Analysis
- max time kernel: 147s
- max time network: 147s
- platform: windows7_x64
- resource: win7-20241023-en
- resource tags: arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
- submitted: 21-12-2024 22:48
Behavioral task behavioral1
- Sample: JaffaCakes118_49a4781e6ef37dba7b2fdd3f5ccefbb54768c9423c3b68e7fcc3de55806ef9e0.exe
- Resource: win7-20241023-en
Behavioral task behavioral2
- Sample: JaffaCakes118_49a4781e6ef37dba7b2fdd3f5ccefbb54768c9423c3b68e7fcc3de55806ef9e0.exe
- Resource: win10v2004-20241007-en
General
- Target: JaffaCakes118_49a4781e6ef37dba7b2fdd3f5ccefbb54768c9423c3b68e7fcc3de55806ef9e0.exe
- Size: 1.3MB
- MD5: 7e7e0230eecd94e3f3bd1cb11519fc7f
- SHA1: 5c7c9c010f0e8d7b2e55813d5b0e1d2bbff6a299
- SHA256: 49a4781e6ef37dba7b2fdd3f5ccefbb54768c9423c3b68e7fcc3de55806ef9e0
- SHA512: eb72fb90bb47e7d4b1d6411c1d5cd095802ebd3a89e5e03bd491ee9a33ef501c5e239c604997638dbde5b06f6162453e0f20ea9208e763c4ccc2c577aa9563c0
- SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
- DcRat
  DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
- Dcrat family
- Process spawned unexpected child process (9 IoCs)
  This typically indicates the parent process was compromised via an exploit or macro.
  description | pid | pid_target | Process | procid_target
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2980 | 2840 | schtasks.exe | 34
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2128 | 2840 | schtasks.exe | 34
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1196 | 2840 | schtasks.exe | 34
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2748 | 2840 | schtasks.exe | 34
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2688 | 2840 | schtasks.exe | 34
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2752 | 2840 | schtasks.exe | 34
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2532 | 2840 | schtasks.exe | 34
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2240 | 2840 | schtasks.exe | 34
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1760 | 2840 | schtasks.exe | 34
- 
  resource | yara_rule
  behavioral1/files/0x0008000000015d81-9.dat | dcrat
  behavioral1/memory/2228-13-0x0000000001190000-0x00000000012A0000-memory.dmp | dcrat
  behavioral1/memory/608-52-0x00000000000D0000-0x00000000001E0000-memory.dmp | dcrat
  behavioral1/memory/1984-112-0x0000000000990000-0x0000000000AA0000-memory.dmp | dcrat
  behavioral1/memory/748-232-0x0000000000A80000-0x0000000000B90000-memory.dmp | dcrat
  behavioral1/memory/556-293-0x0000000001160000-0x0000000001270000-memory.dmp | dcrat
  behavioral1/memory/2940-413-0x0000000001200000-0x0000000001310000-memory.dmp | dcrat
  behavioral1/memory/2088-533-0x0000000001390000-0x00000000014A0000-memory.dmp | dcrat
- Command and Scripting Interpreter: PowerShell (1 TTPs, 4 IoCs)
  Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  pid | Process
  1512 | powershell.exe
  2756 | powershell.exe
  2012 | powershell.exe
  748 | powershell.exe
- Executes dropped EXE (10 IoCs)
  pid | Process
  2228 | DllCommonsvc.exe
  608 | dwm.exe
  1984 | dwm.exe
  2688 | dwm.exe
  748 | dwm.exe
  556 | dwm.exe
  2748 | dwm.exe
  2940 | dwm.exe
  2228 | dwm.exe
  2088 | dwm.exe
- Loads dropped DLL (2 IoCs)
  pid | Process
  2928 | cmd.exe
  2928 | cmd.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 10 IoCs)
  flow | ioc
  5 | raw.githubusercontent.com
  13 | raw.githubusercontent.com
  16 | raw.githubusercontent.com
  19 | raw.githubusercontent.com
  22 | raw.githubusercontent.com
  29 | raw.githubusercontent.com
  33 | raw.githubusercontent.com
  4 | raw.githubusercontent.com
  26 | raw.githubusercontent.com
  9 | raw.githubusercontent.com
- Drops file in Program Files directory (3 IoCs)
  description | ioc | Process
  File created | C:\Program Files (x86)\Windows Mail\es-ES\wininit.exe | DllCommonsvc.exe
