raw.githubusercontent.com
  25 | raw.githubusercontent.com
  35 | raw.githubusercontent.com
  4 | raw.githubusercontent.com
  5 | raw.githubusercontent.com
Drops file in Program Files directory 4 IoCs
  description | ioc | Process
  File created | C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\lsm.exe | DllCommonsvc.exe
  File created | C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\101b941d020240 | DllCommonsvc.exe
  File created | C:\Program Files (x86)\Microsoft Sync Framework\spoolsv.exe | DllCommonsvc.exe
  File created | C:\Program Files (x86)\Microsoft Sync Framework\f3b6ecef712a24 | DllCommonsvc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_3695249a5b66ea66c3bb26500d9cda42d019272c067c8aec807b28b557159a80.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 12 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  1400 | schtasks.exe
  1804 | schtasks.exe
  2516 | schtasks.exe
  2588 | schtasks.exe
  3044 | schtasks.exe
  2000 | schtasks.exe
  536 | schtasks.exe
  572 | schtasks.exe
  584 | schtasks.exe
  2824 | schtasks.exe
  2856 | schtasks.exe
  2828 | schtasks.exe
Suspicious behavior: EnumeratesProcesses 18 IoCs
  pid | Process
  2728 | DllCommonsvc.exe
  2728 | DllCommonsvc.exe
  2728 | DllCommonsvc.exe
  1676 | powershell.exe
  2656 | powershell.exe
  1592 | powershell.exe
  1924 | powershell.exe
  2864 | powershell.exe
  1888 | lsm.exe
  1904 | lsm.exe
  572 | lsm.exe
  2864 | lsm.exe
  2156 | lsm.exe
  2824 | lsm.exe
  2112 | lsm.exe
  1976 | lsm.exe
  1196 | lsm.exe
  1940 | lsm.exe
Suspicious use of AdjustPrivilegeToken 16 IoCs
  description | pid | Process
  Token: SeDebugPrivilege | 2728 | DllCommonsvc.exe
  Token: SeDebugPrivilege | 1676 | powershell.exe
  Token: SeDebugPrivilege | 2656 | powershell.exe
  Token: SeDebugPrivilege | 1592 | powershell.exe
  Token: SeDebugPrivilege | 1924 | powershell.exe
  Token: SeDebugPrivilege | 2864 | powershell.exe
  Token: SeDebugPrivilege | 1888 | lsm.exe
  Token: SeDebugPrivilege | 1904 | lsm.exe
  Token: SeDebugPrivilege | 572 | lsm.exe
  Token: SeDebugPrivilege | 2864 | lsm.exe
  Token: SeDebugPrivilege | 2156 | lsm.exe
  Token: SeDebugPrivilege | 2824 | lsm.exe
  Token: SeDebugPrivilege | 2112 | lsm.exe
  Token: SeDebugPrivilege | 1976 | lsm.exe
  Token: SeDebugPrivilege | 1196 | lsm.exe
  Token: SeDebugPrivilege | 1940 | lsm.exe
Suspicious use of WriteProcessMemory 64 IoCs
  description | pid | Process | procid_target
  PID 2736 wrote to memory of 2548 | 2736 | JaffaCakes118_3695249a5b66ea66c3bb26500d9cda42d019272c067c8aec807b28b557159a80.exe | 28
  PID 2736 wrote to memory of 2548 | 2736 | JaffaCakes118_3695249a5b66ea66c3bb26500d9cda42d019272c067c8aec807b28b557159a80.exe | 28
  PID 2736 wrote to memory of 2548 | 2736 | JaffaCakes118_3695249a5b66ea66c3bb26500d9cda42d019272c067c8aec807b28b557159a80.exe | 28
  PID 2736 wrote to memory of 2548 | 2736 | JaffaCakes118_3695249a5b66ea66c3bb26500d9cda42d019272c067c8aec807b28b557159a80.exe | 28
  PID 2548 wrote to memory of 2424 | 2548 | WScript.exe | 29
  PID 2548 wrote to memory of 2424 | 2548 | WScript.exe | 29
  PID 2548 wrote to memory of 2424 | 2548 | WScript.exe | 29
  PID 2548 wrote to memory of 2424 | 2548 | WScript.exe | 29
  PID 2424 wrote to memory of 2728 | 2424 | cmd.exe | 31
  PID 2424 wrote to memory of 2728 | 2424 | cmd.exe | 31
  PID 2424 wrote to memory of 2728 | 2424 | cmd.exe | 31
  PID 2424 wrote to memory of 2728 | 2424 | cmd.exe | 31
