Analysis
- max time kernel: 145s
- max time network: 140s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 30/12/2024, 02:40
Behavioral task: behavioral1
- Sample: JaffaCakes118_85632560897d9596e5f7eb16193e2d94d8208f2b26b1fd8f2ef1d95802674815.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: JaffaCakes118_85632560897d9596e5f7eb16193e2d94d8208f2b26b1fd8f2ef1d95802674815.exe
- Resource: win10v2004-20241007-en
General
- Target: JaffaCakes118_85632560897d9596e5f7eb16193e2d94d8208f2b26b1fd8f2ef1d95802674815.exe
- Size: 1.3MB
- MD5: d5c604440c132b59058908a0b9e5d914
- SHA1: 116ee355f9e8895c59d2023fc2e597cd44e0dfd7
- SHA256: 85632560897d9596e5f7eb16193e2d94d8208f2b26b1fd8f2ef1d95802674815
- SHA512: 392a9fddf31c71f77d3392c1cad4d9eae63d1d8a87f7ed967d6ad86ac391adbcf6dd6dbd660a8dd014089a9c59a625626b7b48b8a72a296c2a02f95f88c983bd
- SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
- Dcrat family
- Process spawned unexpected child process (15 IoCs)
  This typically indicates the parent process was compromised via an exploit or macro.
  description | pid | pid_target | Process | procid_target
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1652 | 3020 | schtasks.exe | 35
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2560 | 3020 | schtasks.exe | 35
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1716 | 3020 | schtasks.exe | 35
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2964 | 3020 | schtasks.exe | 35
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2368 | 3020 | schtasks.exe | 35
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2428 | 3020 | schtasks.exe | 35
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2288 | 3020 | schtasks.exe | 35
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2832 | 3020 | schtasks.exe | 35
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1520 | 3020 | schtasks.exe | 35
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1700 | 3020 | schtasks.exe | 35
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2316 | 3020 | schtasks.exe | 35
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1500 | 3020 | schtasks.exe | 35
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1356 | 3020 | schtasks.exe | 35
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2848 | 3020 | schtasks.exe | 35
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2840 | 3020 | schtasks.exe | 35
  resource | yara_rule
  behavioral1/files/0x00060000000193df-9.dat | dcrat
  behavioral1/memory/2876-13-0x0000000000FA0000-0x00000000010B0000-memory.dmp | dcrat
  behavioral1/memory/2924-34-0x0000000000E30000-0x0000000000F40000-memory.dmp | dcrat
  behavioral1/memory/2816-124-0x00000000000C0000-0x00000000001D0000-memory.dmp | dcrat
  behavioral1/memory/772-184-0x00000000008D0000-0x00000000009E0000-memory.dmp | dcrat
  behavioral1/memory/1540-244-0x00000000002F0000-0x0000000000400000-memory.dmp | dcrat
  behavioral1/memory/2396-304-0x0000000001360000-0x0000000001470000-memory.dmp | dcrat
- Command and Scripting Interpreter: PowerShell (1 TTPs, 6 IoCs)
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  pid | Process
  1372 | powershell.exe
  480 | powershell.exe
  1212 | powershell.exe
  1992 | powershell.exe
  584 | powershell.exe
  264 | powershell.exe
- Executes dropped EXE (11 IoCs)
  pid | Process
  2876 | DllCommonsvc.exe
  2924 | Idle.exe
  2816 | Idle.exe
  772 | Idle.exe
  1540 | Idle.exe
  2396 | Idle.exe
  2540 | Idle.exe
  532 | Idle.exe
  1592 | Idle.exe
  2780 | Idle.exe