  File opened for modification | C:\Program Files (x86)\Windows Mail\es-ES\wininit.exe | DllCommonsvc.exe
  File created | C:\Program Files (x86)\Windows Mail\es-ES\56085415360792 | DllCommonsvc.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_49a4781e6ef37dba7b2fdd3f5ccefbb54768c9423c3b68e7fcc3de55806ef9e0.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
- Scheduled Task/Job: Scheduled Task (1 TTPs, 9 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  2748 | schtasks.exe
  2752 | schtasks.exe
  2240 | schtasks.exe
  2980 | schtasks.exe
  1196 | schtasks.exe
  2532 | schtasks.exe
  1760 | schtasks.exe
  2128 | schtasks.exe
  2688 | schtasks.exe
- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  pid | Process
  2228 | DllCommonsvc.exe
  2756 | powershell.exe
  2012 | powershell.exe
  748 | powershell.exe
  1512 | powershell.exe
  608 | dwm.exe
  1984 | dwm.exe
  2688 | dwm.exe
  748 | dwm.exe
  556 | dwm.exe
  2748 | dwm.exe
  2940 | dwm.exe
  2228 | dwm.exe
  2088 | dwm.exe
- Suspicious use of AdjustPrivilegeToken (14 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2228 | DllCommonsvc.exe
  Token: SeDebugPrivilege | 2756 | powershell.exe
  Token: SeDebugPrivilege | 2012 | powershell.exe
  Token: SeDebugPrivilege | 748 | powershell.exe
  Token: SeDebugPrivilege | 1512 | powershell.exe
  Token: SeDebugPrivilege | 608 | dwm.exe
  Token: SeDebugPrivilege | 1984 | dwm.exe
  Token: SeDebugPrivilege | 2688 | dwm.exe
  Token: SeDebugPrivilege | 748 | dwm.exe
  Token: SeDebugPrivilege | 556 | dwm.exe
  Token: SeDebugPrivilege | 2748 | dwm.exe
  Token: SeDebugPrivilege | 2940 | dwm.exe
  Token: SeDebugPrivilege | 2228 | dwm.exe
  Token: SeDebugPrivilege | 2088 | dwm.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  description | pid | Process | procid_target
  PID 2596 wrote to memory of 2308 | 2596 | JaffaCakes118_49a4781e6ef37dba7b2fdd3f5ccefbb54768c9423c3b68e7fcc3de55806ef9e0.exe | 30
  PID 2596 wrote to memory of 2308 | 2596 | JaffaCakes118_49a4781e6ef37dba7b2fdd3f5ccefbb54768c9423c3b68e7fcc3de55806ef9e0.exe | 30
  PID 2596 wrote to memory of 2308 | 2596 | JaffaCakes118_49a4781e6ef37dba7b2fdd3f5ccefbb54768c9423c3b68e7fcc3de55806ef9e0.exe | 30
  PID 2596 wrote to memory of 2308 | 2596 | JaffaCakes118_49a4781e6ef37dba7b2fdd3f5ccefbb54768c9423c3b68e7fcc3de55806ef9e0.exe | 30
  PID 2308 wrote to memory of 2928 | 2308 | WScript.exe | 31
  PID 2308 wrote to memory of 2928 | 2308 | WScript.exe | 31
  PID 2308 wrote to memory of 2928 | 2308 | WScript.exe | 31
  PID 2308 wrote to memory of 2928 | 2308 | WScript.exe | 31
  PID 2928 wrote to memory of 2228 | 2928 | cmd.exe | 33
  PID 2928 wrote to memory of 2228 | 2928 | cmd.exe | 33
  PID 2928 wrote to memory of 2228 | 2928 | cmd.exe | 33
  PID 2928 wrote to memory of 2228 | 2928 | cmd.exe | 33
  PID 2228 wrote to memory of 748 | 2228 | DllCommonsvc.exe | 44
  PID 2228 wrote to memory of 748 | 2228 | DllCommonsvc.exe | 44
  PID 2228 wrote to memory of 748 | 2228 | DllCommonsvc.exe | 44
  PID 2228 wrote to memory of 2756 | 2228 | DllCommonsvc.exe | 45
  PID 2228 wrote to memory of 2756 | 2228 | DllCommonsvc.exe | 45
  PID 2228 wrote to memory of 2756 | 2228 | DllCommonsvc.exe | 45
  PID 2228 wrote to memory of 2012 | 2228 | DllCommonsvc.exe | 46
  PID 2228 wrote to memory of 2012 | 2228 | DllCommonsvc.exe | 46
  PID 2228 wrote to memory of 2012 | 2228 | DllCommonsvc.exe | 46
  PID 2228 wrote to memory of 1512 | 2228 | DllCommonsvc.exe | 47
  PID 2228 wrote to memory of 1512 | 2228 | DllCommonsvc.exe | 47
  PID 2228 wrote to memory of 1512 | 2228 | DllCommonsvc.exe | 47
  PID 2228 wrote to memory of 2764 | 2228 | DllCommonsvc.exe | 52
  PID 2228 wrote to memory of 2764 | 2228 | DllCommonsvc.exe | 52
  PID 2228 wrote to memory of 2764 | 2228 | DllCommonsvc.exe | 52
  PID 2764 wrote to memory of 2368 | 2764 | cmd.exe | 54
  PID 2764 wrote to memory of 2368 | 2764 | cmd.exe | 54
