Analysis
-
max time kernel
145s -
max time network
140s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
22-12-2024 00:27
Behavioral task
behavioral1
Sample
JaffaCakes118_0a5fdf9c9a479aec971378a7eab07d2e52e731ec1a8db34a913fba199deef67e.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
JaffaCakes118_0a5fdf9c9a479aec971378a7eab07d2e52e731ec1a8db34a913fba199deef67e.exe
Resource
win10v2004-20241007-en
General
-
Target
JaffaCakes118_0a5fdf9c9a479aec971378a7eab07d2e52e731ec1a8db34a913fba199deef67e.exe
-
Size
1.3MB
-
MD5
1304a2add2be8b4667d920069a5d8247
-
SHA1
b4715f3dc3c122330521e51a494e90c6969d332b
-
SHA256
0a5fdf9c9a479aec971378a7eab07d2e52e731ec1a8db34a913fba199deef67e
-
SHA512
1d2e418c4e64ac8b760ac03a3464a967c5331210a50d7d57cbf759b039ea4ad99f8eafa146390a6dc86351cadd69de9bbd340547072503f94c08b42e0ac386fc
-
SSDEEP
24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 6 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2404 2792 schtasks.exe 32 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2084 2792 schtasks.exe 32 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2656 2792 schtasks.exe 32 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2640 2792 schtasks.exe 32 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2548 2792 schtasks.exe 32 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2560 2792 schtasks.exe 32 -
resource yara_rule behavioral1/files/0x0008000000015ef6-12.dat dcrat behavioral1/memory/1644-13-0x0000000000F20000-0x0000000001030000-memory.dmp dcrat behavioral1/memory/2596-28-0x0000000000E70000-0x0000000000F80000-memory.dmp dcrat behavioral1/memory/1100-163-0x0000000001070000-0x0000000001180000-memory.dmp dcrat behavioral1/memory/1408-223-0x0000000000390000-0x00000000004A0000-memory.dmp dcrat behavioral1/memory/1928-284-0x0000000001160000-0x0000000001270000-memory.dmp dcrat behavioral1/memory/2568-642-0x0000000001370000-0x0000000001480000-memory.dmp dcrat -
Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 2688 powershell.exe 2576 powershell.exe 2824 powershell.exe -
Executes dropped EXE 13 IoCs
pid Process 1644 DllCommonsvc.exe 2596 wininit.exe 936 wininit.exe 1100 wininit.exe 1408 wininit.exe 1928 wininit.exe 3024 wininit.exe 2640 wininit.exe 2124 wininit.exe 884 wininit.exe 2976 wininit.exe 2568 wininit.exe 604 wininit.exe -
Loads dropped DLL 2 IoCs
pid Process 1732 cmd.exe 1732 cmd.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs
flow ioc 12 raw.githubusercontent.com 25 raw.githubusercontent.com 32 raw.githubusercontent.com 35 raw.githubusercontent.com 4 raw.githubusercontent.com 5 raw.githubusercontent.com 19 raw.githubusercontent.com 22 raw.githubusercontent.com 28 raw.githubusercontent.com 38 raw.githubusercontent.com 9 raw.githubusercontent.com 16 raw.githubusercontent.com -
Drops file in Program Files directory 3 IoCs
description ioc Process File created C:\Program Files (x86)\Microsoft SQL Server Compact Edition\wininit.exe DllCommonsvc.exe File opened for modification C:\Program Files (x86)\Microsoft SQL Server Compact Edition\wininit.exe DllCommonsvc.exe File created C:\Program Files (x86)\Microsoft SQL Server Compact Edition\56085415360792 DllCommonsvc.exe -
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\Windows\Cursors\886983d96e3d3e DllCommonsvc.exe File created C:\Windows\Cursors\csrss.exe DllCommonsvc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_0a5fdf9c9a479aec971378a7eab07d2e52e731ec1a8db34a913fba199deef67e.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2640 schtasks.exe 2548 schtasks.exe 2560 schtasks.exe 2404 schtasks.exe 2084 schtasks.exe 2656 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 16 IoCs
