Analysis
max time kernel: 148s
max time network: 154s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 30/12/2024, 17:04
Behavioral task: behavioral1
Sample: JaffaCakes118_53f431a91c58a3f36b6a1fb9c931ec768dbc532ae96ab8c97a915c7921102fcd.exe
Resource: win7-20241010-en
Behavioral task: behavioral2
Sample: JaffaCakes118_53f431a91c58a3f36b6a1fb9c931ec768dbc532ae96ab8c97a915c7921102fcd.exe
Resource: win10v2004-20241007-en
General
Target: JaffaCakes118_53f431a91c58a3f36b6a1fb9c931ec768dbc532ae96ab8c97a915c7921102fcd.exe
Size: 1.3MB
MD5: 99bff74a5dba835a40bcaa394cbc8449
SHA1: 1b7abded27dff17ad1a9d5d8483eb2de5e4dbc88
SHA256: 53f431a91c58a3f36b6a1fb9c931ec768dbc532ae96ab8c97a915c7921102fcd
SHA512: 7329250bf460a8512a9640644bfd9769471422fb014073fb2dfdbe0def607970ad2d450d95baf88dc07a35426aef1fe729ed6a2f829578f67593ef6d6b5d003d
SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
DcRat
DarkCrystal (DC) is a .NET RAT active since June 2019 that is capable of loading additional plugins.
Dcrat family
YARA rule matches (resource: rule):
- behavioral1/files/0x0008000000016d69-12.dat: dcrat
- behavioral1/memory/2532-13-0x0000000001020000-0x0000000001130000-memory.dmp: dcrat
- behavioral1/memory/1496-37-0x0000000000FC0000-0x00000000010D0000-memory.dmp: dcrat
- behavioral1/memory/1456-221-0x00000000000A0000-0x00000000001B0000-memory.dmp: dcrat
- behavioral1/memory/2776-281-0x0000000000170000-0x0000000000280000-memory.dmp: dcrat
- behavioral1/memory/640-341-0x0000000001230000-0x0000000001340000-memory.dmp: dcrat
Process spawned unexpected child process (6 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
Rows (description; pid; pid_target; Process; procid_target):
- Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process; 2912; 2512; schtasks.exe; 35
- Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process; 3036; 2512; schtasks.exe; 35
- Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process; 2816; 2512; schtasks.exe; 35
- Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process; 2728; 2512; schtasks.exe; 35
- Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process; 2688; 2512; schtasks.exe; 35
- Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process; 2748; 2512; schtasks.exe; 35
Command and Scripting Interpreter: PowerShell (1 TTPs, 3 IoCs)
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
Rows (pid; Process):
- 2204; powershell.exe
- 1960; powershell.exe
- 2316; powershell.exe
Executes dropped EXE (10 IoCs)
Rows (pid; Process):
- 2532; DllCommonsvc.exe
- 1496; sppsvc.exe
- 1148; sppsvc.exe
- 1692; sppsvc.exe
- 1456; sppsvc.exe
- 2776; sppsvc.exe
- 640; sppsvc.exe
- 2848; sppsvc.exe
- 1068; sppsvc.exe
- 2580; sppsvc.exe
Loads dropped DLL (2 IoCs)
Rows (pid; Process):
- 2864; cmd.exe
- 2864; cmd.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 11 IoCs)
Rows (flow; ioc): flows 14, 21, 25, 35, 4, 9, 10, 32, 5, 17 and 28 all contacted raw.githubusercontent.com
Drops file in Program Files directory (3 IoCs)
Rows (description; ioc; Process):
- File opened for modification; C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\sppsvc.exe; DllCommonsvc.exe
- File created; C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\0a1fd5f707cd16; DllCommonsvc.exe
- File created; C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\sppsvc.exe; DllCommonsvc.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Rows (description; ioc; Process):
- Key opened; \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; WScript.exe
- Key opened; \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; cmd.exe
- Key opened; \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; JaffaCakes118_53f431a91c58a3f36b6a1fb9c931ec768dbc532ae96ab8c97a915c7921102fcd.exe
Scheduled Task/Job: Scheduled Task (1 TTPs, 6 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Rows (pid; Process):
- 2688; schtasks.exe
- 2748; schtasks.exe
- 2912; schtasks.exe
- 3036; schtasks.exe
- 2816; schtasks.exe
- 2728; schtasks.exe
Suspicious behavior: CmdExeWriteProcessMemorySpam (8 IoCs)
Rows (pid; Process):
- 1148; sppsvc.exe
- 1692; sppsvc.exe
- 1456; sppsvc.exe
- 2776; sppsvc.exe
- 640; sppsvc.exe
- 2848; sppsvc.exe
- 1068; sppsvc.exe
- 2580; sppsvc.exe
Suspicious behavior: EnumeratesProcesses (13 IoCs)
Rows (pid; Process):
- 2532; DllCommonsvc.exe
- 2316; powershell.exe
- 2204; powershell.exe
- 1960; powershell.exe
- 1496; sppsvc.exe
- 1148; sppsvc.exe
- 1692; sppsvc.exe
- 1456; sppsvc.exe
- 2776; sppsvc.exe
- 640; sppsvc.exe
- 2848; sppsvc.exe
- 1068; sppsvc.exe
- 2580; sppsvc.exe
Suspicious use of AdjustPrivilegeToken (13 IoCs)
Rows (description; pid; Process):
- Token: SeDebugPrivilege; 2532; DllCommonsvc.exe
- Token: SeDebugPrivilege; 2316; powershell.exe
- Token: SeDebugPrivilege; 2204; powershell.exe
- Token: SeDebugPrivilege; 1960; powershell.exe
- Token: SeDebugPrivilege; 1496; sppsvc.exe
- Token: SeDebugPrivilege; 1148; sppsvc.exe
- Token: SeDebugPrivilege; 1692; sppsvc.exe
- Token: SeDebugPrivilege; 1456; sppsvc.exe
- Token: SeDebugPrivilege; 2776; sppsvc.exe
- Token: SeDebugPrivilege; 640; sppsvc.exe
- Token: SeDebugPrivilege; 2848; sppsvc.exe
- Token: SeDebugPrivilege; 1068; sppsvc.exe
- Token: SeDebugPrivilege; 2580; sppsvc.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Rows (description; pid; Process; procid_target), with identical consecutive rows collapsed into a count:
- PID 2188 wrote to memory of 1760; 2188; JaffaCakes118_53f431a91c58a3f36b6a1fb9c931ec768dbc532ae96ab8c97a915c7921102fcd.exe; 30 (4 times)
- PID 1760 wrote to memory of 2864; 1760; WScript.exe; 32 (4 times)
- PID 2864 wrote to memory of 2532; 2864; cmd.exe; 34 (4 times)
- PID 2532 wrote to memory of 2204; 2532; DllCommonsvc.exe; 42 (3 times)
- PID 2532 wrote to memory of 2316; 2532; DllCommonsvc.exe; 43 (3 times)
- PID 2532 wrote to memory of 1960; 2532; DllCommonsvc.exe; 46 (3 times)
- PID 2532 wrote to memory of 1496; 2532; DllCommonsvc.exe; 48 (5 times)