  2744 | Idle.exe
- Loads dropped DLL (2 IoCs)
  pid | Process
  2744 | cmd.exe
  2744 | cmd.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 10 IoCs)
  flow | ioc
  12 | raw.githubusercontent.com
  19 | raw.githubusercontent.com
  22 | raw.githubusercontent.com
  25 | raw.githubusercontent.com
  4 | raw.githubusercontent.com
  5 | raw.githubusercontent.com
  9 | raw.githubusercontent.com
  15 | raw.githubusercontent.com
  29 | raw.githubusercontent.com
  32 | raw.githubusercontent.com
- Drops file in Program Files directory (3 IoCs)
  description | ioc | Process
  File created | C:\Program Files\Windows Sidebar\Gadgets\WmiPrvSE.exe | DllCommonsvc.exe
  File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\WmiPrvSE.exe | DllCommonsvc.exe
  File created | C:\Program Files\Windows Sidebar\Gadgets\24dbde2999530e | DllCommonsvc.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_85632560897d9596e5f7eb16193e2d94d8208f2b26b1fd8f2ef1d95802674815.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
- Scheduled Task/Job: Scheduled Task (1 TTPs, 15 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  2368 | schtasks.exe
  1356 | schtasks.exe
  2848 | schtasks.exe
  2560 | schtasks.exe
  2964 | schtasks.exe
  2288 | schtasks.exe
  1500 | schtasks.exe
  2316 | schtasks.exe
  1652 | schtasks.exe
  2428 | schtasks.exe
  2832 | schtasks.exe
  1700 | schtasks.exe
  1716 | schtasks.exe
  1520 | schtasks.exe
  2840 | schtasks.exe
- Suspicious behavior: EnumeratesProcesses (17 IoCs)
  pid | Process
  2876 | DllCommonsvc.exe
  584 | powershell.exe
  1372 | powershell.exe
  1992 | powershell.exe
  264 | powershell.exe
  480 | powershell.exe
  1212 | powershell.exe
  2924 | Idle.exe
  2816 | Idle.exe
  772 | Idle.exe
  1540 | Idle.exe
  2396 | Idle.exe
  2540 | Idle.exe
  532 | Idle.exe
  1592 | Idle.exe
  2780 | Idle.exe
  2744 | Idle.exe
- Suspicious use of AdjustPrivilegeToken (17 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2876 | DllCommonsvc.exe
  Token: SeDebugPrivilege | 584 | powershell.exe
  Token: SeDebugPrivilege | 1372 | powershell.exe
  Token: SeDebugPrivilege | 1992 | powershell.exe
  Token: SeDebugPrivilege | 264 | powershell.exe
  Token: SeDebugPrivilege | 2924 | Idle.exe
  Token: SeDebugPrivilege | 480 | powershell.exe
  Token: SeDebugPrivilege | 1212 | powershell.exe
  Token: SeDebugPrivilege | 2816 | Idle.exe
  Token: SeDebugPrivilege | 772 | Idle.exe
  Token: SeDebugPrivilege | 1540 | Idle.exe
  Token: SeDebugPrivilege | 2396 | Idle.exe
  Token: SeDebugPrivilege | 2540 | Idle.exe
  Token: SeDebugPrivilege | 532 | Idle.exe
  Token: SeDebugPrivilege | 1592 | Idle.exe
  Token: SeDebugPrivilege | 2780 | Idle.exe
  Token: SeDebugPrivilege | 2744 | Idle.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  description | pid | Process | procid_target
  PID 2112 wrote to memory of 2800 | 2112 | JaffaCakes118_85632560897d9596e5f7eb16193e2d94d8208f2b26b1fd8f2ef1d95802674815.exe | 31
  PID 2112 wrote to memory of 2800 | 2112 | JaffaCakes118_85632560897d9596e5f7eb16193e2d94d8208f2b26b1fd8f2ef1d95802674815.exe | 31
  PID 2112 wrote to memory of 2800 | 2112 | JaffaCakes118_85632560897d9596e5f7eb16193e2d94d8208f2b26b1fd8f2ef1d95802674815.exe | 31
  PID 2112 wrote to memory of 2800 | 2112 | JaffaCakes118_85632560897d9596e5f7eb16193e2d94d8208f2b26b1fd8f2ef1d95802674815.exe | 31
  PID 2800 wrote to memory of 2744 | 2800 | WScript.exe | 32
  PID 2800 wrote to memory of 2744 | 2800 | WScript.exe | 32