  PID 2728 wrote to memory of 1924 | 2728 | DllCommonsvc.exe | 45
  PID 2728 wrote to memory of 1924 | 2728 | DllCommonsvc.exe | 45
  PID 2728 wrote to memory of 1924 | 2728 | DllCommonsvc.exe | 45
  PID 2728 wrote to memory of 1676 | 2728 | DllCommonsvc.exe | 46
  PID 2728 wrote to memory of 1676 | 2728 | DllCommonsvc.exe | 46
  PID 2728 wrote to memory of 1676 | 2728 | DllCommonsvc.exe | 46
  PID 2728 wrote to memory of 2656 | 2728 | DllCommonsvc.exe | 47
  PID 2728 wrote to memory of 2656 | 2728 | DllCommonsvc.exe | 47
  PID 2728 wrote to memory of 2656 | 2728 | DllCommonsvc.exe | 47
  PID 2728 wrote to memory of 2864 | 2728 | DllCommonsvc.exe | 48
  PID 2728 wrote to memory of 2864 | 2728 | DllCommonsvc.exe | 48
  PID 2728 wrote to memory of 2864 | 2728 | DllCommonsvc.exe | 48
  PID 2728 wrote to memory of 1592 | 2728 | DllCommonsvc.exe | 50
  PID 2728 wrote to memory of 1592 | 2728 | DllCommonsvc.exe | 50
  PID 2728 wrote to memory of 1592 | 2728 | DllCommonsvc.exe | 50
  PID 2728 wrote to memory of 1888 | 2728 | DllCommonsvc.exe | 55
  PID 2728 wrote to memory of 1888 | 2728 | DllCommonsvc.exe | 55
  PID 2728 wrote to memory of 1888 | 2728 | DllCommonsvc.exe | 55
  PID 1888 wrote to memory of 2020 | 1888 | lsm.exe | 56
  PID 1888 wrote to memory of 2020 | 1888 | lsm.exe | 56
  PID 1888 wrote to memory of 2020 | 1888 | lsm.exe | 56
  PID 2020 wrote to memory of 1104 | 2020 | cmd.exe | 58
  PID 2020 wrote to memory of 1104 | 2020 | cmd.exe | 58
  PID 2020 wrote to memory of 1104 | 2020 | cmd.exe | 58
  PID 2020 wrote to memory of 1904 | 2020 | cmd.exe | 59
  PID 2020 wrote to memory of 1904 | 2020 | cmd.exe | 59
  PID 2020 wrote to memory of 1904 | 2020 | cmd.exe | 59
  PID 1904 wrote to memory of 320 | 1904 | lsm.exe | 62
  PID 1904 wrote to memory of 320 | 1904 | lsm.exe | 62
  PID 1904 wrote to memory of 320 | 1904 | lsm.exe | 62
  PID 320 wrote to memory of 2168 | 320 | cmd.exe | 64
  PID 320 wrote to memory of 2168 | 320 | cmd.exe | 64
  PID 320 wrote to memory of 2168 | 320 | cmd.exe | 64
  PID 320 wrote to memory of 572 | 320 | cmd.exe | 65
  PID 320 wrote to memory of 572 | 320 | cmd.exe | 65
  PID 320 wrote to memory of 572 | 320 | cmd.exe | 65
  PID 572 wrote to memory of 1640 | 572 | lsm.exe | 66
  PID 572 wrote to memory of 1640 | 572 | lsm.exe | 66
  PID 572 wrote to memory of 1640 | 572 | lsm.exe | 66
  PID 1640 wrote to memory of 2648 | 1640 | cmd.exe | 68
  PID 1640 wrote to memory of 2648 | 1640 | cmd.exe | 68
  PID 1640 wrote to memory of 2648 | 1640 | cmd.exe | 68
  PID 1640 wrote to memory of 2864 | 1640 | cmd.exe | 69
  PID 1640 wrote to memory of 2864 | 1640 | cmd.exe | 69
  PID 1640 wrote to memory of 2864 | 1640 | cmd.exe | 69
  PID 2864 wrote to memory of 632 | 2864 | lsm.exe | 70
  PID 2864 wrote to memory of 632 | 2864 | lsm.exe | 70
  PID 2864 wrote to memory of 632 | 2864 | lsm.exe | 70
  PID 632 wrote to memory of 2200 | 632 | cmd.exe | 72
  PID 632 wrote to memory of 2200 | 632 | cmd.exe | 72
  PID 632 wrote to memory of 2200 | 632 | cmd.exe | 72
  PID 632 wrote to memory of 2156 | 632 | cmd.exe | 73
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3695249a5b66ea66c3bb26500d9cda42d019272c067c8aec807b28b557159a80.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3695249a5b66ea66c3bb26500d9cda42d019272c067c8aec807b28b557159a80.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2736
Level 2: C:\Windows\SysWOW64\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2548
