Analysis
- max time kernel: 147s
- max time network: 153s
- platform: windows7_x64
- resource: win7-20241010-en
- resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
- submitted: 22/12/2024, 00:51
Behavioral task: behavioral1
- Sample: JaffaCakes118_552ab9c3efbb5b91780671a3df45a082a01781e73af8ab5bea9a7d6e2f726067.exe
- Resource: win7-20241010-en

Behavioral task: behavioral2
- Sample: JaffaCakes118_552ab9c3efbb5b91780671a3df45a082a01781e73af8ab5bea9a7d6e2f726067.exe
- Resource: win10v2004-20241007-en
General
- Target: JaffaCakes118_552ab9c3efbb5b91780671a3df45a082a01781e73af8ab5bea9a7d6e2f726067.exe
- Size: 1.3MB
- MD5: 2be7d612fa9570d1e960dec0852392ff
- SHA1: 08860259e9c965f8b9ff1b229dce4070d425b2fd
- SHA256: 552ab9c3efbb5b91780671a3df45a082a01781e73af8ab5bea9a7d6e2f726067
- SHA512: 322357b56166e85db296775111c0d8e778d004d17035358242dac16d498e53542df63340e355cf20b14c80d033130b56b01f97e69f74288eee9abb98832f0d4e
- SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
- DcRat
  DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.
- Dcrat family
- Process spawned unexpected child process (18 IoCs)
  This typically indicates the parent process was compromised via an exploit or macro.

| description | pid | pid_target | Process | procid_target |
|---|---|---|---|---|
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2704 | 2712 | schtasks.exe | 34 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 784 | 2712 | schtasks.exe | 34 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2192 | 2712 | schtasks.exe | 34 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3012 | 2712 | schtasks.exe | 34 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1976 | 2712 | schtasks.exe | 34 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 384 | 2712 | schtasks.exe | 34 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2532 | 2712 | schtasks.exe | 34 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1696 | 2712 | schtasks.exe | 34 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2372 | 2712 | schtasks.exe | 34 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2720 | 2712 | schtasks.exe | 34 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2952 | 2712 | schtasks.exe | 34 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2988 | 2712 | schtasks.exe | 34 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3036 | 2712 | schtasks.exe | 34 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2700 | 2712 | schtasks.exe | 34 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2440 | 2712 | schtasks.exe | 34 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2448 | 2712 | schtasks.exe | 34 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1020 | 2712 | schtasks.exe | 34 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 236 | 2712 | schtasks.exe | 34 |

  YARA rule matches (dcrat):

| resource | yara_rule |
|---|---|
| behavioral1/files/0x00080000000195c6-9.dat | dcrat |
| behavioral1/memory/2688-13-0x0000000000D00000-0x0000000000E10000-memory.dmp | dcrat |
| behavioral1/memory/1092-73-0x0000000000DA0000-0x0000000000EB0000-memory.dmp | dcrat |
| behavioral1/memory/1728-133-0x0000000000FE0000-0x00000000010F0000-memory.dmp | dcrat |
| behavioral1/memory/2348-252-0x00000000011E0000-0x00000000012F0000-memory.dmp | dcrat |
- Command and Scripting Interpreter: PowerShell (1 TTPs, 7 IoCs)
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

| pid | Process |
|---|---|
| 768 | powershell.exe |
| 2420 | powershell.exe |
| 2512 | powershell.exe |
| 2564 | powershell.exe |
| 2468 | powershell.exe |
| 2520 | powershell.exe |
| 436 | powershell.exe |

- Executes dropped EXE (10 IoCs)

| pid | Process |
|---|---|
| 2688 | DllCommonsvc.exe |
| 1092 | lsass.exe |
| 1728 | lsass.exe |
| 2000 | lsass.exe |
| 2348 | lsass.exe |
| 1456 | lsass.exe |
| 2860 | lsass.exe |
| 1908 | lsass.exe |
| 2616 | lsass.exe |
| 1464 | lsass.exe |