  PID 2800 wrote to memory of 2744 | 2800 | WScript.exe | 32
  PID 2800 wrote to memory of 2744 | 2800 | WScript.exe | 32
  PID 2744 wrote to memory of 2876 | 2744 | cmd.exe | 34
  PID 2744 wrote to memory of 2876 | 2744 | cmd.exe | 34
  PID 2744 wrote to memory of 2876 | 2744 | cmd.exe | 34
  PID 2744 wrote to memory of 2876 | 2744 | cmd.exe | 34
  PID 2876 wrote to memory of 1212 | 2876 | DllCommonsvc.exe | 51
  PID 2876 wrote to memory of 1212 | 2876 | DllCommonsvc.exe | 51
  PID 2876 wrote to memory of 1212 | 2876 | DllCommonsvc.exe | 51
  PID 2876 wrote to memory of 1992 | 2876 | DllCommonsvc.exe | 52
  PID 2876 wrote to memory of 1992 | 2876 | DllCommonsvc.exe | 52
  PID 2876 wrote to memory of 1992 | 2876 | DllCommonsvc.exe | 52
  PID 2876 wrote to memory of 584 | 2876 | DllCommonsvc.exe | 54
  PID 2876 wrote to memory of 584 | 2876 | DllCommonsvc.exe | 54
  PID 2876 wrote to memory of 584 | 2876 | DllCommonsvc.exe | 54
  PID 2876 wrote to memory of 264 | 2876 | DllCommonsvc.exe | 55
  PID 2876 wrote to memory of 264 | 2876 | DllCommonsvc.exe | 55
  PID 2876 wrote to memory of 264 | 2876 | DllCommonsvc.exe | 55
  PID 2876 wrote to memory of 480 | 2876 | DllCommonsvc.exe | 56
  PID 2876 wrote to memory of 480 | 2876 | DllCommonsvc.exe | 56
  PID 2876 wrote to memory of 480 | 2876 | DllCommonsvc.exe | 56
  PID 2876 wrote to memory of 1372 | 2876 | DllCommonsvc.exe | 57
  PID 2876 wrote to memory of 1372 | 2876 | DllCommonsvc.exe | 57
  PID 2876 wrote to memory of 1372 | 2876 | DllCommonsvc.exe | 57
  PID 2876 wrote to memory of 2924 | 2876 | DllCommonsvc.exe | 63
  PID 2876 wrote to memory of 2924 | 2876 | DllCommonsvc.exe | 63
  PID 2876 wrote to memory of 2924 | 2876 | DllCommonsvc.exe | 63
  PID 2924 wrote to memory of 2776 | 2924 | Idle.exe | 64
  PID 2924 wrote to memory of 2776 | 2924 | Idle.exe | 64
  PID 2924 wrote to memory of 2776 | 2924 | Idle.exe | 64
  PID 2776 wrote to memory of 2112 | 2776 | cmd.exe | 66
  PID 2776 wrote to memory of 2112 | 2776 | cmd.exe | 66
  PID 2776 wrote to memory of 2112 | 2776 | cmd.exe | 66
  PID 2776 wrote to memory of 2816 | 2776 | cmd.exe | 67
  PID 2776 wrote to memory of 2816 | 2776 | cmd.exe | 67
  PID 2776 wrote to memory of 2816 | 2776 | cmd.exe | 67
  PID 2816 wrote to memory of 596 | 2816 | Idle.exe | 68
  PID 2816 wrote to memory of 596 | 2816 | Idle.exe | 68
  PID 2816 wrote to memory of 596 | 2816 | Idle.exe | 68
  PID 596 wrote to memory of 2808 | 596 | cmd.exe | 70
  PID 596 wrote to memory of 2808 | 596 | cmd.exe | 70
  PID 596 wrote to memory of 2808 | 596 | cmd.exe | 70
  PID 596 wrote to memory of 772 | 596 | cmd.exe | 71
  PID 596 wrote to memory of 772 | 596 | cmd.exe | 71
  PID 596 wrote to memory of 772 | 596 | cmd.exe | 71
  PID 772 wrote to memory of 944 | 772 | Idle.exe | 72
  PID 772 wrote to memory of 944 | 772 | Idle.exe | 72
  PID 772 wrote to memory of 944 | 772 | Idle.exe | 72
  PID 944 wrote to memory of 464 | 944 | cmd.exe | 74
  PID 944 wrote to memory of 464 | 944 | cmd.exe | 74
  PID 944 wrote to memory of 464 | 944 | cmd.exe | 74
  PID 944 wrote to memory of 1540 | 944 | cmd.exe | 75
  PID 944 wrote to memory of 1540 | 944 | cmd.exe | 75
  PID 944 wrote to memory of 1540 | 944 | cmd.exe | 75
  PID 1540 wrote to memory of 1560 | 1540 | Idle.exe | 76
  PID 1540 wrote to memory of 1560 | 1540 | Idle.exe | 76
  PID 1540 wrote to memory of 1560 | 1540 | Idle.exe | 76
  PID 1560 wrote to memory of 3024 | 1560 | cmd.exe | 78
- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