  PID 2764 wrote to memory of 2368 | 2764 | cmd.exe | 54
  PID 2764 wrote to memory of 608 | 2764 | cmd.exe | 56
  PID 2764 wrote to memory of 608 | 2764 | cmd.exe | 56
  PID 2764 wrote to memory of 608 | 2764 | cmd.exe | 56
  PID 608 wrote to memory of 2208 | 608 | dwm.exe | 57
  PID 608 wrote to memory of 2208 | 608 | dwm.exe | 57
  PID 608 wrote to memory of 2208 | 608 | dwm.exe | 57
  PID 2208 wrote to memory of 2384 | 2208 | cmd.exe | 59
  PID 2208 wrote to memory of 2384 | 2208 | cmd.exe | 59
  PID 2208 wrote to memory of 2384 | 2208 | cmd.exe | 59
  PID 2208 wrote to memory of 1984 | 2208 | cmd.exe | 60
  PID 2208 wrote to memory of 1984 | 2208 | cmd.exe | 60
  PID 2208 wrote to memory of 1984 | 2208 | cmd.exe | 60
  PID 1984 wrote to memory of 2696 | 1984 | dwm.exe | 61
  PID 1984 wrote to memory of 2696 | 1984 | dwm.exe | 61
  PID 1984 wrote to memory of 2696 | 1984 | dwm.exe | 61
  PID 2696 wrote to memory of 2864 | 2696 | cmd.exe | 63
  PID 2696 wrote to memory of 2864 | 2696 | cmd.exe | 63
  PID 2696 wrote to memory of 2864 | 2696 | cmd.exe | 63
  PID 2696 wrote to memory of 2688 | 2696 | cmd.exe | 64
  PID 2696 wrote to memory of 2688 | 2696 | cmd.exe | 64
  PID 2696 wrote to memory of 2688 | 2696 | cmd.exe | 64
  PID 2688 wrote to memory of 1364 | 2688 | dwm.exe | 65
  PID 2688 wrote to memory of 1364 | 2688 | dwm.exe | 65
  PID 2688 wrote to memory of 1364 | 2688 | dwm.exe | 65
  PID 1364 wrote to memory of 1588 | 1364 | cmd.exe | 67
  PID 1364 wrote to memory of 1588 | 1364 | cmd.exe | 67
  PID 1364 wrote to memory of 1588 | 1364 | cmd.exe | 67
  PID 1364 wrote to memory of 748 | 1364 | cmd.exe | 68
  PID 1364 wrote to memory of 748 | 1364 | cmd.exe | 68
  PID 1364 wrote to memory of 748 | 1364 | cmd.exe | 68
  PID 748 wrote to memory of 1740 | 748 | dwm.exe | 69
  PID 748 wrote to memory of 1740 | 748 | dwm.exe | 69
  PID 748 wrote to memory of 1740 | 748 | dwm.exe | 69
  PID 1740 wrote to memory of 1716 | 1740 | cmd.exe | 71
- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_49a4781e6ef37dba7b2fdd3f5ccefbb54768c9423c3b68e7fcc3de55806ef9e0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_49a4781e6ef37dba7b2fdd3f5ccefbb54768c9423c3b68e7fcc3de55806ef9e0.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2596
Level 2: C:\Windows\SysWOW64\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2308
Level 3: C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c ""C:\providercommon\1zu9dW.bat" "
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2928
Level 4: C:\providercommon\DllCommonsvc.exe
  Command line: "C:\providercommon\DllCommonsvc.exe"
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2228
Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 748
Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\es-ES\wininit.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2756
Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\wininit.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2012
Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\dwm.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1512
Level 5: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DjfEt6epAa.bat"
  - Suspicious use of WriteProcessMemory
  PID: 2764
Level 6: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2368
Level 6: C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\dwm.exe
  Command line: "C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\dwm.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 608
Level 7: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pksuDlslcW.bat"
  - Suspicious use of WriteProcessMemory
  PID: 2208
Level 8: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2384
Level 8: C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\dwm.exe
  Command line: "C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\dwm.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1984