Level 3: C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c ""C:\providercommon\1zu9dW.bat" "
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2424
Level 4: C:\providercommon\DllCommonsvc.exe
  Command line: "C:\providercommon\DllCommonsvc.exe"
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2728
Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1924
Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\dllhost.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1676
Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Sync Framework\spoolsv.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2656
Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\winlogon.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2864
Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\lsm.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1592
Level 5: C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\lsm.exe
  Command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\lsm.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1888
Level 6: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\B7rL9EqqPR.bat"
  - Suspicious use of WriteProcessMemory
  PID: 2020
Level 7: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 1104
Level 7: C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\lsm.exe
  Command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\lsm.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1904
Level 8: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cYhs0sn2L6.bat"
  - Suspicious use of WriteProcessMemory
  PID: 320
Level 9: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2168
Level 9: C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\lsm.exe
  Command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\lsm.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 572
Level 10: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZES4mQr7Bk.bat"
  - Suspicious use of WriteProcessMemory
  PID: 1640
Level 11: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2648
Level 11: C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\lsm.exe
  Command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\lsm.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2864
Level 12: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GN1wkOWwnv.bat"
  - Suspicious use of WriteProcessMemory
  PID: 632
Level 13: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2200
Level 13: C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\lsm.exe
  Command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\lsm.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2156
Level 14: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EzJh52oHEl.bat"
  PID: 1780
Level 15: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2588
Level 15: C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\lsm.exe
  Command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\lsm.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2824
Level 16: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rBMLF9HJtT.bat"
  PID: 2828
Level 17: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 1840
Level 17: C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\lsm.exe
  Command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\lsm.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2112
Level 18: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\574RqM7W2b.bat"
  PID: 1468
Level 19: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2500
