Analysis
- max time kernel: 144s
- max time network: 139s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 22-12-2024 01:17
Behavioral task: behavioral1
- Sample: JaffaCakes118_23939697a7d40eacbd4d2befed9ccbd80103f23a527ff256f3c05026cb3e23a8.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: JaffaCakes118_23939697a7d40eacbd4d2befed9ccbd80103f23a527ff256f3c05026cb3e23a8.exe
- Resource: win10v2004-20241007-en
General
- Target: JaffaCakes118_23939697a7d40eacbd4d2befed9ccbd80103f23a527ff256f3c05026cb3e23a8.exe
- Size: 1.3MB
- MD5: 5cf1d961618842419c2236ceee53a248
- SHA1: 358b2edbc9d688ae9168144708e3961f7bbed3e1
- SHA256: 23939697a7d40eacbd4d2befed9ccbd80103f23a527ff256f3c05026cb3e23a8
- SHA512: 6bf977f6a0ab9f442c6e0e5edf8aebb5a55a89814cc506d434214b7e6fe48456d090b081c065c5cb76f2cfcf42a3d8339daef96b1a408832531f1bbcf65a6c08
- SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
- DcRat
  DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
- Dcrat family
- Process spawned unexpected child process (6 IoCs)
  This typically indicates the parent process was compromised via an exploit or macro.
  description | pid | pid_target | Process | procid_target
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2660 | 2884 | schtasks.exe | 34
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2932 | 2884 | schtasks.exe | 34
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2800 | 2884 | schtasks.exe | 34
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2628 | 2884 | schtasks.exe | 34
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2656 | 2884 | schtasks.exe | 34
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2128 | 2884 | schtasks.exe | 34
  resource | yara_rule
  behavioral1/files/0x0007000000016dbe-9.dat | dcrat
  behavioral1/memory/796-13-0x0000000000AA0000-0x0000000000BB0000-memory.dmp | dcrat
  behavioral1/memory/1712-28-0x0000000000C50000-0x0000000000D60000-memory.dmp | dcrat
  behavioral1/memory/2052-103-0x0000000001000000-0x0000000001110000-memory.dmp | dcrat
  behavioral1/memory/2588-282-0x00000000013C0000-0x00000000014D0000-memory.dmp | dcrat
  behavioral1/memory/2624-401-0x0000000000200000-0x0000000000310000-memory.dmp | dcrat
  behavioral1/memory/2280-461-0x0000000001360000-0x0000000001470000-memory.dmp | dcrat
- Command and Scripting Interpreter: PowerShell (1 TTPs, 3 IoCs)
  Run PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  pid | Process
  876 | powershell.exe
  2496 | powershell.exe
  2380 | powershell.exe
- Executes dropped EXE (13 IoCs)
  pid | Process
  796 | DllCommonsvc.exe
  1712 | WmiPrvSE.exe
  2052 | WmiPrvSE.exe
  2780 | WmiPrvSE.exe
  1688 | WmiPrvSE.exe
  2588 | WmiPrvSE.exe
  2512 | WmiPrvSE.exe
  2624 | WmiPrvSE.exe
  2280 | WmiPrvSE.exe
  1784 | WmiPrvSE.exe
  1512 | WmiPrvSE.exe
  1908 | WmiPrvSE.exe
  2312 | WmiPrvSE.exe
- Loads dropped DLL (2 IoCs)
  pid | Process
  2192 | cmd.exe
  2192 | cmd.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 12 IoCs)
  flow | ioc
  4 | raw.githubusercontent.com
  9 | raw.githubusercontent.com
  13 | raw.githubusercontent.com
  16 | raw.githubusercontent.com
  22 | raw.githubusercontent.com
  29 | raw.githubusercontent.com
  36 | raw.githubusercontent.com
  5 | raw.githubusercontent.com
  19 | raw.githubusercontent.com
  26 | raw.githubusercontent.com
  33 | raw.githubusercontent.com
  40 | raw.githubusercontent.com
- Drops file in Windows directory (3 IoCs)
  description | ioc | Process
  File created | C:\Windows\inf\conhost.exe | DllCommonsvc.exe
  File opened for modification | C:\Windows\inf\conhost.exe | DllCommonsvc.exe
  File created | C:\Windows\inf\088424020bedd6 | DllCommonsvc.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_23939697a7d40eacbd4d2befed9ccbd80103f23a527ff256f3c05026cb3e23a8.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