- PID 1496 wrote to memory of 968; 1496; sppsvc.exe; 49 (3 times)
- PID 968 wrote to memory of 2860; 968; cmd.exe; 51 (3 times)
- PID 968 wrote to memory of 1148; 968; cmd.exe; 52 (5 times)
- PID 1148 wrote to memory of 2084; 1148; sppsvc.exe; 53 (3 times)
- PID 2084 wrote to memory of 2956; 2084; cmd.exe; 55 (3 times)
- PID 2084 wrote to memory of 1692; 2084; cmd.exe; 56 (5 times)
- PID 1692 wrote to memory of 2972; 1692; sppsvc.exe; 57 (3 times)
- PID 2972 wrote to memory of 2368; 2972; cmd.exe; 59 (3 times)
- PID 2972 wrote to memory of 1456; 2972; cmd.exe; 60 (5 times)
- PID 1456 wrote to memory of 992; 1456; sppsvc.exe; 61 (3 times)
- PID 992 wrote to memory of 236; 992; cmd.exe; 63 (2 times)
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_53f431a91c58a3f36b6a1fb9c931ec768dbc532ae96ab8c97a915c7921102fcd.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_53f431a91c58a3f36b6a1fb9c931ec768dbc532ae96ab8c97a915c7921102fcd.exe"
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 2188
Level 2: C:\Windows\SysWOW64\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 1760
Level 3: C:\Windows\SysWOW64\cmd.exe
Command line: cmd /c ""C:\providercommon\1zu9dW.bat" "
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 2864
Level 4: C:\providercommon\DllCommonsvc.exe
Command line: "C:\providercommon\DllCommonsvc.exe"
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 2532
Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2204
Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\sppsvc.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2316
Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\cmd.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1960
Level 5: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\sppsvc.exe
Command line: "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\sppsvc.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 1496
Level 6: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8Lq6d7xQt2.bat"
- Suspicious use of WriteProcessMemory
PID: 968
Level 7: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 2860
Level 7: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\sppsvc.exe
Command line: "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\sppsvc.exe"
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 1148
Level 8: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\a1rZrAbBst.bat"
- Suspicious use of WriteProcessMemory
PID: 2084
Level 9: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 2956
Level 9: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\sppsvc.exe
Command line: "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\sppsvc.exe"
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 1692
Level 10: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\l7tVtcAquU.bat"
- Suspicious use of WriteProcessMemory
PID: 2972
Level 11: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 2368
Level 11: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\sppsvc.exe
Command line: "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\sppsvc.exe"
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 1456
Level 12: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\m1XclINWiF.bat"
- Suspicious use of WriteProcessMemory
PID: 992
Level 13: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 236
Level 13: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\sppsvc.exe
Command line: "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\sppsvc.exe"
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2776
Level 14: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jddtUB3Qwl.bat"
PID: 1560
Level 15: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 2312
Level 15: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\sppsvc.exe
Command line: "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\sppsvc.exe"
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 640
Level 16: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dekjrv1PTF.bat"
PID: 1528
Level 17: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 2820
Level 17: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\sppsvc.exe
Command line: "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\sppsvc.exe"
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2848
Level 18: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WM6x9zCNT5.bat"
PID: 1396
Level 19: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 2376
Level 19: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\sppsvc.exe
Command line: "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\sppsvc.exe"
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1068
Level 20: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OMiKQlKjHz.bat"
PID: 896
Level 21: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 1688
Level 21: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\sppsvc.exe
Command line: "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\sppsvc.exe"
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2580
Level 22: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kp2dTY47HA.bat"
PID: 1080
Level 23: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 3068
Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\sppsvc.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2912
Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\sppsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 3036
Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\sppsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2816
Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\cmd.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2728
Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\cmd.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2688
Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\cmd.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2748
Network
MITRE ATT&CK Enterprise v15
Downloads