pid Process 1644 DllCommonsvc.exe 2824 powershell.exe 2576 powershell.exe 2688 powershell.exe 2596 wininit.exe 936 wininit.exe 1100 wininit.exe 1408 wininit.exe 1928 wininit.exe 3024 wininit.exe 2640 wininit.exe 2124 wininit.exe 884 wininit.exe 2976 wininit.exe 2568 wininit.exe 604 wininit.exe -
Suspicious use of AdjustPrivilegeToken 16 IoCs
description pid Process Token: SeDebugPrivilege 1644 DllCommonsvc.exe Token: SeDebugPrivilege 2824 powershell.exe Token: SeDebugPrivilege 2576 powershell.exe Token: SeDebugPrivilege 2596 wininit.exe Token: SeDebugPrivilege 2688 powershell.exe Token: SeDebugPrivilege 936 wininit.exe Token: SeDebugPrivilege 1100 wininit.exe Token: SeDebugPrivilege 1408 wininit.exe Token: SeDebugPrivilege 1928 wininit.exe Token: SeDebugPrivilege 3024 wininit.exe Token: SeDebugPrivilege 2640 wininit.exe Token: SeDebugPrivilege 2124 wininit.exe Token: SeDebugPrivilege 884 wininit.exe Token: SeDebugPrivilege 2976 wininit.exe Token: SeDebugPrivilege 2568 wininit.exe Token: SeDebugPrivilege 604 wininit.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1656 wrote to memory of 2428 1656 JaffaCakes118_0a5fdf9c9a479aec971378a7eab07d2e52e731ec1a8db34a913fba199deef67e.exe 28 PID 1656 wrote to memory of 2428 1656 JaffaCakes118_0a5fdf9c9a479aec971378a7eab07d2e52e731ec1a8db34a913fba199deef67e.exe 28 PID 1656 wrote to memory of 2428 1656 JaffaCakes118_0a5fdf9c9a479aec971378a7eab07d2e52e731ec1a8db34a913fba199deef67e.exe 28 PID 1656 wrote to memory of 2428 1656 JaffaCakes118_0a5fdf9c9a479aec971378a7eab07d2e52e731ec1a8db34a913fba199deef67e.exe 28 PID 2428 wrote to memory of 1732 2428 WScript.exe 29 PID 2428 wrote to memory of 1732 2428 WScript.exe 29 PID 2428 wrote to memory of 1732 2428 WScript.exe 29 PID 2428 wrote to memory of 1732 2428 WScript.exe 29 PID 1732 wrote to memory of 1644 1732 cmd.exe 31 PID 1732 wrote to memory of 1644 1732 cmd.exe 31 PID 1732 wrote to memory of 1644 1732 cmd.exe 31 PID 1732 wrote to memory of 1644 1732 cmd.exe 31 PID 1644 wrote to memory of 2688 1644 DllCommonsvc.exe 39 PID 1644 wrote to memory of 2688 1644 DllCommonsvc.exe 39 PID 1644 wrote to memory of 2688 1644 DllCommonsvc.exe 39 PID 1644 wrote to memory of 2576 1644 DllCommonsvc.exe 40 PID 1644 wrote to memory of 2576 1644 DllCommonsvc.exe 40 PID 1644 wrote to memory of 2576 1644 DllCommonsvc.exe 40 PID 1644 wrote to memory of 2824 1644 DllCommonsvc.exe 41 PID 1644 wrote to memory of 2824 1644 DllCommonsvc.exe 41 PID 1644 wrote to memory of 2824 1644 DllCommonsvc.exe 41 PID 1644 wrote to memory of 2596 1644 DllCommonsvc.exe 45 PID 1644 wrote to memory of 2596 1644 DllCommonsvc.exe 45 PID 1644 wrote to memory of 2596 1644 DllCommonsvc.exe 45 PID 2596 wrote to memory of 1784 2596 wininit.exe 46 PID 2596 wrote to memory of 1784 2596 wininit.exe 46 PID 2596 wrote to memory of 1784 2596 wininit.exe 46 PID 1784 wrote to memory of 1076 1784 cmd.exe 48 PID 1784 wrote to memory of 1076 1784 cmd.exe 48 PID 1784 wrote to memory of 1076 1784 cmd.exe 48 PID 1784 wrote to memory of 936 1784 cmd.exe 51 PID 1784 wrote to memory of 936 1784 cmd.exe 51 PID 1784 wrote to memory of 936 1784 cmd.exe 51 PID 936 wrote to memory of 1636 936 wininit.exe 52 PID 936 wrote to memory of 1636 936 wininit.exe 52 PID 936 wrote to memory of 1636 936 wininit.exe 52 PID 1636 wrote to memory of 1972 1636 cmd.exe 54 PID 1636 wrote to memory of 1972 1636 cmd.exe 54 PID 1636 wrote to memory of 1972 1636 cmd.exe 54 PID 1636 wrote to memory of 1100 1636 cmd.exe 55 PID 1636 wrote to memory of 1100 1636 cmd.exe 55 PID 1636 wrote to memory of 1100 1636 cmd.exe 55 PID 1100 wrote