- Scheduled Task/Job: Scheduled Task (1 TTPs, 6 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  2932 | schtasks.exe
  2800 | schtasks.exe
  2628 | schtasks.exe
  2656 | schtasks.exe
  2128 | schtasks.exe
  2660 | schtasks.exe
- Suspicious behavior: EnumeratesProcesses (16 IoCs)
  pid | Process
  796 | DllCommonsvc.exe
  876 | powershell.exe
  2496 | powershell.exe
  2380 | powershell.exe
  1712 | WmiPrvSE.exe
  2052 | WmiPrvSE.exe
  2780 | WmiPrvSE.exe
  1688 | WmiPrvSE.exe
  2588 | WmiPrvSE.exe
  2512 | WmiPrvSE.exe
  2624 | WmiPrvSE.exe
  2280 | WmiPrvSE.exe
  1784 | WmiPrvSE.exe
  1512 | WmiPrvSE.exe
  1908 | WmiPrvSE.exe
  2312 | WmiPrvSE.exe
- Suspicious use of AdjustPrivilegeToken (16 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 796 | DllCommonsvc.exe
  Token: SeDebugPrivilege | 876 | powershell.exe
  Token: SeDebugPrivilege | 1712 | WmiPrvSE.exe
  Token: SeDebugPrivilege | 2496 | powershell.exe
  Token: SeDebugPrivilege | 2380 | powershell.exe
  Token: SeDebugPrivilege | 2052 | WmiPrvSE.exe
  Token: SeDebugPrivilege | 2780 | WmiPrvSE.exe
  Token: SeDebugPrivilege | 1688 | WmiPrvSE.exe
  Token: SeDebugPrivilege | 2588 | WmiPrvSE.exe
  Token: SeDebugPrivilege | 2512 | WmiPrvSE.exe
  Token: SeDebugPrivilege | 2624 | WmiPrvSE.exe
  Token: SeDebugPrivilege | 2280 | WmiPrvSE.exe
  Token: SeDebugPrivilege | 1784 | WmiPrvSE.exe
  Token: SeDebugPrivilege | 1512 | WmiPrvSE.exe
  Token: SeDebugPrivilege | 1908 | WmiPrvSE.exe
  Token: SeDebugPrivilege | 2312 | WmiPrvSE.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  description | pid | Process | procid_target
  PID 2160 wrote to memory of 2180 | 2160 | JaffaCakes118_23939697a7d40eacbd4d2befed9ccbd80103f23a527ff256f3c05026cb3e23a8.exe | 30
  PID 2160 wrote to memory of 2180 | 2160 | JaffaCakes118_23939697a7d40eacbd4d2befed9ccbd80103f23a527ff256f3c05026cb3e23a8.exe | 30
  PID 2160 wrote to memory of 2180 | 2160 | JaffaCakes118_23939697a7d40eacbd4d2befed9ccbd80103f23a527ff256f3c05026cb3e23a8.exe | 30
  PID 2160 wrote to memory of 2180 | 2160 | JaffaCakes118_23939697a7d40eacbd4d2befed9ccbd80103f23a527ff256f3c05026cb3e23a8.exe | 30
  PID 2180 wrote to memory of 2192 | 2180 | WScript.exe | 31
  PID 2180 wrote to memory of 2192 | 2180 | WScript.exe | 31
  PID 2180 wrote to memory of 2192 | 2180 | WScript.exe | 31
  PID 2180 wrote to memory of 2192 | 2180 | WScript.exe | 31
  PID 2192 wrote to memory of 796 | 2192 | cmd.exe | 33
  PID 2192 wrote to memory of 796 | 2192 | cmd.exe | 33
  PID 2192 wrote to memory of 796 | 2192 | cmd.exe | 33
  PID 2192 wrote to memory of 796 | 2192 | cmd.exe | 33
  PID 796 wrote to memory of 876 | 796 | DllCommonsvc.exe | 41
  PID 796 wrote to memory of 876 | 796 | DllCommonsvc.exe | 41
  PID 796 wrote to memory of 876 | 796 | DllCommonsvc.exe | 41
  PID 796 wrote to memory of 2496 | 796 | DllCommonsvc.exe | 42
  PID 796 wrote to memory of 2496 | 796 | DllCommonsvc.exe | 42
  PID 796 wrote to memory of 2496 | 796 | DllCommonsvc.exe | 42
  PID 796 wrote to memory of 2380 | 796 | DllCommonsvc.exe | 43
  PID 796 wrote to memory of 2380 | 796 | DllCommonsvc.exe | 43
  PID 796 wrote to memory of 2380 | 796 | DllCommonsvc.exe | 43
  PID 796 wrote to memory of 1712 | 796 | DllCommonsvc.exe | 47
  PID 796 wrote to memory of 1712 | 796 | DllCommonsvc.exe | 47
  PID 796 wrote to memory of 1712 | 796 | DllCommonsvc.exe | 47
  PID 1712 wrote to memory of 936 | 1712 | WmiPrvSE.exe | 49
  PID 1712 wrote to memory of 936 | 1712 | WmiPrvSE.exe | 49
  PID 1712 wrote to memory of 936 | 1712 | WmiPrvSE.exe | 49
  PID 936 wrote to memory of 848 | 936 | cmd.exe | 51
  PID 936 wrote to memory of 848 | 936 | cmd.exe | 51
  PID 936 wrote to memory of 848 | 936 | cmd.exe | 51
