Analysis
max time kernel: 148s
max time network: 144s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
submitted: 22/12/2024, 02:23
Behavioral task behavioral1
Sample: JaffaCakes118_bb31e81be27c3fa782ad08fed1d2626375cd33e279e710281abf9c1c4f27a069.exe
Resource: win7-20240903-en
Behavioral task behavioral2
Sample: JaffaCakes118_bb31e81be27c3fa782ad08fed1d2626375cd33e279e710281abf9c1c4f27a069.exe
Resource: win10v2004-20241007-en
General
Target: JaffaCakes118_bb31e81be27c3fa782ad08fed1d2626375cd33e279e710281abf9c1c4f27a069.exe
Size: 1.3MB
MD5: eac7aabe3275c27dd1d139d9ee9bd879
SHA1: bc6f2466ca6c9d1b80a47d047f1bc881fe9553ca
SHA256: bb31e81be27c3fa782ad08fed1d2626375cd33e279e710281abf9c1c4f27a069
SHA512: 0ec074e5d3d346bb7ace25c1370d1237521eff6d748ba11b8be8ac14abc123713a3bcf77f56dd38c72ed29150077ef355f096aca258ed4cad11a1f77c131192a
SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.
Dcrat family
resource                                                                      yara_rule
behavioral1/files/0x0008000000016c89-9.dat                                    dcrat
behavioral1/memory/2812-13-0x0000000000A50000-0x0000000000B60000-memory.dmp   dcrat
behavioral1/memory/1684-47-0x0000000000840000-0x0000000000950000-memory.dmp   dcrat
behavioral1/memory/748-107-0x0000000000020000-0x0000000000130000-memory.dmp   dcrat
behavioral1/memory/1928-167-0x0000000000C30000-0x0000000000D40000-memory.dmp  dcrat
behavioral1/memory/1264-227-0x0000000000EC0000-0x0000000000FD0000-memory.dmp  dcrat
behavioral1/memory/2072-346-0x0000000001380000-0x0000000001490000-memory.dmp  dcrat
behavioral1/memory/2640-406-0x0000000000210000-0x0000000000320000-memory.dmp  dcrat
behavioral1/memory/1720-466-0x00000000012F0000-0x0000000001400000-memory.dmp  dcrat
behavioral1/memory/1324-585-0x00000000013E0000-0x00000000014F0000-memory.dmp  dcrat
Process spawned unexpected child process (9 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
description                                                                         pid   pid_target  Process       procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2700  2796        schtasks.exe  34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2828  2796        schtasks.exe  34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2776  2796        schtasks.exe  34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2660  2796        schtasks.exe  34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  1772  2796        schtasks.exe  34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2496  2796        schtasks.exe  34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  1680  2796        schtasks.exe  34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  1972  2796        schtasks.exe  34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  892   2796        schtasks.exe  34
Command and Scripting Interpreter: PowerShell (1 TTPs, 4 IoCs)
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
pid   Process
2472  powershell.exe
1832  powershell.exe
1304  powershell.exe
2432  powershell.exe
Executes dropped EXE (11 IoCs)
pid   Process
2812  DllCommonsvc.exe
1684  lsm.exe
748   lsm.exe
1928  lsm.exe
1264  lsm.exe
2136  lsm.exe
2072  lsm.exe
2640  lsm.exe
1720  lsm.exe
2404  lsm.exe
1324  lsm.exe
Loads dropped DLL (2 IoCs)
pid   Process
2744  cmd.exe
2744  cmd.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 10 IoCs)
flow  ioc
16    raw.githubusercontent.com
23    raw.githubusercontent.com
27    raw.githubusercontent.com
30    raw.githubusercontent.com
4     raw.githubusercontent.com
9     raw.githubusercontent.com
20    raw.githubusercontent.com
33    raw.githubusercontent.com
5     raw.githubusercontent.com
12    raw.githubusercontent.com
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                          Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  JaffaCakes118_bb31e81be27c3fa782ad08fed1d2626375cd33e279e710281abf9c1c4f27a069.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  WScript.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
Scheduled Task/Job: Scheduled Task (1 TTPs, 9 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid   Process
2700  schtasks.exe
2828  schtasks.exe
2496  schtasks.exe
1680  schtasks.exe
2776  schtasks.exe
2660  schtasks.exe
1772  schtasks.exe
1972  schtasks.exe
892   schtasks.exe
Suspicious behavior: EnumeratesProcesses (15 IoCs)
pid   Process
2812  DllCommonsvc.exe
2432  powershell.exe
1832  powershell.exe
1304  powershell.exe
2472  powershell.exe
1684  lsm.exe
748   lsm.exe
1928  lsm.exe
1264  lsm.exe
2136  lsm.exe
2072  lsm.exe
2640  lsm.exe
1720  lsm.exe
2404  lsm.exe
1324  lsm.exe
Suspicious use of AdjustPrivilegeToken (15 IoCs)
description              pid   Process
Token: SeDebugPrivilege  2812  DllCommonsvc.exe
Token: SeDebugPrivilege  2432  powershell.exe
Token: SeDebugPrivilege  1832  powershell.exe
Token: SeDebugPrivilege  1304  powershell.exe
Token: SeDebugPrivilege  2472  powershell.exe
Token: SeDebugPrivilege  1684  lsm.exe
Token: SeDebugPrivilege  748   lsm.exe
Token: SeDebugPrivilege  1928  lsm.exe
Token: SeDebugPrivilege  1264  lsm.exe
Token: SeDebugPrivilege  2136  lsm.exe
Token: SeDebugPrivilege  2072  lsm.exe
Token: SeDebugPrivilege  2640  lsm.exe
Token: SeDebugPrivilege  1720  lsm.exe
Token: SeDebugPrivilege  2404  lsm.exe
Token: SeDebugPrivilege  1324  lsm.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description                        pid   Process                                                                                   procid_target
PID 2504 wrote to memory of 2920   2504  JaffaCakes118_bb31e81be27c3fa782ad08fed1d2626375cd33e279e710281abf9c1c4f27a069.exe  30
PID 2504 wrote to memory of 2920   2504  JaffaCakes118_bb31e81be27c3fa782ad08fed1d2626375cd33e279e710281abf9c1c4f27a069.exe  30
PID 2504 wrote to memory of 2920   2504  JaffaCakes118_bb31e81be27c3fa782ad08fed1d2626375cd33e279e710281abf9c1c4f27a069.exe  30
PID 2504 wrote to memory of 2920   2504  JaffaCakes118_bb31e81be27c3fa782ad08fed1d2626375cd33e279e710281abf9c1c4f27a069.exe  30
PID 2920 wrote to memory of 2744   2920  WScript.exe                                                                               31
PID 2920 wrote to memory of 2744   2920  WScript.exe                                                                               31
PID 2920 wrote to memory of 2744   2920  WScript.exe                                                                               31
PID 2920 wrote to memory of 2744   2920  WScript.exe                                                                               31