Level 19: C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\lsm.exe
  Command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\lsm.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1976
Level 20: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\n3vYZhDjEH.bat"
  PID: 2616
Level 21: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2704
Level 21: C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\lsm.exe
  Command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\lsm.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1196
Level 22: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4vfhrz6qhB.bat"
  PID: 2444
Level 23: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 1448
Level 23: C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\lsm.exe
  Command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\lsm.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1940
Level 24: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6SU00hIhBO.bat"
  PID: 1984
Level 25: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 1440
Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\dllhost.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2588
Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\dllhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 3044
Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\dllhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2000
Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\spoolsv.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 536
Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\spoolsv.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 572
Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\spoolsv.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 584
Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\winlogon.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1400
Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\winlogon.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1804
Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\winlogon.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2516
Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\lsm.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2824
Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\lsm.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2856
Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\lsm.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2828
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 1f47093b12971afdedfabc73c2dbb1f4
  SHA1: 2fa1aac4abbe6ea55b4fdb71da5b01774ff75dad
  SHA256: 93dea7f176087da791e4fba8ee8b453820aac19a46a7c84d3c1b853660092c23
  SHA512: 1b7284a5a83a184267da9bfecc532096715bc14727b0d8332ed6747588f48c494923f27754781fd9b91c948c96d43762f38bf7c47aeef91c06c5c36b91ebea7f
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 7a172bdce45adfcbebf067e800eacb2c
  SHA1: e78577ac83d85a762e46e53b98aa93efa8623771
  SHA256: d796e2517407f2f7adb5eeabf6ca56e87ae682c791aa32b4cdb69f1e2dd9f00a
  SHA512: f05dd7c4b086ff4f1b0cdf0fd98bbd42ad688ac7b76286f369876977eef76bc5e3545cd3e52f193731348d230082c96f54c14113734226f051f95a3d16a54a11
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: ac06d8bfd1829c69d9f26693f783590e
  SHA1: 5f0a78968056bb2a122b8085378bd79dc4804f03
  SHA256: cec80b7a0a04fec709c49a1252e329e3df9f9ca6c376cfd25a6724b6c6ff9551
  SHA512: 471d04dc57c2bb1e87c9363585bda4a2e90252e6cdc6f11d604f644b7705c28a94d59046e1b602b8a2f8e94ec1d47748e6e896457ad98b64066a2275682b33cd
