Analysis
- Max time kernel: 150s
- Max time network: 154s
- Platform: windows7_x64
- Resource: win7-20241010-en
- Resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
- Submitted: 22/12/2024, 06:06
Behavioral task behavioral1
- Sample: JaffaCakes118_928f0eac6a7f4e9afacbcba0a8e13c7a7a6ab1e376cc0a4e82a563a21b29e7b5.exe
- Resource: win7-20241010-en
Behavioral task behavioral2
- Sample: JaffaCakes118_928f0eac6a7f4e9afacbcba0a8e13c7a7a6ab1e376cc0a4e82a563a21b29e7b5.exe
- Resource: win10v2004-20241007-en
General
- Target: JaffaCakes118_928f0eac6a7f4e9afacbcba0a8e13c7a7a6ab1e376cc0a4e82a563a21b29e7b5.exe
- Size: 1.3MB
- MD5: bb9fde841f13265ed7cb346dea6599ed
- SHA1: 8722e36a8ad766f9bd996abade0af69f6668817f
- SHA256: 928f0eac6a7f4e9afacbcba0a8e13c7a7a6ab1e376cc0a4e82a563a21b29e7b5
- SHA512: fad665902515da0fa1291f432d569630bffd830b1b345717c6fb17de4ed27b9175ce57875dd7889457ec7c68bf39231510b6440504a60bd9c5a02f3fcb67300f
- SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
DcRat
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

| resource | yara_rule |
|---|---|
| behavioral1/files/0x0008000000016fc9-12.dat | dcrat |
| behavioral1/memory/2952-13-0x00000000002F0000-0x0000000000400000-memory.dmp | dcrat |
| behavioral1/memory/3004-30-0x0000000001220000-0x0000000001330000-memory.dmp | dcrat |
| behavioral1/memory/1784-169-0x0000000000050000-0x0000000000160000-memory.dmp | dcrat |
| behavioral1/memory/304-229-0x0000000000820000-0x0000000000930000-memory.dmp | dcrat |
| behavioral1/memory/1436-289-0x0000000001190000-0x00000000012A0000-memory.dmp | dcrat |
| behavioral1/memory/3052-467-0x0000000000290000-0x00000000003A0000-memory.dmp | dcrat |
| behavioral1/memory/1088-527-0x0000000000B30000-0x0000000000C40000-memory.dmp | dcrat |
| behavioral1/memory/2836-587-0x0000000001310000-0x0000000001420000-memory.dmp | dcrat |

Dcrat family

Process spawned unexpected child process (9 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.

| description | pid | pid_target | Process | procid_target |
|---|---|---|---|---|
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2760 | 2628 | schtasks.exe | 34 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2356 | 2628 | schtasks.exe | 34 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 640 | 2628 | schtasks.exe | 34 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2556 | 2628 | schtasks.exe | 34 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2724 | 2628 | schtasks.exe | 34 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1600 | 2628 | schtasks.exe | 34 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2428 | 2628 | schtasks.exe | 34 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2404 | 2628 | schtasks.exe | 34 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1640 | 2628 | schtasks.exe | 34 |
Command and Scripting Interpreter: PowerShell (1 TTPs, 4 IoCs)
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

| pid | Process |
|---|---|
| 2336 | powershell.exe |
| 1312 | powershell.exe |
| 3012 | powershell.exe |
| 1348 | powershell.exe |

Executes dropped EXE (11 IoCs)

| pid | Process |
|---|---|
| 2952 | DllCommonsvc.exe |
| 3004 | lsm.exe |
| 944 | lsm.exe |
| 1784 | lsm.exe |
| 304 | lsm.exe |
| 1436 | lsm.exe |
| 2644 | lsm.exe |
| 1892 | lsm.exe |
| 3052 | lsm.exe |
| 1088 | lsm.exe |
| 2836 | lsm.exe |

Loads dropped DLL (2 IoCs)

| pid | Process |
|---|---|
| 2960 | cmd.exe |
| 2960 | cmd.exe |

Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 10 IoCs)

| flow | ioc |
|---|---|
| 18 | raw.githubusercontent.com |
| 22 | raw.githubusercontent.com |
| 25 | raw.githubusercontent.com |
| 29 | raw.githubusercontent.com |
| 33 | raw.githubusercontent.com |
| 12 | raw.githubusercontent.com |
| 15 | raw.githubusercontent.com |
| 9 | raw.githubusercontent.com |
| 4 | raw.githubusercontent.com |
| 5 | raw.githubusercontent.com |

Drops file in Program Files directory (3 IoCs)

| description | ioc | Process |
|---|---|---|
| File created | C:\Program Files\Java\jdk1.7.0_80\jre\System.exe | DllCommonsvc.exe |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\System.exe | DllCommonsvc.exe |
| File created | C:\Program Files\Java\jdk1.7.0_80\jre\27d1bcfc3c54e0 | DllCommonsvc.exe |