PID 2744 wrote to memory of 2812   2744  cmd.exe                                                                                   33
PID 2744 wrote to memory of 2812   2744  cmd.exe                                                                                   33
PID 2744 wrote to memory of 2812   2744  cmd.exe                                                                                   33
PID 2744 wrote to memory of 2812   2744  cmd.exe                                                                                   33
PID 2812 wrote to memory of 2472   2812  DllCommonsvc.exe                                                                          44
PID 2812 wrote to memory of 2472   2812  DllCommonsvc.exe                                                                          44
PID 2812 wrote to memory of 2472   2812  DllCommonsvc.exe                                                                          44
PID 2812 wrote to memory of 1832   2812  DllCommonsvc.exe                                                                          45
PID 2812 wrote to memory of 1832   2812  DllCommonsvc.exe                                                                          45
PID 2812 wrote to memory of 1832   2812  DllCommonsvc.exe                                                                          45
PID 2812 wrote to memory of 2432   2812  DllCommonsvc.exe                                                                          46
PID 2812 wrote to memory of 2432   2812  DllCommonsvc.exe                                                                          46
PID 2812 wrote to memory of 2432   2812  DllCommonsvc.exe                                                                          46
PID 2812 wrote to memory of 1304   2812  DllCommonsvc.exe                                                                          47
PID 2812 wrote to memory of 1304   2812  DllCommonsvc.exe                                                                          47
PID 2812 wrote to memory of 1304   2812  DllCommonsvc.exe                                                                          47
PID 2812 wrote to memory of 1684   2812  DllCommonsvc.exe                                                                          52
PID 2812 wrote to memory of 1684   2812  DllCommonsvc.exe                                                                          52
PID 2812 wrote to memory of 1684   2812  DllCommonsvc.exe                                                                          52
PID 1684 wrote to memory of 2568   1684  lsm.exe                                                                                   54
PID 1684 wrote to memory of 2568   1684  lsm.exe                                                                                   54
PID 1684 wrote to memory of 2568   1684  lsm.exe                                                                                   54
PID 2568 wrote to memory of 1244   2568  cmd.exe                                                                                   56
PID 2568 wrote to memory of 1244   2568  cmd.exe                                                                                   56
PID 2568 wrote to memory of 1244   2568  cmd.exe                                                                                   56
PID 2568 wrote to memory of 748    2568  cmd.exe                                                                                   57
PID 2568 wrote to memory of 748    2568  cmd.exe                                                                                   57
PID 2568 wrote to memory of 748    2568  cmd.exe                                                                                   57
PID 748 wrote to memory of 3060    748   lsm.exe                                                                                   58
PID 748 wrote to memory of 3060    748   lsm.exe                                                                                   58
PID 748 wrote to memory of 3060    748   lsm.exe                                                                                   58
PID 3060 wrote to memory of 2656   3060  cmd.exe                                                                                   60
PID 3060 wrote to memory of 2656   3060  cmd.exe                                                                                   60
PID 3060 wrote to memory of 2656   3060  cmd.exe                                                                                   60
PID 3060 wrote to memory of 1928   3060  cmd.exe                                                                                   61
PID 3060 wrote to memory of 1928   3060  cmd.exe                                                                                   61
PID 3060 wrote to memory of 1928   3060  cmd.exe                                                                                   61
PID 1928 wrote to memory of 1512   1928  lsm.exe                                                                                   62
PID 1928 wrote to memory of 1512   1928  lsm.exe                                                                                   62
PID 1928 wrote to memory of 1512   1928  lsm.exe                                                                                   62
PID 1512 wrote to memory of 1604   1512  cmd.exe                                                                                   64
PID 1512 wrote to memory of 1604   1512  cmd.exe                                                                                   64
PID 1512 wrote to memory of 1604   1512  cmd.exe                                                                                   64
PID 1512 wrote to memory of 1264   1512  cmd.exe                                                                                   65
PID 1512 wrote to memory of 1264   1512  cmd.exe                                                                                   65
PID 1512 wrote to memory of 1264   1512  cmd.exe                                                                                   65
PID 1264 wrote to memory of 440    1264  lsm.exe                                                                                   66
PID 1264 wrote to memory of 440    1264  lsm.exe                                                                                   66
PID 1264 wrote to memory of 440    1264  lsm.exe                                                                                   66