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: a464d9f13966ee1245d8031790d4970c
  SHA1: 1d090c5c07e114e326aa71d985e9d31677a0d16e
  SHA256: ea3a39d29926c80b93c10169df8971a2c9ca478933025b8213e5c59e5c78209e
  SHA512: 2949448dfdbe771007121ff0a6589dc856187b0dff7ef336534917953b896f6db0d1c45ba1ea50c7b83431ef544360c5c6bd1a1ba8cd128427dc9d786bc37e41
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 0437fed401880d8a92b292a0c88424eb
  SHA1: ef4bf1f4572300c33e37c4a4775b821f65ba9555
  SHA256: 6fb2c0d99def370e6f7ac3ea09ce3bb3273d2fcb8211b952cf0e56cf52b1ac00
  SHA512: a4c04beefe47260be80aaf1d337d8ae016d42aeecf0849292c98284b97c9f55dc6b7f641ba230c4d50a46b8f7abf13d43ecd94214290c48679005092af37b165
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 348275e939ea04e6cbf1117aced99047
  SHA1: c8f24a76566bb0e3314a9f432de8e1b0e4f7dc12
  SHA256: 649a893ddce6d220e43e6c7c12d1fecd8bdb0942a4655c28b33a90bf2ee41d2e
  SHA512: 94cfb5a4e863952170bd49e988ef03c935b9a6100c5f87886951dd64d62ac3f9dd0b7413c7e8cac0ca26b3236f33556958c3fa74332f9e93fe1f6511dfc6413a
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 3861565c8008da40cfc2274fba092bcf
  SHA1: da88539a35c1ea8483a5a1e5437fc93a76dc752d
  SHA256: 361d1d85503d7e15ef35f303958de530991796d6817ceae8f0877a7fc1416085
  SHA512: 9e1477f337b9086971b4332e6536e8129949fcb58560af1a98410a10a1fef15ef7fd7f0d05b4c0fe346fe0f77e70ceca7e8b78604178323d5aa4596fa0ba0ac1
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 3ba39771646c25fe67d293933266c1d5
  SHA1: 1ed3324270a41a4f55a65c0365aa9dcbea81f89a
  SHA256: 966426ff26f91b2d4c094dd154eb2877bd385f86b36178eeafba7ba16b07ba6c
  SHA512: 73d6fb3f6df8767e96afc36ca5f6c60660f0ffac8e04f3325d7266c4d0a3a4c42413959f892c23ea5bbb50b5b4195c42f360b2c2690c4d832fff76a77d7b0159
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 12a8cf7dab4a10e4bc1ae8934aca20e4
  SHA1: 51849bd20a64bf788cf765e25fd6c06f21095ed9
  SHA256: c73961df43c842ab1ad0383e4f368ffef935fcbc9953aa5e7b9627b9b0684a9a
  SHA512: e55985541bac8e1dd10ad045115b9dab3b8957820d844474ca7c4b2b0284fd2a403db71b502e04772431661fec4209f702071b7695fba0b28d76bca4b0fc5199
- Filesize: 224B
  MD5: 4c23191cb2723aaac8c1b3915403596e
  SHA1: d77393a6fcfde0f98cb868e347b4ea45410659a5
  SHA256: e2f6079d179912fd256fb84bed1f4ca73c1e6a7fadc8e365534706d2c1c396cd
  SHA512: 827a042fd064e04594aa310e9756db775a39c2dda7b0f204e491dc91d7f4a4c65fc88aa45ca06167413690ac5e647804408af8a3a86de682562268a7a76de2cc
- Filesize: 224B
  MD5: 7fb230a90b1063d9891071105e44ecf3
  SHA1: 2e65ef3074090ad929d657b936d9855c0fd3f8ad
  SHA256: d545be5fa00bfe31fe6c68d73639055cb98084cd0e3d9c09396d54a28a6cfa43
  SHA512: 0587ba6f9c3b23725c822c4678e51ed38143b4dbafdb51f64336728407ee6a2220528b39e175acc16c89490e353f8ed5bf6de6c582d084a469bf2bc44c0c0f8e
- Filesize: 224B
  MD5: 9d2712aa07f058eb08ec24795422a9e1
  SHA1: 097134d5498fb5fd79c109f8eb64564fe51b6282
  SHA256: ff059dafd8b4852c3726059b0bfa18170cc76d939fcb77b51f6018b12013a936
  SHA512: 1105f666c22000e5d4f099b9f3ab07ec3d8d9eeefbb63ee2872b4b6b4f7d617ee36f698573f794bf7c17f6e7811fde3ac094d66500c73d51f4be4536e71af549
- Filesize: 224B
  MD5: 3da8f10510db7f5c12d71adbbd4e3b56
  SHA1: f0687fc956bc1b8a21c2de172e7924b38baac90c
  SHA256: 555bca69ec1d4cf4b5120fa460617b1e389f7c2d6e2e30228f06e96115cd7182
  SHA512: bb3a7a9b7fd54063d45c4730e225d37b4b830216a9b1a0004eb8436a31296e62e7d26d201f2c347e665c11351f21d24021f8426cd43ebbcfc534f76b31195669
- Filesize: 70KB
  MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
  SHA1: 1723be06719828dda65ad804298d0431f6aff976
  SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
  SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
- Filesize: 224B
  MD5: a77d7ad4be6f61d4a4bb8a08c621b6f8
  SHA1: 45160a4e6043cf2089b65b7f883e2ac6b19e706a
  SHA256: 165a4e298fc38d40e3a3a88ea288e4e3181dca76fc31b20baec5e039bc975e03
  SHA512: 823d541007439b2ac1e56346e2908521ea8110412793f4176af1d5fe80c1029fc3e2ae38ebd1e9af6831953e8faf7a123bdb9c0dd7ee759d0cf3f36e48314fe4
- Filesize: 224B
  MD5: 47699a6e2d620d8dea2dc1aed3cdf4b0
  SHA1: b48f092d5b2d201769a7906b075d9ec99321c5b6
  SHA256: a6eda2fe83df0d87bfeac90022fa6cee3058b9b189fa4604f94ab8ca2c410a66
  SHA512: 53ce1ac8b5a45fdcc816d26182e8dddb0b41eff04536fb3193369d55ea0fc2ba8fded72a6c71cff4fcce2615834aadf86c7c78445faad59f3f58802a64006948
- Filesize: 181KB
  MD5: 4ea6026cf93ec6338144661bf1202cd1
  SHA1: a1dec9044f750ad887935a01430bf49322fbdcb7
  SHA256: 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
  SHA512: 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
- Filesize: 224B
  MD5: 8374ddb745d5cb681cb46fd895c5d7bb
  SHA1: 64ccdc2f5aca33217cc729cd700c0a519696358f
  SHA256: 373e0437605efbdf6634694a2fb1a564cdc56d712fe5cbceaf1217ec71f7f1f4
  SHA512: 9095797fa23803e03ee73152ae69902f794b45c6afab761b7d484d5958ebccc56a1acdc4349f377bf75db80d99adfcda45fff7cce0262b0d7a92734050058876
- Filesize: 224B
  MD5: 7cf3ccfdec7dbf43b2ed6e0d06a00f23
  SHA1: 0c3341190a974932f1409aefb306ca693c2b3d6d
  SHA256: 6898045bbe492b69f160b003a559918a464f20891f076b378b972f23f4e5fdec
  SHA512: 1f900e97026da4730745b2dfc0d344662098b723d5ca5631c3ee982e65a3a5fb2b31a7eef2a16d2203fcb0f9b8b4f7d60656af7d133afe2f821d801da11e1781
- Filesize: 224B
  MD5: 8987af2bd5cff84a2e2c0b79ac594025
  SHA1: a548a152ce985e799ae3c104d7b221561bded484
  SHA256: cdc44eb53c6245b6a8f0d95e3eb327280d7a8b5c1c7c54b1ad6ca357a3dbed6c
  SHA512: b3903454dcf676faddb09eb47aa9adbec3b73cb439c2d9ad4fd1eed4d5b06044f136b8a1832229d90b62b2012b3a80f843570ddc74304e1df6d017445c4ef65d
- Filesize: 224B
  MD5: 2796ba88e9f32791da706702c3c23d26
  SHA1: 8544037a122c1357c5be760930c316e6f63a8100
  SHA256: f5fee2feb6caa17a2439d311c347f0cf3b437ed8aaf407ba9987fa04dabeb5f4
  SHA512: 593dd2483d3c9ccb5bf46ac27584dd04c9a71722f6a3a7d4bb6830c3e59c06eed0fe83035c666e8e5a2b815b037c8d890580c9e8adbbf736946889ffb1e6ac40
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\9R7A5I9UUNRR3WKV04RT.temp
  Filesize: 7KB
  MD5: 9a7103055d57d0b65fa8918cf6935d57
  SHA1: 83e7f901cc3ffae59cdb6cc2f5e5dffd127301c7
  SHA256: ffdf28d0fb7086168bc8977aeb961ed1fc38d1120881b0246c589453978540b5
  SHA512: f86bd312317b25223e8d7f8cc3252186bc3188c5f0539c3af77797e9a94af0c4641a2562070aa293ec9cafdafd5afe44d818400c812631077838a78b4b7c64ce
- Filesize: 36B
  MD5: 6783c3ee07c7d151ceac57f1f9c8bed7
  SHA1: 17468f98f95bf504cc1f83c49e49a78526b3ea03
  SHA256: 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
  SHA512: c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8
- Filesize: 197B
  MD5: 8088241160261560a02c84025d107592
  SHA1: 083121f7027557570994c9fc211df61730455bb5
  SHA256: 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
  SHA512: 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478
- Filesize: 1.0MB
  MD5: bd31e94b4143c4ce49c17d3af46bcad0
  SHA1: f8c51ff3ff909531d9469d4ba1bbabae101853ff
  SHA256: b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
  SHA512: f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394