  PID 936 wrote to memory of 2052 | 936 | cmd.exe | 52
  PID 936 wrote to memory of 2052 | 936 | cmd.exe | 52
  PID 936 wrote to memory of 2052 | 936 | cmd.exe | 52
  PID 2052 wrote to memory of 2936 | 2052 | WmiPrvSE.exe | 53
  PID 2052 wrote to memory of 2936 | 2052 | WmiPrvSE.exe | 53
  PID 2052 wrote to memory of 2936 | 2052 | WmiPrvSE.exe | 53
  PID 2936 wrote to memory of 2180 | 2936 | cmd.exe | 55
  PID 2936 wrote to memory of 2180 | 2936 | cmd.exe | 55
  PID 2936 wrote to memory of 2180 | 2936 | cmd.exe | 55
  PID 2936 wrote to memory of 2780 | 2936 | cmd.exe | 56
  PID 2936 wrote to memory of 2780 | 2936 | cmd.exe | 56
  PID 2936 wrote to memory of 2780 | 2936 | cmd.exe | 56
  PID 2780 wrote to memory of 1880 | 2780 | WmiPrvSE.exe | 57
  PID 2780 wrote to memory of 1880 | 2780 | WmiPrvSE.exe | 57
  PID 2780 wrote to memory of 1880 | 2780 | WmiPrvSE.exe | 57
  PID 1880 wrote to memory of 2676 | 1880 | cmd.exe | 59
  PID 1880 wrote to memory of 2676 | 1880 | cmd.exe | 59
  PID 1880 wrote to memory of 2676 | 1880 | cmd.exe | 59
  PID 1880 wrote to memory of 1688 | 1880 | cmd.exe | 60
  PID 1880 wrote to memory of 1688 | 1880 | cmd.exe | 60
  PID 1880 wrote to memory of 1688 | 1880 | cmd.exe | 60
  PID 1688 wrote to memory of 1936 | 1688 | WmiPrvSE.exe | 61
  PID 1688 wrote to memory of 1936 | 1688 | WmiPrvSE.exe | 61
  PID 1688 wrote to memory of 1936 | 1688 | WmiPrvSE.exe | 61
  PID 1936 wrote to memory of 276 | 1936 | cmd.exe | 63
  PID 1936 wrote to memory of 276 | 1936 | cmd.exe | 63
  PID 1936 wrote to memory of 276 | 1936 | cmd.exe | 63
  PID 1936 wrote to memory of 2588 | 1936 | cmd.exe | 64
  PID 1936 wrote to memory of 2588 | 1936 | cmd.exe | 64
  PID 1936 wrote to memory of 2588 | 1936 | cmd.exe | 64
  PID 2588 wrote to memory of 1584 | 2588 | WmiPrvSE.exe | 65
  PID 2588 wrote to memory of 1584 | 2588 | WmiPrvSE.exe | 65
  PID 2588 wrote to memory of 1584 | 2588 | WmiPrvSE.exe | 65
  PID 1584 wrote to memory of 1628 | 1584 | cmd.exe | 67
- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (tree depth shown as level)
- Level 1: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_23939697a7d40eacbd4d2befed9ccbd80103f23a527ff256f3c05026cb3e23a8.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_23939697a7d40eacbd4d2befed9ccbd80103f23a527ff256f3c05026cb3e23a8.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2160
- Level 2: C:\Windows\SysWOW64\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2180
- Level 3: C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c ""C:\providercommon\1zu9dW.bat" "
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2192
- Level 4: C:\providercommon\DllCommonsvc.exe
  Command line: "C:\providercommon\DllCommonsvc.exe"
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 796
- Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 876
- Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\inf\conhost.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2496
- Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\WmiPrvSE.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2380
- Level 5: C:\providercommon\WmiPrvSE.exe
  Command line: "C:\providercommon\WmiPrvSE.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1712
- Level 6: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xZLz5Ote6t.bat"
  - Suspicious use of WriteProcessMemory
  PID: 936
- Level 7: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 848
- Level 7: C:\providercommon\WmiPrvSE.exe
  Command line: "C:\providercommon\WmiPrvSE.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2052
- Level 8: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZBm8ilTxac.bat"
  - Suspicious use of WriteProcessMemory
  PID: 2936