PID 440 wrote to memory of 2132    440   cmd.exe                                                                                   68
PID 440 wrote to memory of 2132    440   cmd.exe                                                                                   68
PID 440 wrote to memory of 2132    440   cmd.exe                                                                                   68
PID 440 wrote to memory of 2136    440   cmd.exe                                                                                   69
PID 440 wrote to memory of 2136    440   cmd.exe                                                                                   69
PID 440 wrote to memory of 2136    440   cmd.exe                                                                                   69
PID 2136 wrote to memory of 2612   2136  lsm.exe                                                                                   70
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
[depth 1] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bb31e81be27c3fa782ad08fed1d2626375cd33e279e710281abf9c1c4f27a069.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bb31e81be27c3fa782ad08fed1d2626375cd33e279e710281abf9c1c4f27a069.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2504
[depth 2] C:\Windows\SysWOW64\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2920
[depth 3] C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c ""C:\providercommon\1zu9dW.bat" "
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2744
[depth 4] C:\providercommon\DllCommonsvc.exe
  Command line: "C:\providercommon\DllCommonsvc.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2812
[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2472
[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\Idle.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1832
[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2432
[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsm.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1304
[depth 5] C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsm.exe
  Command line: "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsm.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1684
[depth 6] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iPSx7mMsuZ.bat"
  - Suspicious use of WriteProcessMemory
  PID: 2568
[depth 7] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 1244
[depth 7] C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsm.exe
  Command line: "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsm.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 748
[depth 8] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tpXWVAFTZv.bat"
  - Suspicious use of WriteProcessMemory
  PID: 3060
[depth 9] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2656
[depth 9] C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsm.exe
  Command line: "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsm.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1928
[depth 10] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1bQudXBuXp.bat"
  - Suspicious use of WriteProcessMemory
  PID: 1512
[depth 11] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 1604
[depth 11] C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsm.exe
  Command line: "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsm.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1264
[depth 12] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qpvm5o68kg.bat"
  - Suspicious use of WriteProcessMemory
  PID: 440
[depth 13] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2132
[depth 13] C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsm.exe
  Command line: "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsm.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2136
[depth 14] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lHuJ4aKJis.bat"
  PID: 2612
[depth 15] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2528
[depth 15] C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsm.exe
  Command line: "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsm.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2072
[depth 16] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4yKdveU0JJ.bat"
  PID: 1036
[depth 17] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 1240
[depth 17] C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsm.exe
  Command line: "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsm.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2640
[depth 18] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zKs2Tjd9zb.bat"
  PID: 1540
[depth 19] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 1692
[depth 19] C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsm.exe
  Command line: "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsm.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1720
[depth 20] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lZfwAG7KGX.bat"
  PID: 2684
[depth 21] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2388
[depth 21] C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsm.exe
  Command line: "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsm.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2404
[depth 22] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vIn8vbLsXf.bat"
  PID: 2736
[depth 23] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2224
[depth 23] C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsm.exe
  Command line: "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsm.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1324
[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\providercommon\Idle.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2700
[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2828
[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2776
[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2660
[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1772
[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2496
[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsm.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1680
[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1972
[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 892
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 3699d8be7181a47f38614d11ec0eb754
SHA1: 080e75b00c7bb7fd5070e136aec87cecccd854a5
SHA256: 561fc94862681e6be86e0132fdc8c469ea6db33b2413e3831b63007837a041be
SHA512: 8c4c651f24093b32bdebec40c9fdb04196b8380cf7597873f7a948f3add79bb327d7771137592cbb643d21136b9181848baeb02a2a880d07c19e7191558dc498