Depth 1: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_85632560897d9596e5f7eb16193e2d94d8208f2b26b1fd8f2ef1d95802674815.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_85632560897d9596e5f7eb16193e2d94d8208f2b26b1fd8f2ef1d95802674815.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2112

Depth 2: C:\Windows\SysWOW64\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2800

Depth 3: C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c ""C:\providercommon\1zu9dW.bat" "
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2744

Depth 4: C:\providercommon\DllCommonsvc.exe
  Command line: "C:\providercommon\DllCommonsvc.exe"
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2876

Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1212

Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\Gadgets\WmiPrvSE.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1992

Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\Idle.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 584

Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Pictures\Sample Pictures\wininit.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 264

Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\System.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 480

Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\dwm.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1372

Depth 5: C:\providercommon\Idle.exe
  Command line: "C:\providercommon\Idle.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2924
Depth 6: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yoQf8QHV2Q.bat"
  - Suspicious use of WriteProcessMemory
  PID: 2776

Depth 7: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2112

Depth 7: C:\providercommon\Idle.exe
  Command line: "C:\providercommon\Idle.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2816

Depth 8: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NYP5fOsMgV.bat"
  - Suspicious use of WriteProcessMemory
  PID: 596

Depth 9: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2808

Depth 9: C:\providercommon\Idle.exe
  Command line: "C:\providercommon\Idle.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 772

Depth 10: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Zcl4dB2r8y.bat"
  - Suspicious use of WriteProcessMemory
  PID: 944

Depth 11: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 464

Depth 11: C:\providercommon\Idle.exe
  Command line: "C:\providercommon\Idle.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1540

Depth 12: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PX74P8KQcP.bat"
  - Suspicious use of WriteProcessMemory
  PID: 1560

Depth 13: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 3024

Depth 13: C:\providercommon\Idle.exe
  Command line: "C:\providercommon\Idle.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2396

Depth 14: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\x4tck5X09i.bat"
  PID: 2288

Depth 15: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 1328

Depth 15: C:\providercommon\Idle.exe
  Command line: "C:\providercommon\Idle.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2540

Depth 16: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0SbqORFfit.bat"
  PID: 1152

Depth 17: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2016

Depth 17: C:\providercommon\Idle.exe
  Command line: "C:\providercommon\Idle.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 532

Depth 18: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8qIUyQJ4qD.bat"
  PID: 1708