to memory of 2000 1100 wininit.exe 56 PID 1100 wrote to memory of 2000 1100 wininit.exe 56 PID 1100 wrote to memory of 2000 1100 wininit.exe 56 PID 2000 wrote to memory of 792 2000 cmd.exe 58 PID 2000 wrote to memory of 792 2000 cmd.exe 58 PID 2000 wrote to memory of 792 2000 cmd.exe 58 PID 2000 wrote to memory of 1408 2000 cmd.exe 59 PID 2000 wrote to memory of 1408 2000 cmd.exe 59 PID 2000 wrote to memory of 1408 2000 cmd.exe 59 PID 1408 wrote to memory of 3060 1408 wininit.exe 60 PID 1408 wrote to memory of 3060 1408 wininit.exe 60 PID 1408 wrote to memory of 3060 1408 wininit.exe 60 PID 3060 wrote to memory of 2916 3060 cmd.exe 62 PID 3060 wrote to memory of 2916 3060 cmd.exe 62 PID 3060 wrote to memory of 2916 3060 cmd.exe 62 PID 3060 wrote to memory of 1928 3060 cmd.exe 63 PID 3060 wrote to memory of 1928 3060 cmd.exe 63 PID 3060 wrote to memory of 1928 3060 cmd.exe 63 PID 1928 wrote to memory of 1440 1928 wininit.exe 64 PID 1928 wrote to memory of 1440 1928 wininit.exe 64 PID 1928 wrote to memory of 1440 1928 wininit.exe 64 PID 1440 wrote to memory of 1528 1440 cmd.exe 66 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0a5fdf9c9a479aec971378a7eab07d2e52e731ec1a8db34a913fba199deef67e.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0a5fdf9c9a479aec971378a7eab07d2e52e731ec1a8db34a913fba199deef67e.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1656 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2428 -
C:\Windows\SysWOW64\cmd.execmd /c ""C:\providercommon\1zu9dW.bat" "3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1732 -
C:\providercommon\DllCommonsvc.exe"C:\providercommon\DllCommonsvc.exe"4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1644 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2688
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\wininit.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2576
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Cursors\csrss.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2824
-
-
C:\Program Files (x86)\Microsoft SQL Server Compact Edition\wininit.exe"C:\Program Files (x86)\Microsoft SQL Server Compact Edition\wininit.exe"5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2596 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\goxiuQmrpE.bat"6⤵
- Suspicious use of WriteProcessMemory
PID:1784 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:27⤵PID:1076
-
-
C:\Program Files (x86)\Microsoft SQL Server Compact Edition\wininit.exe"C:\Program Files (x86)\Microsoft SQL Server Compact Edition\wininit.exe"7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:936 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xc1v93Hoh1.bat"8⤵
- Suspicious use of WriteProcessMemory
PID:1636 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:29⤵PID:1972
-
-
C:\Program Files (x86)\Microsoft SQL Server Compact Edition\wininit.exe"C:\Program Files (x86)\Microsoft SQL Server Compact Edition\wininit.exe"9⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1100 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\I4yJNRBzAA.bat"10⤵
- Suspicious use of WriteProcessMemory
PID:2000 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:211⤵PID:792
-
-
C:\Program Files (x86)\Microsoft SQL Server Compact Edition\wininit.exe"C:\Program Files (x86)\Microsoft SQL Server Compact Edition\wininit.exe"11⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1408 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ffEuziAK6w.bat"12⤵
- Suspicious use of WriteProcessMemory
PID:3060 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:213⤵PID:2916
-
-