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 2027fe8a7342e0494b60e326f90f0767
SHA1: 0d7a2f68a9cbe7c09b2b83672ca65f11ff95b836
SHA256: fcfae936e4d1e528959202652c9e855e5e45921cdbd286856c0f5db9d5bca588
SHA512: 3ef04d37e2eee6b8f9b9517940d557853a23bc886d5e6041fa13cb6febb7908cd068e8483b469025220d69991f7cb344caead62160341316be23011a67b8f990

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: c01a00f4d464f1969e8cdb29ae72f2a5
SHA1: 618d0bba608bc9e2b91dd0e489d865b3c6c3a18a
SHA256: 763e93d98e987bbec1d65d0f746b32e80259c7fccd95066afbaf52d8cda6f96d
SHA512: 333ce9a16289994067f2d9675dd2da6b2da844e1c78f1380728aabdd703dba4cbd7b59d8a4b3da93f6ee9ed70396b84bdfdc37ac6e83f71e032af4be935f74f2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 705f6d2916f1fe84842ed21b5d2268e9
SHA1: 9f9a47516cc8329226c760677f330bfea2bdb4e2
SHA256: 7a77703b5a0c16dc3e58fc99db730210c1f47cbad2db83a81a5d460d4d40f442
SHA512: 9b227cc164e0fc1d8b3f2a412d75ab1a5d911c9a01a3fe4f2395f2fda544249ac52b91870a076e06718d75f5f6d4fb7cdc8fc35dcb73dd51b02eef4a50835dad