Level 9: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nDq7RH5Uwz.bat"
  - Suspicious use of WriteProcessMemory
  PID: 2696
Level 10: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2864
Level 10: C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\dwm.exe
  Command line: "C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\dwm.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2688
Level 11: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\95TPLp0dsP.bat"
  - Suspicious use of WriteProcessMemory
  PID: 1364
Level 12: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 1588
Level 12: C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\dwm.exe
  Command line: "C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\dwm.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 748
Level 13: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FjqlTNZm6T.bat"
  - Suspicious use of WriteProcessMemory
  PID: 1740
Level 14: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 1716
Level 14: C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\dwm.exe
  Command line: "C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\dwm.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 556
Level 15: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bo4ZIAkpMj.bat"
  PID: 2948
Level 16: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2628
Level 16: C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\dwm.exe
  Command line: "C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\dwm.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2748
Level 17: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9EVEWoB6gn.bat"
  PID: 2028
Level 18: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 580
Level 18: C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\dwm.exe
  Command line: "C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\dwm.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2940
Level 19: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nGcIoKmMem.bat"
  PID: 2436
Level 20: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 1448
Level 20: C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\dwm.exe
  Command line: "C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\dwm.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2228
Level 21: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pksuDlslcW.bat"
  PID: 2596
Level 22: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 1560
Level 22: C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\dwm.exe
  Command line: "C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\dwm.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2088
Level 23: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\X5pWA5YIY7.bat"
  PID: 2484
Level 24: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2240
Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Mail\es-ES\wininit.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2980
Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\es-ES\wininit.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2128
Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Mail\es-ES\wininit.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1196
Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\wininit.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2748
Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2688
Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2752
Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\dwm.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2532
Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\dwm.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2240
Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\dwm.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1760
Network
MITRE ATT&CK Enterprise v15
Downloads