C:\Program Files (x86)\Microsoft SQL Server Compact Edition\wininit.exe"C:\Program Files (x86)\Microsoft SQL Server Compact Edition\wininit.exe"13⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1928 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2zdeBu3xOP.bat"14⤵
- Suspicious use of WriteProcessMemory
PID:1440 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:215⤵PID:1528
-
-
C:\Program Files (x86)\Microsoft SQL Server Compact Edition\wininit.exe"C:\Program Files (x86)\Microsoft SQL Server Compact Edition\wininit.exe"15⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3024 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gyyX5OxKdc.bat"16⤵PID:1472
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:217⤵PID:2852
-
-
C:\Program Files (x86)\Microsoft SQL Server Compact Edition\wininit.exe"C:\Program Files (x86)\Microsoft SQL Server Compact Edition\wininit.exe"17⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2640 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JJ2zQTaq6h.bat"18⤵PID:1960
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:219⤵PID:776
-
-
C:\Program Files (x86)\Microsoft SQL Server Compact Edition\wininit.exe"C:\Program Files (x86)\Microsoft SQL Server Compact Edition\wininit.exe"19⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2124 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iqKdioc4MG.bat"20⤵PID:1856
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:221⤵PID:2056
-
-
C:\Program Files (x86)\Microsoft SQL Server Compact Edition\wininit.exe"C:\Program Files (x86)\Microsoft SQL Server Compact Edition\wininit.exe"21⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:884 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oS12nhm3yC.bat"22⤵PID:2248
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:223⤵PID:2340
-
-
C:\Program Files (x86)\Microsoft SQL Server Compact Edition\wininit.exe"C:\Program Files (x86)\Microsoft SQL Server Compact Edition\wininit.exe"23⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2976 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pFKIY4EPZg.bat"24⤵PID:2464
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:225⤵PID:2636
-
-
C:\Program Files (x86)\Microsoft SQL Server Compact Edition\wininit.exe"C:\Program Files (x86)\Microsoft SQL Server Compact Edition\wininit.exe"25⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2568 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uugdhbmYnk.bat"26⤵PID:2116
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:227⤵PID:2920
-
-
C:\Program Files (x86)\Microsoft SQL Server Compact Edition\wininit.exe"C:\Program Files (x86)\Microsoft SQL Server Compact Edition\wininit.exe"27⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:604
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2404
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2084
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2656
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Windows\Cursors\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2640
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Cursors\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2548
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Windows\Cursors\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2560
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5b71a6eaa1cd7ffcf116152e94be029ef
SHA145f5e7e92b62c95bb9b40aa5fb7d0f910f5f8f4b
SHA25697c7e5593eae813a159484ee04c391b5764005389f2b46c3aa593b6d1bd25ad7
SHA512eb7c5dfd9626dc17f61e04835e37356a6d0f7415e55a2e6f3488b5637665520ba659fe5bf985408f7478ba21aba381bfb736fb2f859e438af4193b96db5647e0
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD590073e3b084fce5044e566008d5476b0