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

| description | ioc | Process |
|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_928f0eac6a7f4e9afacbcba0a8e13c7a7a6ab1e376cc0a4e82a563a21b29e7b5.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe |
Scheduled Task/Job: Scheduled Task (1 TTPs, 9 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.

| pid | Process |
|---|---|
| 2760 | schtasks.exe |
| 2356 | schtasks.exe |
| 2724 | schtasks.exe |
| 2404 | schtasks.exe |
| 1640 | schtasks.exe |
| 640 | schtasks.exe |
| 2556 | schtasks.exe |
| 1600 | schtasks.exe |
| 2428 | schtasks.exe |

Suspicious behavior: EnumeratesProcesses (19 IoCs)

| pid | Process |
|---|---|
| 2952 | DllCommonsvc.exe |
| 2952 | DllCommonsvc.exe |
| 2952 | DllCommonsvc.exe |
| 2952 | DllCommonsvc.exe |
| 2952 | DllCommonsvc.exe |
| 3012 | powershell.exe |
| 1348 | powershell.exe |
| 1312 | powershell.exe |
| 2336 | powershell.exe |
| 3004 | lsm.exe |
| 944 | lsm.exe |
| 1784 | lsm.exe |
| 304 | lsm.exe |
| 1436 | lsm.exe |
| 2644 | lsm.exe |
| 1892 | lsm.exe |
| 3052 | lsm.exe |
| 1088 | lsm.exe |
| 2836 | lsm.exe |

Suspicious use of AdjustPrivilegeToken (15 IoCs)

| description | pid | Process |
|---|---|---|
| Token: SeDebugPrivilege | 2952 | DllCommonsvc.exe |
| Token: SeDebugPrivilege | 3004 | lsm.exe |
| Token: SeDebugPrivilege | 3012 | powershell.exe |
| Token: SeDebugPrivilege | 1348 | powershell.exe |
| Token: SeDebugPrivilege | 1312 | powershell.exe |
| Token: SeDebugPrivilege | 2336 | powershell.exe |
| Token: SeDebugPrivilege | 944 | lsm.exe |
| Token: SeDebugPrivilege | 1784 | lsm.exe |
| Token: SeDebugPrivilege | 304 | lsm.exe |
| Token: SeDebugPrivilege | 1436 | lsm.exe |
| Token: SeDebugPrivilege | 2644 | lsm.exe |
| Token: SeDebugPrivilege | 1892 | lsm.exe |
| Token: SeDebugPrivilege | 3052 | lsm.exe |
| Token: SeDebugPrivilege | 1088 | lsm.exe |
| Token: SeDebugPrivilege | 2836 | lsm.exe |
Suspicious use of WriteProcessMemory (64 IoCs)
The original report lists one row per call; identical rows are collapsed here with their count in the last column.

| description | pid | Process | procid_target | rows |
|---|---|---|---|---|
| PID 1820 wrote to memory of 2260 | 1820 | JaffaCakes118_928f0eac6a7f4e9afacbcba0a8e13c7a7a6ab1e376cc0a4e82a563a21b29e7b5.exe | 30 | 4 |
| PID 2260 wrote to memory of 2960 | 2260 | WScript.exe | 31 | 4 |
| PID 2960 wrote to memory of 2952 | 2960 | cmd.exe | 33 | 4 |
| PID 2952 wrote to memory of 2336 | 2952 | DllCommonsvc.exe | 44 | 3 |
| PID 2952 wrote to memory of 1312 | 2952 | DllCommonsvc.exe | 45 | 3 |
| PID 2952 wrote to memory of 1348 | 2952 | DllCommonsvc.exe | 46 | 3 |
| PID 2952 wrote to memory of 3012 | 2952 | DllCommonsvc.exe | 47 | 3 |
| PID 2952 wrote to memory of 3004 | 2952 | DllCommonsvc.exe | 52 | 3 |
| PID 3004 wrote to memory of 2188 | 3004 | lsm.exe | 53 | 3 |
| PID 2188 wrote to memory of 952 | 2188 | cmd.exe | 55 | 3 |
| PID 2188 wrote to memory of 944 | 2188 | cmd.exe | 56 | 3 |
| PID 944 wrote to memory of 3068 | 944 | lsm.exe | 57 | 3 |
| PID 3068 wrote to memory of 2588 | 3068 | cmd.exe | 59 | 3 |
| PID 3068 wrote to memory of 1784 | 3068 | cmd.exe | 60 | 3 |
| PID 1784 wrote to memory of 1900 | 1784 | lsm.exe | 61 | 3 |
| PID 1900 wrote to memory of 1888 | 1900 | cmd.exe | 63 | 3 |
| PID 1900 wrote to memory of 304 | 1900 | cmd.exe | 64 | 3 |
| PID 304 wrote to memory of 1520 | 304 | lsm.exe | 65 | 3 |
| PID 1520 wrote to memory of 1780 | 1520 | cmd.exe | 67 | 3 |
| PID 1520 wrote to memory of 1436 | 1520 | cmd.exe | 68 | 3 |
| PID 1436 wrote to memory of 2996 | 1436 | lsm.exe | 69 | 1 |
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
The number in brackets is the depth of the process in the tree; each entry is a child of the nearest preceding entry with a smaller depth.

