Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system -
submitted
21-12-2024 23:48
Behavioral task
behavioral1
Sample
JaffaCakes118_15d96e72d4568c68fef818352a49d9ed6fd0f3cbd9356f07c7f5f0beda7d754f.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
JaffaCakes118_15d96e72d4568c68fef818352a49d9ed6fd0f3cbd9356f07c7f5f0beda7d754f.exe
Resource
win10v2004-20241007-en
General
-
Target
JaffaCakes118_15d96e72d4568c68fef818352a49d9ed6fd0f3cbd9356f07c7f5f0beda7d754f.exe
-
Size
1.3MB
-
MD5
b600d065f4f3f8a65d0dbbf6dd39bcfa
-
SHA1
0cfb2b3a49c26f267572d22edfe40d55e0b33b50
-
SHA256
15d96e72d4568c68fef818352a49d9ed6fd0f3cbd9356f07c7f5f0beda7d754f
-
SHA512
452704620311372b69bd65fbdc7a830163191b3480ac67a8478878e5a747137c05ee35e742ae56ad59197bf56acc4bf92c15ae3745d9fc0778c52be2d615c0b6
-
SSDEEP
24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal (DC) RAT is a .NET RAT, active since June 2019, that can load additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 15 IoCs
This typically indicates the parent process was compromised via an exploit or macro. Here the parent is wmiprvse.exe, the WMI provider host: any process created through WMI (Win32_Process.Create) is recorded with wmiprvse.exe as its parent, so this is consistent with the dropper having issued the schtasks commands through WMI rather than with wmiprvse.exe itself being exploited. Either way, wmiprvse.exe spawning schtasks.exe is a high-signal parent/child pair.
description: Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
Process: schtasks.exe; pid_target (parent): 3040; procid_target: 34
pid (child), 15 instances: 2592, 1048, 1876, 2884, 2892, 2988, 264, 2384, 1988, 1180, 332, 1588, 1212, 2848, 2756 -
resource | yara_rule
behavioral1/files/0x00070000000186fd-12.dat | dcrat
behavioral1/memory/2260-13-0x00000000011D0000-0x00000000012E0000-memory.dmp | dcrat
behavioral1/memory/2396-43-0x0000000000E60000-0x0000000000F70000-memory.dmp | dcrat
behavioral1/memory/2716-124-0x0000000001310000-0x0000000001420000-memory.dmp | dcrat
behavioral1/memory/2088-245-0x0000000000220000-0x0000000000330000-memory.dmp | dcrat
behavioral1/memory/2668-306-0x0000000000DD0000-0x0000000000EE0000-memory.dmp | dcrat
behavioral1/memory/620-366-0x0000000001360000-0x0000000001470000-memory.dmp | dcrat
behavioral1/memory/1196-426-0x0000000000150000-0x0000000000260000-memory.dmp | dcrat
behavioral1/memory/1996-486-0x0000000000390000-0x00000000004A0000-memory.dmp | dcrat -
Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs
Runs PowerShell to change Windows Defender settings by adding exclusions for file extensions, paths, or processes. In this run all six calls add path exclusions, one for each dropped executable, before that executable is launched.
pid (all powershell.exe): 1824, 1660, 548, 1744, 1444, 832 -
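The six Add-MpPreference calls recorded in the process tree each whitelist one dropped executable before it runs. The Python below is an added example, not part of the sandbox report or of the malware: it pulls such exclusions out of process-creation command lines and rates them. The command lines are constructed from this report plus two made-up variants (a comma-separated -ExclusionProcess/-ExclusionExtension call and a harmless Get-MpPreference); the suspicion rules (non-standard root directory, Windows binary names outside System32, executables under Reference Assemblies, user-writable paths) are the example author's choices, not sandbox signatures.

```python
"""Extract and rate Windows Defender exclusions added through PowerShell.

Added example, not part of the sandbox report. SAMPLE_CMDLINES is constructed:
the six Add-MpPreference command lines from this report's process tree plus
two made-up lines so the parser is exercised on forms the report does not
contain. In practice the lines come from Security 4688, Sysmon Event ID 1 or
EDR process-creation telemetry."""
import re
from dataclasses import dataclass, field
from pathlib import PureWindowsPath

SAMPLE_CMDLINES = [
    "\"powershell\" -Command Add-MpPreference -ExclusionPath 'C:\\providercommon\\DllCommonsvc.exe'",
    "\"powershell\" -Command Add-MpPreference -ExclusionPath 'C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\OSPPSVC.exe'",
    "\"powershell\" -Command Add-MpPreference -ExclusionPath 'C:\\providercommon\\wininit.exe'",
    "\"powershell\" -Command Add-MpPreference -ExclusionPath 'C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.en\\dllhost.exe'",
    "\"powershell\" -Command Add-MpPreference -ExclusionPath 'C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\ja\\Idle.exe'",
    "\"powershell\" -Command Add-MpPreference -ExclusionPath 'C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\wininit.exe'",
    # constructed variants, not from the report:
    "powershell -nop -w hidden -c \"Add-MpPreference -ExclusionProcess 'svchost.exe','C:\\Users\\Public\\a.exe' -ExclusionExtension .bat\"",
    "powershell -Command Get-MpPreference",
]

# One value: single-quoted, double-quoted, or a bare token; lists are comma separated.
_TOKEN = r"'[^']*'|\"[^\"]*\"|[^\s,'\"]+"
EXCLUSION_RE = re.compile(
    rf"-Exclusion(?P<kind>Path|Process|Extension)\s+(?P<values>(?:{_TOKEN})(?:\s*,\s*(?:{_TOKEN}))*)",
    re.IGNORECASE,
)
ADD_RE = re.compile(r"\bAdd-MpPreference\b", re.IGNORECASE)

# Binaries that only legitimately live in the Windows system directories.
SYSTEM_BINARIES = {"wininit.exe", "dllhost.exe", "svchost.exe", "csrss.exe",
                   "lsass.exe", "services.exe", "winlogon.exe", "smss.exe"}
SYSTEM_DIRS = {"c:\\windows\\system32", "c:\\windows\\syswow64"}
STANDARD_ROOTS = {"windows", "program files", "program files (x86)", "users", "programdata"}
USER_WRITABLE_MARKERS = {"public", "temp", "appdata"}


@dataclass
class Exclusion:
    kind: str
    value: str
    reasons: list = field(default_factory=list)


def assess(kind, value):
    """Reasons an exclusion deserves a second look (empty list = nothing odd)."""
    reasons = []
    if kind == "Extension":
        return [f"blanket exclusion of every {value} file"]
    p = PureWindowsPath(value)
    parts = [x.lower() for x in p.parts]
    name = p.name.lower()
    if kind == "Process" and p.parent == PureWindowsPath("."):
        reasons.append(f"process exclusion by bare name {name} matches that name in any directory")
    elif name in SYSTEM_BINARIES and str(p.parent).lower() not in SYSTEM_DIRS:
        reasons.append(f"{name} is a Windows binary name but the path is outside System32/SysWOW64")
    if p.drive and len(parts) > 1 and parts[1] not in STANDARD_ROOTS:
        reasons.append(f"top-level directory {p.parts[1]} is not a standard Windows root")
    if "reference assemblies" in parts and p.suffix.lower() == ".exe":
        reasons.append("executable under Reference Assemblies, which holds only reference DLLs")
    if USER_WRITABLE_MARKERS & set(parts):
        reasons.append("user-writable location")
    return reasons


def parse_exclusions(cmdlines):
    """Return every exclusion added by Add-MpPreference in the given command lines."""
    found = []
    for line in cmdlines:
        if not ADD_RE.search(line):
            continue
        for m in EXCLUSION_RE.finditer(line):
            kind = m.group("kind").capitalize()
            for raw in re.findall(_TOKEN, m.group("values")):
                value = raw.strip("'\"")
                found.append(Exclusion(kind, value, assess(kind, value)))
    return found


if __name__ == "__main__":
    for x in parse_exclusions(SAMPLE_CMDLINES):
        print(f"[{'SUSPECT' if x.reasons else 'ok'}] -Exclusion{x.kind} {x.value}")
        for r in x.reasons:
            print("    -", r)
```

Defender also records exclusion changes itself as Event ID 5007 in the Microsoft-Windows-Windows Defender/Operational log, and the effective list can be read from Get-MpPreference or from HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions. Parsing the command line catches the attempt even when tamper protection blocked the change.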
Executes dropped EXE 9 IoCs
pid | Process
2260 | DllCommonsvc.exe
2396, 2716, 2952, 2088, 2668, 620, 1196, 1996 | wininit.exe -
Loads dropped DLL 2 IoCs
pid | Process
2740 | cmd.exe (2 loads) -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 9 IoCs
flow | ioc
28, 4, 5, 25, 17, 21, 9, 10, 13 | raw.githubusercontent.com -
Drops file in Program Files directory 4 IoCs
description | ioc | Process
File created | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\ja\Idle.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\ja\6ccacd8608530f | DllCommonsvc.exe
File created | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\wininit.exe | DllCommonsvc.exe
File created | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\56085415360792 | DllCommonsvc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of the victim in order to infer the geographical location of the host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_15d96e72d4568c68fef818352a49d9ed6fd0f3cbd9356f07c7f5f0beda7d754f.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid (all schtasks.exe): 2988, 1988, 1588, 2884, 1876, 332, 2756, 1048, 1212, 2848, 264, 2892, 2384, 1180, 2592 -
Suspicious behavior: EnumeratesProcesses 19 IoCs
pid | Process
2260 | DllCommonsvc.exe (5 events)
1444, 1824, 832, 1660, 1744, 548 | powershell.exe
2396, 2716, 2952, 2088, 2668, 620, 1196, 1996 | wininit.exe -
Suspicious use of AdjustPrivilegeToken 15 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2260 | DllCommonsvc.exe
Token: SeDebugPrivilege | 1444, 1824, 832, 1660, 1744, 548 | powershell.exe
Token: SeDebugPrivilege | 2396, 2716, 2952, 2088, 2668, 620, 1196, 1996 | wininit.exe -
Suspicious use of WriteProcessMemory 64 IoCs
pid Process -> target pid (procid_target) [events]
2696 JaffaCakes118_15d96e72d4568c68fef818352a49d9ed6fd0f3cbd9356f07c7f5f0beda7d754f.exe -> 2768 (30) [4]
2768 WScript.exe -> 2740 (31) [4]
2740 cmd.exe -> 2260 (33) [4]
2260 DllCommonsvc.exe -> 1660 (50) [3]
2260 DllCommonsvc.exe -> 548 (51) [3]
2260 DllCommonsvc.exe -> 1744 (52) [3]
2260 DllCommonsvc.exe -> 1444 (53) [3]
2260 DllCommonsvc.exe -> 832 (54) [3]
2260 DllCommonsvc.exe -> 1824 (55) [3]
2260 DllCommonsvc.exe -> 2396 (62) [3]
2396 wininit.exe -> 2408 (63) [3]
2408 cmd.exe -> 2596 (65) [3]
2408 cmd.exe -> 2716 (66) [3]
2716 wininit.exe -> 696 (67) [3]
696 cmd.exe -> 2492 (69) [3]
696 cmd.exe -> 2952 (70) [3]
2952 wininit.exe -> 1716 (71) [3]
1716 cmd.exe -> 756 (73) [3]
1716 cmd.exe -> 2088 (74) [3]
2088 wininit.exe -> 2376 (76) [3]
2376 cmd.exe -> 2408 (78) [1]
Note that PID 2408 is first the cmd.exe at procid 63 and later the w32tm.exe target at procid 78: the PID was reused after the first process exited, so correlation across this list must use the procid (or process creation time), not the PID alone. -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
Depth in the tree is given in brackets; each entry's parent is the nearest preceding entry one level shallower.

[1] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_15d96e72d4568c68fef818352a49d9ed6fd0f3cbd9356f07c7f5f0beda7d754f.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_15d96e72d4568c68fef818352a49d9ed6fd0f3cbd9356f07c7f5f0beda7d754f.exe"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 2696

[2] C:\Windows\SysWOW64\WScript.exe
    cmdline: "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 2768

[3] C:\Windows\SysWOW64\cmd.exe
    cmdline: cmd /c ""C:\providercommon\1zu9dW.bat" "
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 2740

[4] C:\providercommon\DllCommonsvc.exe
    cmdline: "C:\providercommon\DllCommonsvc.exe"
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 2260

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1660

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 548

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\wininit.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1744

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\dllhost.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1444

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\ja\Idle.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 832

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\wininit.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1824

[5] C:\providercommon\wininit.exe
    cmdline: "C:\providercommon\wininit.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 2396

[6] C:\Windows\System32\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lE88gYdR15.bat"
    - Suspicious use of WriteProcessMemory
    PID: 2408

[7] C:\Windows\system32\w32tm.exe
    cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 2596

[7] C:\providercommon\wininit.exe
    cmdline: "C:\providercommon\wininit.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 2716

[8] C:\Windows\System32\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7kLsQlNPpi.bat"
    - Suspicious use of WriteProcessMemory
    PID: 696

[9] C:\Windows\system32\w32tm.exe
    cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 2492

[9] C:\providercommon\wininit.exe
    cmdline: "C:\providercommon\wininit.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 2952

[10] C:\Windows\System32\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EUl4QLAvAv.bat"
    - Suspicious use of WriteProcessMemory
    PID: 1716

[11] C:\Windows\system32\w32tm.exe
    cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 756

[11] C:\providercommon\wininit.exe
    cmdline: "C:\providercommon\wininit.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 2088

[12] C:\Windows\System32\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat"
    - Suspicious use of WriteProcessMemory
    PID: 2376

[13] C:\Windows\system32\w32tm.exe
    cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 2408

[13] C:\providercommon\wininit.exe
    cmdline: "C:\providercommon\wininit.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2668

[14] C:\Windows\System32\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6uMgbjYtd5.bat"
    PID: 1936

[15] C:\Windows\system32\w32tm.exe
    cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 1780

[15] C:\providercommon\wininit.exe
    cmdline: "C:\providercommon\wininit.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 620

[16] C:\Windows\System32\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rBMLF9HJtT.bat"
    PID: 2520

[17] C:\Windows\system32\w32tm.exe
    cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 2208

[17] C:\providercommon\wininit.exe
    cmdline: "C:\providercommon\wininit.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1196

[18] C:\Windows\System32\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kUc4JDtx8N.bat"
    PID: 2704

[19] C:\Windows\system32\w32tm.exe
    cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 1224

[19] C:\providercommon\wininit.exe
    cmdline: "C:\providercommon\wininit.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1996

The following schtasks.exe instances are recorded at depth 1; their parent is wmiprvse.exe (see the "Process spawned unexpected child process" signature above).

[1] C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2592

[1] C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 1048

[1] C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 1876

[1] C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\providercommon\wininit.exe'" /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2884

[1] C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\providercommon\wininit.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2892

[1] C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\providercommon\wininit.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2988

[1] C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\dllhost.exe'" /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 264

[1] C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\dllhost.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2384

[1] C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\dllhost.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 1988

[1] C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\ja\Idle.exe'" /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 1180

[1] C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\ja\Idle.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 332

[1] C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\ja\Idle.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 1588

[1] C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\wininit.exe'" /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 1212

[1] C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\wininit.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2848

[1] C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\wininit.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2756
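Three things in the tree above are worth turning into detection logic: the script chain (sample, then WScript.exe on a .vbe, then cmd.exe on a .bat, then DllCommonsvc.exe from C:\providercommon), the restart loop in which each wininit.exe copy runs a .bat from Temp that calls w32tm /stripchart (a command that takes several seconds and here serves as a sleep) before starting the next copy, and the 15 schtasks.exe children recorded under wmiprvse.exe. The Python below is an added example, not sandbox output or DcRat code. Its events are a constructed subset of this tree in a Sysmon Event ID 1 shape with made-up process GUIDs, intermediate wininit.exe/cmd.exe generations left out, and rule names chosen by the example author. Ancestry is keyed on the GUID rather than the PID because the report itself shows PID 2408 used first by a cmd.exe and later by a w32tm.exe.

```python
"""Process-tree triage for the patterns in this report (added example, not
sandbox output). EVENTS is a constructed subset of the report's tree in a
Sysmon Event ID 1 shape: process GUID (made up), PID, parent GUID/PID, image
and command line. PIDs and command lines follow the report, including PID 2408
being used first by cmd.exe and later by w32tm.exe; intermediate
wininit.exe/cmd.exe generations are left out."""
import re
from collections import defaultdict

SAMPLE = "JaffaCakes118_15d96e72d4568c68fef818352a49d9ed6fd0f3cbd9356f07c7f5f0beda7d754f.exe"
TEMP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"
W32TM = "w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2"


def ev(guid, pid, pguid, ppid, image, cmd):
    return {"guid": guid, "pid": pid, "pguid": pguid, "ppid": ppid, "image": image, "cmd": cmd}


EVENTS = [  # parents of g1 and g11 are outside the sample
    ev("g1", 2696, None, 0, TEMP + SAMPLE, f'"{TEMP}{SAMPLE}"'),
    ev("g2", 2768, "g1", 2696, "C:\\Windows\\SysWOW64\\WScript.exe",
       '"C:\\Windows\\System32\\WScript.exe" "C:\\providercommon\\yTUdeXjbLOhnrN32dgrxVg.vbe"'),
    ev("g3", 2740, "g2", 2768, "C:\\Windows\\SysWOW64\\cmd.exe", 'cmd /c ""C:\\providercommon\\1zu9dW.bat" "'),
    ev("g4", 2260, "g3", 2740, "C:\\providercommon\\DllCommonsvc.exe", '"C:\\providercommon\\DllCommonsvc.exe"'),
    ev("g5", 2396, "g4", 2260, "C:\\providercommon\\wininit.exe", '"C:\\providercommon\\wininit.exe"'),
    ev("g6", 2408, "g5", 2396, "C:\\Windows\\System32\\cmd.exe", f'"C:\\Windows\\System32\\cmd.exe" /C "{TEMP}lE88gYdR15.bat"'),
    ev("g7", 2596, "g6", 2408, "C:\\Windows\\system32\\w32tm.exe", W32TM),
    ev("g8", 2716, "g6", 2408, "C:\\providercommon\\wininit.exe", '"C:\\providercommon\\wininit.exe"'),
    ev("g9", 2376, "g8", 2716, "C:\\Windows\\System32\\cmd.exe", f'"C:\\Windows\\System32\\cmd.exe" /C "{TEMP}FgAoPiAcVL.bat"'),
    ev("g10", 2408, "g9", 2376, "C:\\Windows\\system32\\w32tm.exe", W32TM),  # PID 2408 reused
    ev("g11", 3040, None, 0, "C:\\Windows\\system32\\wbem\\wmiprvse.exe", "C:\\Windows\\system32\\wbem\\wmiprvse.exe"),
    ev("g12", 2592, "g11", 3040, "C:\\Windows\\system32\\schtasks.exe",
       'schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "\'C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\OSPPSVC.exe\'" /f'),
    ev("g13", 2892, "g11", 3040, "C:\\Windows\\system32\\schtasks.exe",
       'schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "\'C:\\providercommon\\wininit.exe\'" /rl HIGHEST /f'),
]

# /tn, /sc, /mo, /tr, /rl with a double-quoted or bare value; the report's
# tasks additionally wrap the /tr target in single quotes.
SCHTASKS_RE = re.compile(r'/(?P<k>tn|sc|mo|tr|rl)\s+(?:"(?P<q>[^"]*)"|(?P<b>\S+))', re.I)


def parse_schtasks(cmd):
    """Return the persistence-relevant switches of a schtasks /create line."""
    out = {}
    for m in SCHTASKS_RE.finditer(cmd):
        out[m.group("k").lower()] = m.group("q") if m.group("q") is not None else m.group("b")
    if "tr" in out:
        out["tr"] = out["tr"].strip("'")
    return out


def image_name(e):
    return e["image"].rsplit("\\", 1)[-1].lower()


def ancestry(e, by_guid):
    """Image names from the process up to the root, following GUIDs, not PIDs."""
    chain = [image_name(e)]
    while e["pguid"] in by_guid:
        e = by_guid[e["pguid"]]
        chain.append(image_name(e))
    return chain


def pid_reuse(events):
    """PIDs that belong to more than one process: a PID-keyed join would mislink them."""
    by_pid = defaultdict(list)
    for e in events:
        by_pid[e["pid"]].append(e["guid"])
    return {pid: g for pid, g in by_pid.items() if len(g) > 1}


def triage(events):
    """Return (pid, rule, detail) findings for the patterns seen in this report."""
    by_guid = {e["guid"]: e for e in events}
    findings = []
    for e in events:
        name, cmd = image_name(e), e["cmd"].lower()
        parent = by_guid.get(e["pguid"])
        pname = image_name(parent) if parent else ""
        chain = ancestry(e, by_guid)
        if pname == "wmiprvse.exe":
            findings.append((e["pid"], "wmi_spawned_child", f"{name} created under wmiprvse.exe pid {e['ppid']}"))
        if name == "schtasks.exe" and "/create" in cmd:
            t = parse_schtasks(e["cmd"])
            findings.append((e["pid"], "scheduled_task", f"tn={t.get('tn')} sc={t.get('sc')} mo={t.get('mo')} rl={t.get('rl')} tr={t.get('tr')}"))
        if name == "w32tm.exe" and "/stripchart" in cmd and pname == "cmd.exe":
            findings.append((e["pid"], "w32tm_delay", "w32tm /stripchart under cmd.exe used as a sleep between restarts"))
        if chain[1:3] == ["cmd.exe", "wscript.exe"]:
            findings.append((e["pid"], "script_dropper_chain", " <- ".join(chain)))
        if not e["image"].lower().startswith(("c:\\windows\\", "c:\\program files")):
            findings.append((e["pid"], "exe_from_nonstandard_dir", e["image"]))
    return findings


if __name__ == "__main__":
    for pid, rule, detail in triage(EVENTS):
        print(f"{pid:>5}  {rule:<25} {detail}")
    print("PID reuse:", pid_reuse(EVENTS))
```

On a live host the same fields come from Sysmon Event ID 1 (ProcessGuid/ParentProcessGuid) or from Security 4688, which carries only PIDs, so there the reuse seen with 2408 has to be resolved by creation-time ordering. The schtasks parser covers the command-line path only; tasks created through the Task Scheduler COM API, which this report also flags, show up as Security 4698 events carrying the task XML rather than a command line.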
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 f7ba3452b7b839082b19b96b2de78301
SHA1 69cbfd9c7a4add764dad6501cd767b3130141a21
SHA256 8fdbf713d2f6a957ac928c8331a60d2db9f9e32ca685b3f496125c0b6e4e45a3
SHA512 bb105329637d49d4daaae69e8e088c292c7c92981d02e4667baf6a59459022afc20ba3cebef9a6872f3ec161be2a993e28f81e3884aaf18c7ae48010dae39719
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 6ca50d7c2b6ba5c603c4ae99a1953330
SHA1 ee27439edd706620ac8b6ba6a4d6d5162c0cba7a
SHA256 6af00a1d6f702e7ef5a2447a475b0e71e0acc75e7abc4d5b06fc1d2d337f77be
SHA512 4847ec8f4f4eec2541ed771183faf23bcd50584b9b60b33743049f1f21442cdae13f33c12bb19109aad48167959c09a1bbaebd97a2d2784a0ff5a1b8da83c8f1
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 9dd0f1d272e8e0bc03c4cdd16900c248
SHA1 e41b6ae5adb323b6396c8ccc38d4b3a6a24196e2
SHA256 994a37ddb625bd06d54acecca8bf114a176dacedc9a991714c91e0c1f7a4ed65
SHA512 84be7e6deecb9be60482b5b8674348f4fdfed13a6e1b62913a14be6e1c7518ab9e86ee54f88e199379d52e85ad5f02594618784d2d412eefe2ec657159d5d137
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 c80556d45112bd6492aa9bd29a93168e
SHA1 d21b0a3f1b54ed052dd31501b161519f63e50ed9
SHA256 4532cf90fa2357a13c36a4156205dc5ed54a677ebda4564b7dec137a8b218531
SHA512 91dd38fce34010e9dacf3f1a6ed1bb00bab18cb8dc42cb29bc6499d90f7a3c16282e111736e19fdf9266b792021261c724fae1fe1212f0595229949983f606c8
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 846f9b5e67a39f738730ebafcb55656e
SHA1 7a5fa1decbb581716ab5fb23515b158ff7332de0
SHA256 1730c451f1229e8d520cf605c90655569f00973a3fcde9bef0c3e2d72c0c4d68
SHA512 16139960ca589176cbc5641a53a21a6e432fe3ffd04c71bb4b780e19abc6d294b6d0f748662db4ea64e85f6198e8d8a570118c8001b450ba1338d147cde5521c
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 39d839ead5e1ed3a47f51c9f0c4b5314
SHA1 0b72007c2a45e4a6e02ec1fdb2498dff9f959816
SHA256 461680b19dd3de3a7919bf5f3dfdbd2674e0729001a3e99e22dd358358019bd6
SHA512 dbae08f316701d7a132b76ce30e7718ff4d176e78daa249ceac27267b1f21da71120569d5facebb1c53b069538a9ed0d6ddf3e50a2d79f55bcfd8b148a6d9872
-
Filesize 194B
MD5 b21cef0dd0b18728e8e204c3faedb733
SHA1 db96d4dbdd8db58419d922dc9e607fcc301ca9fb
SHA256 a02bb567aa1703bde95c3d5c53d081b349bbec6c3b6f5c45eb6faee1560447fc
SHA512 00eb2ce8c651c5f8fc044bb06f305445a5fee9f1c81a5093ba3e52f6d3a9076bc9e11ec5318b7bbcce3fe2de08e8848982a0548af309bc49d7abab646a7c00bb
-
Filesize 194B
MD5 bec693ca779004f06b85360ed6ffb98e
SHA1 544f072758eed357ad36780bada6a05e01ffd239
SHA256 e2c089a31b2690122aa4c5533e6f2654e7e7727d2693686d33f8dd8406835d49
SHA512 af4cbe216147f2710dc784ac9e9bb8f5050fa4eaadf15fc914f52d6f7170e487fbdc991e6571ecd5bcca5604160a107f56d389c383aaea726d048f53a8246c13
-
Filesize 70KB
MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize 194B
MD5 b077d4c1d796d6bccea2c5d6d0a82986
SHA1 802fd709227dbfe5863f332e9cb9f536a7101c5f
SHA256 ff370e2c8ef2e5767c6cd87afc214bcd7d8985ab2965ba9d9c8684ebfb33776c
SHA512 bb09ee86de84b5f1d926c212beb82109cc41508498acb1fb0aead70b981c445fec4a6726a94e5d595e893294bb7cfeabb6ea1370709559ef9547522e3aabd6bb
-
Filesize 194B
MD5 970cc7cbe8ae3eda77e0eebd80403253
SHA1 fe1a122a625a77512405f5e6dd925328c12ac742
SHA256 ffb8e0616b8bcd2161c590713d6e27871a17c60d9df3644f7f7c137cfacbe99c
SHA512 58dc23fbbe680ca04db4d18b00b7cd2484083a80b5fe3a142292d481c1567345f8bbe9173468fb84066507ff7cbb988dfa05c581bd15019b94d49a988280cb4d
-
Filesize 181KB
MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize 194B
MD5 4e38fb1320854f3854ec71c7b1468a3e
SHA1 e1181163eca89dd51e9b1111a71a04de422c1d11
SHA256 8a9bd5e2c1183892c45b13acbe64a17b4ef43ad8b56612f7f383d2aa2b2384d2
SHA512 d01c1c76df6a486faa7122e438beb26ff2296775ca9031a364e5ebea1afb20a1952ece168d1e10232105c78aac509df73668dd0bdcc7d7871879d6d731e4745f
-
Filesize 194B
MD5 1b1306622220515364986a4e0cbbf54a
SHA1 2821764d0f61d37c99081014764f2b45c5a0d84e
SHA256 04e57818801f38a114bcd1a9f11e79f0ef740f69139dfe946ff3cea5e59aeeba
SHA512 764d8af294683891c089dd9c69da0c6b0f8ae8f9ed9d245af9cfb302081bf30b5be15e057fd65aed6b8fe01d4db7d0d9c6a404d3973894f3410f1ed307ce9852
-
Filesize 194B
MD5 9d3d41f968f2bac3c02128d6815e296d
SHA1 585dab7cb4d16558914f6af6c59bb0221916c0a0
SHA256 0adb72530a0baed8236c9e816780e260a61c2f9d8fbeada007183cd58d400f5a
SHA512 abf3e9ded6edbcb453c6c7b9c56e3816b57c40ff2ecd36a80ef68b63ea4ce5efbdb91ee4e5a68caf3c5c218712c3c54489fe82394b744e6f67fa09ab4b8641fc
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\KMCGF17TQQ42ETGY40I6.temp
Filesize 7KB
MD5 98117e3a8d74cda496bdae9265a891f2
SHA1 5f07bc1f92cd60da8c7839704d5ea46d63157438
SHA256 32bb5c939137c9489569af509c0fbcca7aa4eeae1e8ad7e68a97ff0a7e8086b0
SHA512 79c82d5cad825076b6e4e5e58d2faef6aa7bbce6fcb477291deb70eccca8502bbaa884cf1da57e56afeab4dee4d2484419468abb72dc29d4ca146f7aed2138c2
-
Filesize 36B
MD5 6783c3ee07c7d151ceac57f1f9c8bed7
SHA1 17468f98f95bf504cc1f83c49e49a78526b3ea03
SHA256 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512 c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8
-
Filesize 1.0MB
MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
Filesize 197B
MD5 8088241160261560a02c84025d107592
SHA1 083121f7027557570994c9fc211df61730455bb5
SHA256 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA512 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478