SHA17cf42eaff90731e554c3946cb892f4052391fd57
SHA256a96387e01f48f6f0f9a173f4056ba9495456a610b0667e26aba9116021c1e3fc
SHA512ca76ec5cdf79ceee7e96f14c3460b2e5497519b9cb80868301f84db76decb2e4e3340adfa9d3ee5426c02a4e53992eb454c12f1c30c586c1721ba24c333f3967
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD548e2a3f1c766c83d10babf5e560c50d5
SHA18c3ceb8e5d08ea28271717eb21b671c6fbe85703
SHA25638d65c13ecc28c1a743f61501cb661f6f77270c5ad920649638f693bcb0e8641
SHA512784721be54072c1efde470c382dd5244dea4af49bfe74cac9414074bed0b3dd192474b988687b01b6a3cc37f45e276d47d9b064714ea69e52ec75ae277cfde5b
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5f4ee716d0ca501c7945f5ec447d4f3ef
SHA1204b6f75bf0a82abec970b1e2b413af25e8497c0
SHA2563a9df01bf684a098da1825303fb68b98e9784edd87a18754049c01f91812dd5e
SHA51235170503d238c7ae75571863b25f4006085306d0532856c40980a4f0d6148341af69b267c9cbceb08482c7bc819c846945c36742e14772d257e9b52312fe01b0
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD55ec4080ffc79f627a06423e036a2e213
SHA116af726f51732915de9fbceebd91c1216774a1a0
SHA256d2ad4ac69fab6ef173a947174468a17dd0f613740a815d026ed4ccb034e0fd49
SHA5127d7e72f84831550e4d4907774944932138c66ef153f2baff701d7c784f930b9381fcd5982999f8d0bf37d3f1de1edd180619a2bcf41cd8a883aa5ac12b6e5e12
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD58385ca1c3e1791d4f649c7d95ae7c8a5
SHA15a4a7917bdaed5a631b3e659bd50315fb6c72650
SHA256827cb61b4494cb6f04bddb5bccd63758dd3ca2cbcf5a0967d14c8911cf7794a6
SHA5125b9572165006b576f20b893b4a7e436aa23d4d3141591e86f56dd4dce6a006930c5fc06a5f676fad76f883c47aecebf525722ffd8811a9f53575fd109373e9f1
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5b3deff7356da1132e0609a679a42e0dd
SHA1b2bfeb64765c2a76635b0af883f6efee1d45d8fa
SHA256f03db8ab02bd7c2b082dcfce588736a8d7dea0dc3146a2b202ac63979c3babb3
SHA512ca02c14e82c8208876bad2085f53dba23943534b400419f98547051a8a0be5ef4f5a280f2a56977f495fc5bb94dcf611cf97f6760e98c2539289bbaf9ee4b4d6
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5ecf8c9e4993bce539fcbceeb9764eaec
SHA11eacab87caced20ff62cd2f7a5e2b8c3c105f5ff
SHA256e777035150fd4cf4286527e47e6190603360f3f762c55c77f1f04fe35be54701
SHA51222e5970669ac010e59d2240a2343ef258238a3c6da0c1a1c8cf8c0464fd366111fe191f86cec4945c65bd528768ec18305fd61f26cfdffecba6012b6b744413b
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5606d0754145109ad58af64bec3abecdf
SHA19bb1b97a457554f0cb7213da2c9efc8431600827
SHA256ae91e7b3ee56439a1677a3f444af28270c7aef3b722fed25674159978ad9a63b
SHA512e04705c6e829b04839e322078a3ffa9675e05cef1c22f63cbe527ff3f425fe357831af9aa307838dc7b3b94757b0c64b0f45b5a9f3a040e6c9a2a0b44dc15fc4
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD52be24ed33c0b203e6c7d6bc5353ff86d
SHA1771ccdbc4ac988a145c76037a501b0f7ee9e4b34
SHA25625f853701a7dd027c7bd4fd729f2780cb64c0b7d2c27ce1f026e19a2ef689dac
SHA5123f6a4dd2c35e4dade6664b5acde3d0da2a485fe9aa4f894300a9bec16ae4ae9fad937ad5a3f244c8efd35e334fdd92489184619fd42edd99c7e7b23e6993ab53
-
Filesize
236B
MD5fb5efb7badf2bce1128ef4c6c5eab069
SHA1738c8d1dea7e446c78d747274f5c49ed3afa0840
SHA256034d70e62429dad85f204d37f54fe7cdedc6e05c445619f2c5b53fce0bc0b234
SHA512c32704982a0f7e8ba5fa141fca5eaf2de42bcd102696d6ae3a09dff5dc24f5190d81dec3345ef7488066b5feca9df6c0f1387c2dfdd88ddfbd56d26b664ad29d
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
236B
MD541c10e2b6111d695dfaa6ec32eb66a5b
SHA1e8bcd586257d4954f10ea4c7f2ccd76c6fd81d29
SHA25634665357fbccfaac8beaf4ad828768a37a707fdb29106dacfc10c1921ba3fba6
SHA51250c7d75c60b709fee7693a170117cdb7f4b1db4bca99dce1bb8041d4459c63f8304fbb9e106f8a6cebc569fc7c852cbbea3e4514efa8ae45fa0e0b630d799ed6