- Loads dropped DLL (2 IoCs)

| pid | Process |
|---|---|
| 2912 | cmd.exe |
| 2912 | cmd.exe |

- Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 10 IoCs)

| flow | ioc |
|---|---|
| 4 | raw.githubusercontent.com |
| 12 | raw.githubusercontent.com |
| 16 | raw.githubusercontent.com |
| 19 | raw.githubusercontent.com |
| 29 | raw.githubusercontent.com |
| 33 | raw.githubusercontent.com |
| 5 | raw.githubusercontent.com |
| 9 | raw.githubusercontent.com |
| 23 | raw.githubusercontent.com |
| 26 | raw.githubusercontent.com |

- Drops file in Program Files directory (3 IoCs)

| description | ioc | Process |
|---|---|---|
| File created | C:\Program Files (x86)\Adobe\Reader 9.0\dllhost.exe | DllCommonsvc.exe |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\dllhost.exe | DllCommonsvc.exe |
| File created | C:\Program Files (x86)\Adobe\Reader 9.0\5940a34987c991 | DllCommonsvc.exe |

- Drops file in Windows directory (1 IoCs)

| description | ioc | Process |
|---|---|---|
| File created | C:\Windows\winsxs\x86_microsoft-windows-d..rectplay8.resources_31bf3856ad364e35_6.1.7600.16385_en-us_38b5a1fc830bbf8b\dwm.exe | DllCommonsvc.exe |

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

| description | ioc | Process |
|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_552ab9c3efbb5b91780671a3df45a082a01781e73af8ab5bea9a7d6e2f726067.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe |
- Scheduled Task/Job: Scheduled Task (1 TTPs, 18 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.

| pid | Process |
|---|---|
| 3012 | schtasks.exe |
| 2700 | schtasks.exe |
| 2440 | schtasks.exe |
| 384 | schtasks.exe |
| 2532 | schtasks.exe |
| 2988 | schtasks.exe |
| 1020 | schtasks.exe |
| 236 | schtasks.exe |
| 1696 | schtasks.exe |
| 2952 | schtasks.exe |
| 3036 | schtasks.exe |
| 2448 | schtasks.exe |
| 2704 | schtasks.exe |
| 784 | schtasks.exe |
| 2192 | schtasks.exe |
| 1976 | schtasks.exe |
| 2372 | schtasks.exe |
| 2720 | schtasks.exe |

- Suspicious behavior: EnumeratesProcesses (19 IoCs)

| pid | Process |
|---|---|
| 2688 | DllCommonsvc.exe |
| 2688 | DllCommonsvc.exe |
| 2688 | DllCommonsvc.exe |
| 2468 | powershell.exe |
| 2564 | powershell.exe |
| 436 | powershell.exe |
| 2520 | powershell.exe |
| 768 | powershell.exe |
| 2512 | powershell.exe |
| 2420 | powershell.exe |
| 1092 | lsass.exe |
| 1728 | lsass.exe |
| 2000 | lsass.exe |
| 2348 | lsass.exe |
| 1456 | lsass.exe |
| 2860 | lsass.exe |
| 1908 | lsass.exe |
| 2616 | lsass.exe |
| 1464 | lsass.exe |

- Suspicious use of AdjustPrivilegeToken (17 IoCs)

| description | pid | Process |
|---|---|---|
| Token: SeDebugPrivilege | 2688 | DllCommonsvc.exe |
| Token: SeDebugPrivilege | 2468 | powershell.exe |
| Token: SeDebugPrivilege | 2564 | powershell.exe |
| Token: SeDebugPrivilege | 436 | powershell.exe |
| Token: SeDebugPrivilege | 2520 | powershell.exe |
| Token: SeDebugPrivilege | 768 | powershell.exe |
| Token: SeDebugPrivilege | 2512 | powershell.exe |
| Token: SeDebugPrivilege | 2420 | powershell.exe |
| Token: SeDebugPrivilege | 1092 | lsass.exe |
| Token: SeDebugPrivilege | 1728 | lsass.exe |
| Token: SeDebugPrivilege | 2000 | lsass.exe |
| Token: SeDebugPrivilege | 2348 | lsass.exe |
| Token: SeDebugPrivilege | 1456 | lsass.exe |
| Token: SeDebugPrivilege | 2860 | lsass.exe |
| Token: SeDebugPrivilege | 1908 | lsass.exe |
| Token: SeDebugPrivilege | 2616 | lsass.exe |
| Token: SeDebugPrivilege | 1464 | lsass.exe |