- Level 9: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2180
- Level 9: C:\providercommon\WmiPrvSE.exe
  Command line: "C:\providercommon\WmiPrvSE.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2780
- Level 10: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6uGRILFBWR.bat"
  - Suspicious use of WriteProcessMemory
  PID: 1880
- Level 11: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2676
- Level 11: C:\providercommon\WmiPrvSE.exe
  Command line: "C:\providercommon\WmiPrvSE.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1688
- Level 12: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UTkrWZWekQ.bat"
  - Suspicious use of WriteProcessMemory
  PID: 1936
- Level 13: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 276
- Level 13: C:\providercommon\WmiPrvSE.exe
  Command line: "C:\providercommon\WmiPrvSE.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2588
- Level 14: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HKL0gj8mBn.bat"
  - Suspicious use of WriteProcessMemory
  PID: 1584
- Level 15: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 1628
- Level 15: C:\providercommon\WmiPrvSE.exe
  Command line: "C:\providercommon\WmiPrvSE.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2512
- Level 16: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Zj0hR7WTEZ.bat"
  PID: 1696
- Level 17: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 1144
- Level 17: C:\providercommon\WmiPrvSE.exe
  Command line: "C:\providercommon\WmiPrvSE.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2624
- Level 18: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\paq62miIo8.bat"
  PID: 1392
- Level 19: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 968
- Level 19: C:\providercommon\WmiPrvSE.exe
  Command line: "C:\providercommon\WmiPrvSE.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2280
- Level 20: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BGyPdaK1JU.bat"
  PID: 1576
- Level 21: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 3000
- Level 21: C:\providercommon\WmiPrvSE.exe
  Command line: "C:\providercommon\WmiPrvSE.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1784
- Level 22: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\p9sA7N8NGm.bat"
  PID: 2792
- Level 23: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2620
- Level 23: C:\providercommon\WmiPrvSE.exe
  Command line: "C:\providercommon\WmiPrvSE.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1512
- Level 24: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UJpHfzfs2i.bat"
  PID: 2224
- Level 25: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 1316
- Level 25: C:\providercommon\WmiPrvSE.exe
  Command line: "C:\providercommon\WmiPrvSE.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1908
- Level 26: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2pbp0wsTa1.bat"
  PID: 1048
- Level 27: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 1524
- Level 27: C:\providercommon\WmiPrvSE.exe
  Command line: "C:\providercommon\WmiPrvSE.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2312
- Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Windows\inf\conhost.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2660
- Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\inf\conhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2932
- Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Windows\inf\conhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2800
- Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\providercommon\WmiPrvSE.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2628
- Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2656
- Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2128
Network
MITRE ATT&CK Enterprise v15
Downloads