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: b2db61d0110875c4fc839523e8efc87d
SHA1: 7aa38bd4d3239fa0a936c66974c9d19470c9e931
SHA256: fcd79f15425dd6ef9a52f1c100b19996be90e0c89d0e8b9701d544ce34d6d4a8
SHA512: d0f8d34a5c8d996c18a447f2fd90c7d884a7a14e221aac244d0982f26cfea242bb424317a314b8ebda85fafa194852d044f52a295aa947ac80240e74aeaf6570

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 30a3ca7ddde96439fae3bba0743988dc
SHA1: 14a5719f2bdfd99f239922376967da05a701c492
SHA256: 84e4e654230a4a4ce0b983657e151808ef3499a0e142eeb114dd0f6a4b04f794
SHA512: a40ae04342ee50461e8655d3d86182ecfd6048c21951af1ff1b5cc18b0ded58c977aa4de08cef950dd07f9de1e8dc67787163f147ec1870373ea1968a7e2bec4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 32f24adac84618c3d1556c3dead507ff
SHA1: d66ae9b9a76720d79ec9fcf3e38100ade97aa108
SHA256: df7064ef0a2fa9ee79fbb2b36f8bf512f651797a2987d0b002d2335777f09832
SHA512: cd530406952df8db08a989e3b08ce0d54c127dd840bf613c68d372e345980a873bcd008bb050704240a9a7aebc371f338210958203e69f42534cd4aee852b89c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: a34c3f7d360d4eff2108bd687c368253
SHA1: 9f6555580a590005414cf62a0e11b8fb2eaf31bb
SHA256: 8685054f1eed0db2694c65987eb4425d6410627b6db5147947bd259e8996d4b5
SHA512: a7b03d68b6229e10ceb72ac175df5a597e152deb76225d0ae3068e26ef7528c7499f103d38968275ce0a388dc12c76cf07b08ebc48b4114281c5226141479522

Filesize: 235B
MD5: 572f5b34a6c93e02253262fb73922fc8
SHA1: afba3486d12a5f47e05c6ac1bb3a855b5fc20940
SHA256: 847268b75d28235327e559c8f62510a42a3c5ed59766a9eaaea902c8e8813ab5
SHA512: 51058d7cf8ddf137456059befbf2de0afba190b5a4d97a421e72e003eb7f5ddd6784d708af66ea613e456de9fc3dfeb4e5c5b01b6a94865672743a1dad4f635a

Filesize: 235B
MD5: 0b59c1c5bd33e784f783d5773ba27702
SHA1: 8d96860e37eb1e2411520b822cafa39b4c8d53a4
SHA256: 9ba6395eb3f1795193c9554671b3e1662db21cf599f4a0b403e2932d91780bf3
SHA512: 249aa1cd2edfc2b1a6f1046f1fe94b6774930d0984a850fdcae070b7d0da5661dba9482f9c29d408e1e428771abc72cc20a2b53e02cd92acfae4f27b2b51263e

Filesize: 70KB
MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1: 1723be06719828dda65ad804298d0431f6aff976
SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Filesize: 181KB
MD5: 4ea6026cf93ec6338144661bf1202cd1
SHA1: a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256: 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512: 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Filesize: 235B
MD5: f4d9d146d00ee0b7b9f7edf94a360f94
SHA1: 2bb038637f8abca3714b9b0f335dbbbe84c5a8f5
SHA256: c4fe1772edeacf2f35809718e5d135d647a590d0cd66bc83aae51a7366ef2542
SHA512: 4721f2f51d6f2c1598b7ca73366249ecb9e741cafbd5e9a121e939ab6ede2281f54c863f5f93e2065e6a89945dabf63e5192a4e871b3375c4772bdcd62ef007d