- Suspicious use of WriteProcessMemory (64 IoCs)

| description | pid | Process | procid_target |
|---|---|---|---|
| PID 2772 wrote to memory of 2940 | 2772 | JaffaCakes118_552ab9c3efbb5b91780671a3df45a082a01781e73af8ab5bea9a7d6e2f726067.exe | 30 |
| PID 2772 wrote to memory of 2940 | 2772 | JaffaCakes118_552ab9c3efbb5b91780671a3df45a082a01781e73af8ab5bea9a7d6e2f726067.exe | 30 |
| PID 2772 wrote to memory of 2940 | 2772 | JaffaCakes118_552ab9c3efbb5b91780671a3df45a082a01781e73af8ab5bea9a7d6e2f726067.exe | 30 |
| PID 2772 wrote to memory of 2940 | 2772 | JaffaCakes118_552ab9c3efbb5b91780671a3df45a082a01781e73af8ab5bea9a7d6e2f726067.exe | 30 |
| PID 2940 wrote to memory of 2912 | 2940 | WScript.exe | 31 |
| PID 2940 wrote to memory of 2912 | 2940 | WScript.exe | 31 |
| PID 2940 wrote to memory of 2912 | 2940 | WScript.exe | 31 |
| PID 2940 wrote to memory of 2912 | 2940 | WScript.exe | 31 |
| PID 2912 wrote to memory of 2688 | 2912 | cmd.exe | 33 |
| PID 2912 wrote to memory of 2688 | 2912 | cmd.exe | 33 |
| PID 2912 wrote to memory of 2688 | 2912 | cmd.exe | 33 |
| PID 2912 wrote to memory of 2688 | 2912 | cmd.exe | 33 |
| PID 2688 wrote to memory of 436 | 2688 | DllCommonsvc.exe | 53 |
| PID 2688 wrote to memory of 436 | 2688 | DllCommonsvc.exe | 53 |
| PID 2688 wrote to memory of 436 | 2688 | DllCommonsvc.exe | 53 |
| PID 2688 wrote to memory of 768 | 2688 | DllCommonsvc.exe | 54 |
| PID 2688 wrote to memory of 768 | 2688 | DllCommonsvc.exe | 54 |
| PID 2688 wrote to memory of 768 | 2688 | DllCommonsvc.exe | 54 |
| PID 2688 wrote to memory of 2420 | 2688 | DllCommonsvc.exe | 56 |
| PID 2688 wrote to memory of 2420 | 2688 | DllCommonsvc.exe | 56 |
| PID 2688 wrote to memory of 2420 | 2688 | DllCommonsvc.exe | 56 |
| PID 2688 wrote to memory of 2512 | 2688 | DllCommonsvc.exe | 57 |
| PID 2688 wrote to memory of 2512 | 2688 | DllCommonsvc.exe | 57 |
| PID 2688 wrote to memory of 2512 | 2688 | DllCommonsvc.exe | 57 |
| PID 2688 wrote to memory of 2468 | 2688 | DllCommonsvc.exe | 58 |
| PID 2688 wrote to memory of 2468 | 2688 | DllCommonsvc.exe | 58 |
| PID 2688 wrote to memory of 2468 | 2688 | DllCommonsvc.exe | 58 |
| PID 2688 wrote to memory of 2564 | 2688 | DllCommonsvc.exe | 59 |
| PID 2688 wrote to memory of 2564 | 2688 | DllCommonsvc.exe | 59 |