Depth 19: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2812

Depth 19: C:\providercommon\Idle.exe
  Command line: "C:\providercommon\Idle.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1592

Depth 20: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9ncYvmuuF5.bat"
  PID: 2784

Depth 21: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2732

Depth 21: C:\providercommon\Idle.exe
  Command line: "C:\providercommon\Idle.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2780

Depth 22: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sWmtPUST1G.bat"
  PID: 584

Depth 23: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 1028

Depth 23: C:\providercommon\Idle.exe
  Command line: "C:\providercommon\Idle.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2744
Depth 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Sidebar\Gadgets\WmiPrvSE.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1652

Depth 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Gadgets\WmiPrvSE.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2560

Depth 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Sidebar\Gadgets\WmiPrvSE.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1716

Depth 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\providercommon\Idle.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2964

Depth 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2368

Depth 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2428

Depth 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Pictures\Sample Pictures\wininit.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2288

Depth 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Public\Pictures\Sample Pictures\wininit.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2832

Depth 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Pictures\Sample Pictures\wininit.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1520

Depth 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\System.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1700

Depth 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\System.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2316

Depth 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\System.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1500

Depth 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\dwm.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1356

Depth 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\dwm.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2848

Depth 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\dwm.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2840
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 0dc258e2ce0013f7624e46e9274f9d2a
  SHA1: 2526de0cba6d6cb92ac4b66641a79fe57734aa09
  SHA256: 4198c64d3fd99eceab5655d1871f5151b2178eff2fe04b720c626ef03b31c193
  SHA512: a622a3b4b493735c6e253c8626a20f7126280d7f0a787b7ef4e70274845bdbc4712bfbe032a92c3691d74c14dbf2903d9615835cad57f39c7cc5ccf32fffc17e
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 369ccf5758551cb8ca100467cceff2d4
  SHA1: d3ac7063b8d06e5d64577d2556a174bdac5ce478
  SHA256: 4cd90cf1b300a0ccaa1dd41a8d487a81b2d46388ba227bbed30232578cfa9b6b