Filesize: 235B
MD5: 68c3534030657c0d2657ee02dec4c4c2
SHA1: f28925ce7ca4cb95fd8e6c2d32e65cd70eb7f34e
SHA256: 0b01e20800d361111004e8e8cfe2347ccfe4ce81c25894d7558c2c291b143ae2
SHA512: e018cc5a8466cd1060f1ad8efce720ec2b549769badd8ab474ef3c6bd23e74f677d575f74f608932cb4825803898b3671fa3909716e1bbdb7b08d9e6573f1bd4

Filesize: 235B
MD5: 3f3bc42b65c8faeaef7cb948162bca38
SHA1: 5ef29fdc1c7959b97fb21931e6b495f4083c3314
SHA256: 00bbff93de56eed7bbfac963590a8030f8f30949ab60ee3f2f071ab9546fef9f
SHA512: 73ca7129624d8048893825e57fee6de8786762d9e87c94b586238e100cd5226987ea426f99996514e13056a2ce029d6527f9e162992ddafa3f6332f8c178fc6e

Filesize: 235B
MD5: 9b5d44a6ceee15d8cc8d1945ca8ac665
SHA1: 405c788290d430b4bfa802c3d94d27fde87419a9
SHA256: 7c68f9f34014567c5e727601a2f62b41f9e5b9b5ed919ab9328f77561bf51efd
SHA512: a97c09d90860cdb2d70eccb30d3c01f923dc07f95ac806b007d4be8205f4e95b9b8f0bd4384fae541212a1b1f342bac0e8a1462b49dad6423e568aa8fa36b424

Filesize: 235B
MD5: b7454b624236f630629bf7d9393c078d
SHA1: e406aa583e55e2430705a53a8dd2ef32f2cca6bc
SHA256: 541a1fe81dd298e8706356cff7583553d44916709b2098cc5185b922008f9237
SHA512: 6cd2075691fbf1ddc243aee9f75910f7643e272e7ceb43232c310334b7723931aa43d5d168dd5b2b37ae7f9c824600a3334b4d5b3f65552a0ddd2d123eb66b5b

Filesize: 235B
MD5: 89c5f11e8e81ef9ab8890355a6ca5754
SHA1: 92490ba4059d8be553a124362f83cf839a431bb9
SHA256: e907953ad6b0755bc808c601ef0d2e0a25e86d93f0f03bfdebe9597ecdd6a5d3
SHA512: 823f3952f3116712720285fd3e847415288e064b037e388cb4928477f7b5b0a07936ea8a28e58d26e1bcf1029b7e269610421d003c15d881fec255df79b1a9d3

Filesize: 235B
MD5: 92eab5453a989d6b591ec30baf35108c
SHA1: 951279b50f32459231168d1b1710369f5e7d9685
SHA256: 150bce0fe2e9d650f00dedb11069bb7902cbeff4eaeb38bd592036e21fedebcc
SHA512: 528305d0c090f255359a2684a3699718ab2f96d63bdc0de96f55e62395963215d99621061a0008a2ed5289068698196ca861861febc994ac85a03ca1caf16f84

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\VLKUU8TDWMD3G5SG51D6.temp
Filesize: 7KB
MD5: 0def4346d31002f66ac454a7c4fed276
SHA1: 23e46097267232db8563b1cbc87fcc1347e266c2
SHA256: 385466dad603d9250f1c5227aea53c848e6b74cf03c37ac88cb27787656d8c0b
SHA512: 120de62214689dcb255e53a72038266059edf227bdd55d67c1574b56fd42e12583b2a71730f04409af17d7eea751fe7d5b309fa3660d5a0d5e1f4abd979da70e

Filesize: 36B
MD5: 6783c3ee07c7d151ceac57f1f9c8bed7
SHA1: 17468f98f95bf504cc1f83c49e49a78526b3ea03
SHA256: 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512: c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Filesize: 197B
MD5: 8088241160261560a02c84025d107592
SHA1: 083121f7027557570994c9fc211df61730455bb5
SHA256: 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA512: 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Filesize: 1.0MB
MD5: bd31e94b4143c4ce49c17d3af46bcad0
SHA1: f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256: b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512: f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394