| PID 2688 wrote to memory of 2564 | 2688 | DllCommonsvc.exe | 59 |
| PID 2688 wrote to memory of 2520 | 2688 | DllCommonsvc.exe | 60 |
| PID 2688 wrote to memory of 2520 | 2688 | DllCommonsvc.exe | 60 |
| PID 2688 wrote to memory of 2520 | 2688 | DllCommonsvc.exe | 60 |
| PID 2688 wrote to memory of 2508 | 2688 | DllCommonsvc.exe | 67 |
| PID 2688 wrote to memory of 2508 | 2688 | DllCommonsvc.exe | 67 |
| PID 2688 wrote to memory of 2508 | 2688 | DllCommonsvc.exe | 67 |
| PID 2508 wrote to memory of 1692 | 2508 | cmd.exe | 69 |
| PID 2508 wrote to memory of 1692 | 2508 | cmd.exe | 69 |
| PID 2508 wrote to memory of 1692 | 2508 | cmd.exe | 69 |
| PID 2508 wrote to memory of 1092 | 2508 | cmd.exe | 70 |
| PID 2508 wrote to memory of 1092 | 2508 | cmd.exe | 70 |
| PID 2508 wrote to memory of 1092 | 2508 | cmd.exe | 70 |
| PID 1092 wrote to memory of 1676 | 1092 | lsass.exe | 71 |
| PID 1092 wrote to memory of 1676 | 1092 | lsass.exe | 71 |
| PID 1092 wrote to memory of 1676 | 1092 | lsass.exe | 71 |
| PID 1676 wrote to memory of 2184 | 1676 | cmd.exe | 73 |
| PID 1676 wrote to memory of 2184 | 1676 | cmd.exe | 73 |
| PID 1676 wrote to memory of 2184 | 1676 | cmd.exe | 73 |
| PID 1676 wrote to memory of 1728 | 1676 | cmd.exe | 74 |
| PID 1676 wrote to memory of 1728 | 1676 | cmd.exe | 74 |
| PID 1676 wrote to memory of 1728 | 1676 | cmd.exe | 74 |
| PID 1728 wrote to memory of 1724 | 1728 | lsass.exe | 75 |
| PID 1728 wrote to memory of 1724 | 1728 | lsass.exe | 75 |
| PID 1728 wrote to memory of 1724 | 1728 | lsass.exe | 75 |
| PID 1724 wrote to memory of 2560 | 1724 | cmd.exe | 77 |
| PID 1724 wrote to memory of 2560 | 1724 | cmd.exe | 77 |
| PID 1724 wrote to memory of 2560 | 1724 | cmd.exe | 77 |
| PID 1724 wrote to memory of 2000 | 1724 | cmd.exe | 78 |
| PID 1724 wrote to memory of 2000 | 1724 | cmd.exe | 78 |
| PID 1724 wrote to memory of 2000 | 1724 | cmd.exe | 78 |
| PID 2000 wrote to memory of 2056 | 2000 | lsass.exe | 79 |
| PID 2000 wrote to memory of 2056 | 2000 | lsass.exe | 79 |
| PID 2000 wrote to memory of 2056 | 2000 | lsass.exe | 79 |
| PID 2056 wrote to memory of 2556 | 2056 | cmd.exe | 81 |
- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
(Tree indented by depth; each entry lists the image path, the command line, the signatures it triggered, and its PID.)

- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_552ab9c3efbb5b91780671a3df45a082a01781e73af8ab5bea9a7d6e2f726067.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_552ab9c3efbb5b91780671a3df45a082a01781e73af8ab5bea9a7d6e2f726067.exe"
  Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
  PID: 2772
  - C:\Windows\SysWOW64\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
    Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    PID: 2940
    - C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c ""C:\providercommon\1zu9dW.bat" "
      Signatures: Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      PID: 2912
      - C:\providercommon\DllCommonsvc.exe
        Command line: "C:\providercommon\DllCommonsvc.exe"
        Signatures: Executes dropped EXE; Drops file in Program Files directory; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
        PID: 2688
        - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
          Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
          PID: 436
        - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\Reader 9.0\dllhost.exe'
          Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
          PID: 768
        - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Start Menu\winlogon.exe'
          Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
          PID: 2420
        - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'
          Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
          PID: 2512
        - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\lsass.exe'
          Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
          PID: 2468
        - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'
          Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
          PID: 2564
        - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\smss.exe'
          Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
          PID: 2520
        - C:\Windows\System32\cmd.exe
          Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MCoGdzfDFP.bat"
          Signatures: Suspicious use of WriteProcessMemory
          PID: 2508
          - C:\Windows\system32\w32tm.exe
            Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
            PID: 1692
          - C:\Users\Default User\lsass.exe
            Command line: "C:\Users\Default User\lsass.exe"
            Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
            PID: 1092
            - C:\Windows\System32\cmd.exe
              Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Or3SRhMf8V.bat"
              Signatures: Suspicious use of WriteProcessMemory
              PID: 1676
              - C:\Windows\system32\w32tm.exe
                Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                PID: 2184
              - C:\Users\Default User\lsass.exe
                Command line: "C:\Users\Default User\lsass.exe"
                Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
                PID: 1728
                - C:\Windows\System32\cmd.exe
                  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RBIFf9IaIr.bat"
                  Signatures: Suspicious use of WriteProcessMemory
                  PID: 1724
                  - C:\Windows\system32\w32tm.exe
                    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                    PID: 2560
                  - C:\Users\Default User\lsass.exe
                    Command line: "C:\Users\Default User\lsass.exe"
                    Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
                    PID: 2000
                    - C:\Windows\System32\cmd.exe
                      Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GzuRWOxc20.bat"
                      Signatures: Suspicious use of WriteProcessMemory
                      PID: 2056
                      - C:\Windows\system32\w32tm.exe
                        Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                        PID: 2556
                      - C:\Users\Default User\lsass.exe
                        Command line: "C:\Users\Default User\lsass.exe"
                        Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
                        PID: 2348
                        - C:\Windows\System32\cmd.exe
                          Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hD3D8PLBZ9.bat"
                          PID: 636
                          - C:\Windows\system32\w32tm.exe
                            Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                            PID: 384
                          - C:\Users\Default User\lsass.exe
                            Command line: "C:\Users\Default User\lsass.exe"
                            Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
                            PID: 1456
                            - C:\Windows\System32\cmd.exe
                              Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wKGJ2NUoAL.bat"
                              PID: 264
                              - C:\Windows\system32\w32tm.exe
                                Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                PID: 2976
                              - C:\Users\Default User\lsass.exe
                                Command line: "C:\Users\Default User\lsass.exe"
                                Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
                                PID: 2860
                                - C:\Windows\System32\cmd.exe
                                  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7hfvN6zFDa.bat"
                                  PID: 2384
                                  - C:\Windows\system32\w32tm.exe
                                    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                    PID: 2684
                                  - C:\Users\Default User\lsass.exe
                                    Command line: "C:\Users\Default User\lsass.exe"
                                    Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
                                    PID: 1908
                                    - C:\Windows\System32\cmd.exe
                                      Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\U4eMIZxK0W.bat"
                                      PID: 392
                                      - C:\Windows\system32\w32tm.exe
                                        Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                        PID: 1448
                                      - C:\Users\Default User\lsass.exe
                                        Command line: "C:\Users\Default User\lsass.exe"
                                        Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
                                        PID: 2616
                                        - C:\Windows\System32\cmd.exe
                                          Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QOz0umrEhM.bat"
                                          PID: 1904
                                          - C:\Windows\system32\w32tm.exe
                                            Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                            PID: 3036
                                          - C:\Users\Default User\lsass.exe
                                            Command line: "C:\Users\Default User\lsass.exe"
                                            Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
                                            PID: 1464
                                            - C:\Windows\System32\cmd.exe
                                              Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HEz7ZQMTyX.bat"
                                              PID: 2408
                                              - C:\Windows\system32\w32tm.exe
                                                Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                PID: 1768

- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\dllhost.exe'" /f
  Signatures: Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task
  PID: 2704
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\dllhost.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task
  PID: 784
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\dllhost.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task
  PID: 2192
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Start Menu\winlogon.exe'" /f
  Signatures: Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task
  PID: 3012
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Default\Start Menu\winlogon.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task
  PID: 1976
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Start Menu\winlogon.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task
  PID: 384
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /f
  Signatures: Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task
  PID: 2532
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task
  PID: 1696
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task
  PID: 2372
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\lsass.exe'" /f
  Signatures: Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task
  PID: 2720
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Default User\lsass.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task
  PID: 2952
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\lsass.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task
  PID: 2988
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\providercommon\csrss.exe'" /f
  Signatures: Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task
  PID: 3036
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task
  PID: 2700
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task
  PID: 2440
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\smss.exe'" /f
  Signatures: Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task
  PID: 2448
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\All Users\smss.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task
  PID: 1020
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\smss.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task
  PID: 236
Network
MITRE ATT&CK Enterprise v15
Downloads