[1] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_928f0eac6a7f4e9afacbcba0a8e13c7a7a6ab1e376cc0a4e82a563a21b29e7b5.exe (PID 1820)
    Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_928f0eac6a7f4e9afacbcba0a8e13c7a7a6ab1e376cc0a4e82a563a21b29e7b5.exe"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

[2] C:\Windows\SysWOW64\WScript.exe (PID 2260)
    Command line: "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

[3] C:\Windows\SysWOW64\cmd.exe (PID 2960)
    Command line: cmd /c ""C:\providercommon\1zu9dW.bat" "
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

[4] C:\providercommon\DllCommonsvc.exe (PID 2952)
    Command line: "C:\providercommon\DllCommonsvc.exe"
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2336)
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1312)
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\jdk1.7.0_80\jre\System.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1348)
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\lsm.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3012)
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\sppsvc.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

[5] C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\lsm.exe (PID 3004)
    Command line: "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\lsm.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
[6] C:\Windows\System32\cmd.exe (PID 2188)
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WLCDTNV5Zk.bat"
    - Suspicious use of WriteProcessMemory

[7] C:\Windows\system32\w32tm.exe (PID 952)
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

[7] C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\lsm.exe (PID 944)
    Command line: "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\lsm.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

[8] C:\Windows\System32\cmd.exe (PID 3068)
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NjKeWzk8OD.bat"
    - Suspicious use of WriteProcessMemory

[9] C:\Windows\system32\w32tm.exe (PID 2588)
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

[9] C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\lsm.exe (PID 1784)
    Command line: "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\lsm.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

[10] C:\Windows\System32\cmd.exe (PID 1900)
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vIn8vbLsXf.bat"
    - Suspicious use of WriteProcessMemory

[11] C:\Windows\system32\w32tm.exe (PID 1888)
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

[11] C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\lsm.exe (PID 304)
    Command line: "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\lsm.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

[12] C:\Windows\System32\cmd.exe (PID 1520)
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ktiZWDSHsI.bat"
    - Suspicious use of WriteProcessMemory

[13] C:\Windows\system32\w32tm.exe (PID 1780)
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

[13] C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\lsm.exe (PID 1436)
    Command line: "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\lsm.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

[14] C:\Windows\System32\cmd.exe (PID 2996)
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2wrSnsL5gc.bat"

[15] C:\Windows\system32\w32tm.exe (PID 2844)
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

[15] C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\lsm.exe (PID 2644)
    Command line: "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\lsm.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

[16] C:\Windows\System32\cmd.exe (PID 288)
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\etpQuxQFPn.bat"

[17] C:\Windows\system32\w32tm.exe (PID 640)
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

[17] C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\lsm.exe (PID 1892)
    Command line: "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\lsm.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

[18] C:\Windows\System32\cmd.exe (PID 1452)
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xm2kK1SIVO.bat"

[19] C:\Windows\system32\w32tm.exe (PID 1084)
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

[19] C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\lsm.exe (PID 3052)
    Command line: "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\lsm.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

[20] C:\Windows\System32\cmd.exe (PID 3000)
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TdlfhXh7Yo.bat"

[21] C:\Windows\system32\w32tm.exe (PID 2212)
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

[21] C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\lsm.exe (PID 1088)
    Command line: "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\lsm.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

[22] C:\Windows\System32\cmd.exe (PID 2960)
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TDlQnvRVvY.bat"

[23] C:\Windows\system32\w32tm.exe (PID 1576)
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

[23] C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\lsm.exe (PID 2836)
    Command line: "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\lsm.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
[1] C:\Windows\system32\schtasks.exe (PID 2760)
    Command line: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Program Files\Java\jdk1.7.0_80\jre\System.exe'" /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task

[1] C:\Windows\system32\schtasks.exe (PID 2356)
    Command line: schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Java\jdk1.7.0_80\jre\System.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task

[1] C:\Windows\system32\schtasks.exe (PID 640)
    Command line: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Program Files\Java\jdk1.7.0_80\jre\System.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task

[1] C:\Windows\system32\schtasks.exe (PID 2556)
    Command line: schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\lsm.exe'" /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task

[1] C:\Windows\system32\schtasks.exe (PID 2724)
    Command line: schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task

[1] C:\Windows\system32\schtasks.exe (PID 1600)
    Command line: schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task

[1] C:\Windows\system32\schtasks.exe (PID 2428)
    Command line: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task

[1] C:\Windows\system32\schtasks.exe (PID 2404)
    Command line: schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task

[1] C:\Windows\system32\schtasks.exe (PID 1640)
    Command line: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
Downloads