  SHA512: 09c74c042e635920ef907cac01510176b752c2692c06d09b17fd27eb5d7aa9c84bcffe7762b6b4ce8f580a87a9933033ba8fb9d85fa74a42a3eb10237f94de1d
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 052916f44d9d3dcfa601c8e84482838a
  SHA1: 8129934aff09fc055357130df97e6d1d2344c5d5
  SHA256: b49973e7464a5948c8b77da0b7cc6039a7302bea420c15d42a9d13e72c648c04
  SHA512: d8b56ba756264b971162954f91281620f14dc4b2c9ea1296387db98c8c2f713dc114adc41b257c89b40d4efb09c2fdb0fd585305711d10aa641fc183d58eacd3
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 039dabb1cf4827000d95eb559052cff8
  SHA1: e66678824db6a8e1a5d09b3c8156005ccaa0bafb
  SHA256: f9c0af7502ace8af3a08aab71f8aa648d80fb4e972770d2289ef21c803b2f459
  SHA512: f72fcec3c1cb46b9e73997baea19f1358fea7906f5264536ceb3de725f14036260461b7a3b810a3f0278ee15fdc47e24bb6e00f2aad5a1d83809a0f71e980b0a
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 9f7eb716404b80d1ba4838c878962b66
  SHA1: 3bbac78b49d8f86a4262b68c29724439e89f9050
  SHA256: 98bf9c81ea6fa518367cd7f41591596564e46e1b5a0407fb51fea88936b12d13
  SHA512: f4d9f304e001a8779439807d554ce67819ca6d224ebc0f628d5343633e76c9b456556634114f3544103223e516fa0b2887b76b6d95d90ac00c523289047d318f
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: fd292e7d5348c64a87edded5cc28067d
  SHA1: bec491ab90791ae8882bdd320eea8a6add65e7fe
  SHA256: bd8d0d6eee4ed1461a1b85b3198d5eb22384ac3e11c0815aaa64efa86d9fcec2
  SHA512: 20c54498cd2b33348d84ce0ca5bfb1150f2233c84135a6fdd6c43c99037f88e6395c3a2dd0190ff3c44c23c94a2d44c7fcff2cbac717a6dbb04f0ef89e526d4d
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 0a72f6e5d5ae60a697837393af8d89d3
  SHA1: 6086d176dfe6c735cc2eee65b89b491a2da2b4be
  SHA256: bd5085dda0e9f059b545223957fe2f2a66ce392f6a11102da8a6cd4530aef1b6
  SHA512: f37992f4b149ea52c14f365b420f0ca000b51c9ea4b86c1b703e900e72fd945b1dac47f6b5afb1f0ecef7e188880bf107c632aeea4ecbd91e662463c964e4013
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: daed6fb2bf0a8fdcc0e41070c5fd214a
  SHA1: f89c1c7ad3aef1c2c22b10898d380a0a9a49da66
  SHA256: 80f2690ca90d4e0a80b3f291bb1d235ac7ee1a83f7fa679dbf0245e2ed667d3a
  SHA512: b5d930dd68555973db52ba759a507a519956a6f5289091702016855ec38e1cc12a2d0978d337ed5b16f89ae43a16f4d84c26c0c9b72eb7bcaf5bbdd98ef4aafb
- Filesize: 191B
  MD5: 0b9ddf052d02330a9e684ec71e01d394
  SHA1: a41d6ff2556661652dd23fc30914fa2db9b989f9
  SHA256: eda7415b84aa1522c675ccc8782933e63b04fe2143e3ed3e0d234ded2dc2e3bd
  SHA512: 93e410cc4fe35414221a7596272b5db1fc272ce4dfafe46694a3013a45cd7f63bbe20f6d97cf7a1d5c9e121f3adea2112cfe5bf491b6a84c40e45cd05fe44ef0
- Filesize: 191B
  MD5: 2ea4bdb1b0098c5dd5c751e73efdabfb
  SHA1: 6f7ee23028e47975ff7b2b0c8b983efee70e2c66
  SHA256: b2247e29874e860ea802db8d8327b31181742f5bfb1d4ab361b8b20c4fe93bae
  SHA512: 5ba8318cfadb66ad1a46dfcc4e01153cda91f11562acc484690afef4fe802089b91fdef2c1abd82589e8d403865b9b4ae8acb2ef5e1cd823aad759077d56df33
- Filesize: 191B
  MD5: 943894b6e6a82863647452a8f59dc0a8
  SHA1: 21fd2d06230837404545795b57811dcd2dcdb232
  SHA256: 1394dc56af5dfab28286a64390e7a066283e582a776d9a3a3b27b7720411b4ab
  SHA512: d0d386499917680999f74fb92ed99c8d4c4636f23df76516c984571185cf5de81da401cc73e6b61896aeae51d0e1ef7f0a10b84b8d76d9fd63a37d5a707fe400
- Filesize: 70KB
  MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
  SHA1: 1723be06719828dda65ad804298d0431f6aff976
  SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
  SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
- Filesize: 191B
  MD5: 0f79459a447b6005eb69ea9a1efbcf7c
  SHA1: 4ffd30aa3e869e88589e4f87ecc4bec75dbc0973
  SHA256: 166ad5ed9dd82a083e52ed20ce09faa398155964f696ecdec35ab705cc0034ba
  SHA512: 505db7fdba6e58c6b6a6380eb4652d1fb5d88ffc4bb65bd1b12ec2fb0b1aadbdd0380074e6caedeb5a87b49dc6d94734596f0a2f2add3c27226d176a9b39b6ce
- Filesize: 191B
  MD5: cf568a209a55d5cd2926d7b05f34cafe
  SHA1: 67bbc1ca2e5572676ea2eb0759eecd401aa2505a
  SHA256: 0202203a6d5750ca1bdb5d9502d22f6acb7613b8c2bd49e1f317634674db82b4
  SHA512: 0008a6d985b578e8868658330ddf0273ae7a96a97fa52f0c2a89333aa046e932fad0de0de384becd2f94069cfa8a2870572160257816a294ab64309115e869b9
- Filesize: 181KB
  MD5: 4ea6026cf93ec6338144661bf1202cd1
  SHA1: a1dec9044f750ad887935a01430bf49322fbdcb7
  SHA256: 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
  SHA512: 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
- Filesize: 191B
  MD5: b09eadf7aafee1f3256eedc891949446
  SHA1: 98e5b1aeda6128689ea0c5bcb54dd3fd8f607a78
  SHA256: 58ede198d2c91444af16fe8dfe23a2c4e57fc6eaeb7593e589a59c7da1f3950c
  SHA512: 11e8492ef4562da40ea6eb50ff5f0dc8915de6941dbffc082d7151de33b42390dde3e7aa5af355097b2e49ae6e3d29eff91ccc3ab54e9282ebfdd563db4f7005
- Filesize: 191B
  MD5: 8fe105a48b26aa2ab624d4d8cf50a09b
  SHA1: 1d9b2b0b9828d5d9b7c91fba626d38116094d62b
  SHA256: 46e2c5a44a6f24c9e4ea20c3fc0c84802097b6aef4af5e85158a10fcc0fe4543
  SHA512: 6995708a87ba6ee5c929eea83193fb778ed2a44b451d60c421345abe631c2c9ce2abec7d1160f3433fb88c4b1334925bb73462248628088d4284e03a34ac3ff5
- Filesize: 191B
  MD5: ff42d28b22299fa014e1cf55945a2db6
  SHA1: 277c3291f41d0a35b34b90c3659de3fde4c9f567
  SHA256: f8a4d9b0568c00d7d2eaed57683b416768952473cac0c3e59910d2e927491b66
  SHA512: 6e4f2f0f27d4d5163689e9f7b789acc8526ffcca34cb9c69eab36e61cfb13b85c95412c3794f613f675a110725b18548508fe899b826e373c0ec726e450677b6
- Filesize: 191B
  MD5: 6d34c545e590a2ca1b33aa9b857ad88a
  SHA1: c79cc68c332591e888941623b1e1281e4cacf7fe
  SHA256: d9a2182a1f485ee30e0d6d8f3a2629e629f8e22d908822627d6a049051075d70
  SHA512: b6fc779469545cf88793deaf8e01261054d5f40f4791f0c59f9a1e3bdd3078e249d2538eb899ec21b5e658e0d8ba3fd49a47c887139ca35bdffb047be1ca1484
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: 6808d3888c74cae183c774627b315105
  SHA1: fecb4f264d2d8c1906f52e896fc7c1fc3307d16b
  SHA256: 2d0419393ca37f833443614cdf01b6562996712210710c3deea2e72e65d64055
  SHA512: 9e5ae7d546518df94bdfc0d26cb2680bfa502ca6e830d36f83e1d300fae9a5cb831dd3524a4011f80976b327aec66f06e31bda58603b3981de62467f0975ce8a
- Filesize: 36B
  MD5: 6783c3ee07c7d151ceac57f1f9c8bed7
  SHA1: 17468f98f95bf504cc1f83c49e49a78526b3ea03
  SHA256: 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
  SHA512: c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8
- Filesize: 197B
  MD5: 8088241160261560a02c84025d107592
  SHA1: 083121f7027557570994c9fc211df61730455bb5
  SHA256: 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
  SHA512: 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478
- Filesize: 1.0MB
  MD5: bd31e94b4143c4ce49c17d3af46bcad0
  SHA1: f8c51ff3ff909531d9469d4ba1bbabae101853ff
  SHA256: b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
  SHA512: f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394