-
Filesize
236B
MD5e0a27235d60c162f85e1e09be7c5bb98
SHA15da8dd740632e5b1314aae65432c5ff1b419af8a
SHA2561c48a792496b30e9f991e1b3199aa41cfbd159069bcc9a108344ff553baca6e4
SHA512da29866db9c38b4d7cb93b9997c0b5766fa53b313f19fb33e560bba73ce0dda6ee3b3b61ed55c17304e960d78ae604646ed10d4422eae1600a49e72923bb3e2c
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
236B
MD5013bd85b0d10d49f712abc0e742bb912
SHA1592186790e54e562682c2faea45b753a6c72af2d
SHA2562f5ffc5483ba8dc94bcc602b93d4f81534c54622851f9871ce58cc901d4ae3ee
SHA512b81312e15139a41663d528845a2bf78d3051856d17ba9da70977edb61085715cb5465db82e525c3e7a52b67204fa32eaf0caeb38f0d745fead95ceba719ebdf5
-
Filesize
236B
MD51b69700041b9ae404b5ceb5e240951ac
SHA14930584a235c6e4a52e5ff13d4627e3d88581c88
SHA256fefbe4591f6f17240dcde4177df327cc240a014a907861adcadccdf71b8dee65
SHA512fde8ffdcdc66eed6d09d209b836108b25da045bfd0451244e0b162393c8ced7e928ad93a599dbf2c9ec148f839252d3e07c4955dc4521d8fe718a704a6e62db4
-
Filesize
236B
MD5a2eb828b9c3010a9355a07026e3d2535
SHA198932f34525b0158e165a82a78ae73302b626920
SHA256e06a973db4ac11f74b052619492ad3fb5a6eccb45c89846e33909ef02ca1de5b
SHA512c3a9df54ced2c44783793bb952b8936561b02bc2cfb7202fae251c99b5764e379918447a485c5021c67ba635265639b1c0f587bb13c2722db1140c794c25d31b
-
Filesize
236B
MD55685996d6975800a0e0eb3465d31069d
SHA16b7e569088060f3f1cb78a17600674c6adb52efd
SHA2561351f187dc2e7c2fecf6b7e0e0fdcc15af089f91ef98b926bf3985ea6aebdf99
SHA512523cabcc59147c6b0dfea16af250ba18a484772e172c4001de6eeee364573c2a66725f5037cbebc219b018712be2cc04a5233d83f6ed7a3da0ae96a83aaf0d97
-
Filesize
236B
MD5ce68c1d669c8ad8fc8107bd3584b74d2
SHA15ee5a0bd991a2be186b497b65add413983b5af2d
SHA256013e6a99b60e06b3bb2e14f81edd6dd692095b6731379db5e4895c201eaa4b76
SHA51249145ca327af30a818ec5c998406f74b6f162bffd399b36591378d78199c7b6b8fbbc1b4244bd88c375a95b24c3bfa2709b6140196b41cc369569e497439036f
-
Filesize
236B
MD556c050da2625f170c610389281abaaac
SHA1ae3a6cec9d6586e9390e1c22b070d27f5afa43e8
SHA256571a42e952ed49387ef0f0d53f6b9f74f934f339be73563195c24c58b51ac208
SHA512a90b9792f01688fe7f1d34dbc659cdf723fbcd6706965540f79d8c49b709c55e4e2840d02a6862fd2d432d526d95f835b40855f196bb08f3ebcd7b375fdb29fa
-
Filesize
236B
MD5075d743faf9bdd0cd3c73522c962f577
SHA1877bce327a96d9f4246e97ee54280432f9d59a2e
SHA256096b6ad7489dda4ebd8de163f99956461b948c8ab881fbc0fcdeb53d92c7e948
SHA512e0be8e2bb472a3c9ee82429ae28cad3e7dd12e4285d4dccc7254496b74c99b7d2c4e96b2adc78582243e4b5006110621e1e997fe2d5d374bf55e22b83a3fa3d4
-
Filesize
236B
MD521ebf18637eefc23201cd310c41016d5
SHA18a412516a7df7a5c1e1fe32334e890bb4735605e
SHA2560a3d6be5aae4c029cc912c5175773871468d32681dad3d5610c7f21e4826d730
SHA5124a179b22fbedfb4fa5462e10d43dcdbcfa2b7083f0b0550de41e07d06a8a0f7dd06b97a3df25292d744e47ed72c8e9343c8f98f7ad7737f3aa8d0669af0dbd57
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize7KB
MD51ef9b9c75b430f7115846e42b51ad20c
SHA17a03149720a07cb5e6cc574f992db4f57f162ff1
SHA25654e8934a8c686e437d247aa27f8b6ef9139d6347387b3f227c0283a0e90256d1
SHA512f074c3e821233e8de2bcb0fceb22ceb6bcfbcf3da653d10d2d4dcc97319263ecbd5f00acdf7d3a79008ef7ef926f66c9883e0657939ef34ca01129461f24e6cc
-
Filesize
36B
MD56783c3ee07c7d151ceac57f1f9c8bed7
SHA117468f98f95bf504cc1f83c49e49a78526b3ea03
SHA2568ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8
-
Filesize
1.0MB
MD5bd31e94b4143c4ce49c17d3af46bcad0
SHA1f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
Filesize
197B
MD58088241160261560a02c84025d107592
SHA1083121f7027557570994c9fc211df61730455bb5
SHA2562072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA51220d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478