Analysis
  max time kernel: 149s
  max time network: 150s
  platform: windows7_x64
  resource: win7-20240903-en
  resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  submitted: 30/12/2024, 17:29
Behavioral task: behavioral1
  Sample: JaffaCakes118_c507802eede7343e1b5f44f4a3e52b479f454b621b0803cf953aae1d972ebccb.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: JaffaCakes118_c507802eede7343e1b5f44f4a3e52b479f454b621b0803cf953aae1d972ebccb.exe
  Resource: win10v2004-20241007-en
General
  Target: JaffaCakes118_c507802eede7343e1b5f44f4a3e52b479f454b621b0803cf953aae1d972ebccb.exe
  Size: 1.3MB
  MD5: 45abae4551848db4192410cf2de05722
  SHA1: 9c1920b0be236b01a24120083bbc010ac2474c9b
  SHA256: c507802eede7343e1b5f44f4a3e52b479f454b621b0803cf953aae1d972ebccb
  SHA512: 84fb19bdb72fb4dbce82f369d135efb27952917e204ffaa7b9f4fc085a222b821ac0b8d0ebf6583e5d0bac998b2f95531a6a34d6849b353d9ad65bfc63f8d3ac
  SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
DcRat
  DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

Dcrat family
  resource | yara_rule
  behavioral1/files/0x00080000000173b2-9.dat | dcrat
  behavioral1/memory/2956-13-0x0000000000190000-0x00000000002A0000-memory.dmp | dcrat
  behavioral1/memory/1564-52-0x00000000000D0000-0x00000000001E0000-memory.dmp | dcrat
  behavioral1/memory/1472-80-0x0000000000A60000-0x0000000000B70000-memory.dmp | dcrat
  behavioral1/memory/2628-139-0x0000000000F70000-0x0000000001080000-memory.dmp | dcrat
  behavioral1/memory/1680-260-0x0000000001380000-0x0000000001490000-memory.dmp | dcrat

Process spawned unexpected child process (9 IoCs)
  This typically indicates the parent process was compromised via an exploit or macro.
  description | pid | pid_target | Process | procid_target
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2832 | 2596 | schtasks.exe | 35
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2724 | 2596 | schtasks.exe | 35
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2732 | 2596 | schtasks.exe | 35
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2592 | 2596 | schtasks.exe | 35
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2728 | 2596 | schtasks.exe | 35
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3040 | 2596 | schtasks.exe | 35
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2772 | 2596 | schtasks.exe | 35
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2324 | 2596 | schtasks.exe | 35
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1120 | 2596 | schtasks.exe | 35
Command and Scripting Interpreter: PowerShell (1 TTP, 4 IoCs)
  Run PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  pid | Process
  2932 | powershell.exe
  2908 | powershell.exe
  2888 | powershell.exe
  1672 | powershell.exe

Executes dropped EXE (10 IoCs)
  pid | Process
  2956 | DllCommonsvc.exe
  1564 | winlogon.exe
  1472 | winlogon.exe
  2628 | winlogon.exe
  2804 | winlogon.exe
  1680 | winlogon.exe
  1580 | winlogon.exe
  1276 | winlogon.exe
  2992 | winlogon.exe
  2900 | winlogon.exe

Loads dropped DLL (2 IoCs)
  pid | Process
  2668 | cmd.exe
  2668 | cmd.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTP, 10 IoCs)
  flow | ioc
  29 | raw.githubusercontent.com
  32 | raw.githubusercontent.com
  5 | raw.githubusercontent.com
  12 | raw.githubusercontent.com
  15 | raw.githubusercontent.com
  19 | raw.githubusercontent.com
  25 | raw.githubusercontent.com
  4 | raw.githubusercontent.com
  9 | raw.githubusercontent.com
  22 | raw.githubusercontent.com

Drops file in Windows directory (2 IoCs)
  description | ioc | Process
  File created | C:\Windows\Panther\UnattendGC\winlogon.exe | DllCommonsvc.exe
  File created | C:\Windows\Panther\UnattendGC\cc11b995f2a76d | DllCommonsvc.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_c507802eede7343e1b5f44f4a3e52b479f454b621b0803cf953aae1d972ebccb.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe

Scheduled Task/Job: Scheduled Task (1 TTP, 9 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  2832 | schtasks.exe
  2728 | schtasks.exe
  3040 | schtasks.exe
  2324 | schtasks.exe
  1120 | schtasks.exe
  2724 | schtasks.exe
  2732 | schtasks.exe
  2592 | schtasks.exe
  2772 | schtasks.exe

Suspicious behavior: EnumeratesProcesses (14 IoCs)
  pid | Process
  2956 | DllCommonsvc.exe
  2888 | powershell.exe
  2908 | powershell.exe
  2932 | powershell.exe
  1672 | powershell.exe
  1564 | winlogon.exe
  1472 | winlogon.exe
  2628 | winlogon.exe
  2804 | winlogon.exe
  1680 | winlogon.exe
  1580 | winlogon.exe
  1276 | winlogon.exe
  2992 | winlogon.exe
  2900 | winlogon.exe

Suspicious use of AdjustPrivilegeToken (14 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2956 | DllCommonsvc.exe
  Token: SeDebugPrivilege | 2888 | powershell.exe
  Token: SeDebugPrivilege | 2908 | powershell.exe
  Token: SeDebugPrivilege | 2932 | powershell.exe
  Token: SeDebugPrivilege | 1672 | powershell.exe
  Token: SeDebugPrivilege | 1564 | winlogon.exe
  Token: SeDebugPrivilege | 1472 | winlogon.exe
  Token: SeDebugPrivilege | 2628 | winlogon.exe
  Token: SeDebugPrivilege | 2804 | winlogon.exe
  Token: SeDebugPrivilege | 1680 | winlogon.exe
  Token: SeDebugPrivilege | 1580 | winlogon.exe
  Token: SeDebugPrivilege | 1276 | winlogon.exe
  Token: SeDebugPrivilege | 2992 | winlogon.exe
  Token: SeDebugPrivilege | 2900 | winlogon.exe
Suspicious use of WriteProcessMemory (64 IoCs)
  description | pid | Process | procid_target
  PID 2080 wrote to memory of 2536 | 2080 | JaffaCakes118_c507802eede7343e1b5f44f4a3e52b479f454b621b0803cf953aae1d972ebccb.exe | 31
  PID 2080 wrote to memory of 2536 | 2080 | JaffaCakes118_c507802eede7343e1b5f44f4a3e52b479f454b621b0803cf953aae1d972ebccb.exe | 31
  PID 2080 wrote to memory of 2536 | 2080 | JaffaCakes118_c507802eede7343e1b5f44f4a3e52b479f454b621b0803cf953aae1d972ebccb.exe | 31
  PID 2080 wrote to memory of 2536 | 2080 | JaffaCakes118_c507802eede7343e1b5f44f4a3e52b479f454b621b0803cf953aae1d972ebccb.exe | 31
  PID 2536 wrote to memory of 2668 | 2536 | WScript.exe | 32
  PID 2536 wrote to memory of 2668 | 2536 | WScript.exe | 32
  PID 2536 wrote to memory of 2668 | 2536 | WScript.exe | 32
  PID 2536 wrote to memory of 2668 | 2536 | WScript.exe | 32
  PID 2668 wrote to memory of 2956 | 2668 | cmd.exe | 34
  PID 2668 wrote to memory of 2956 | 2668 | cmd.exe | 34
  PID 2668 wrote to memory of 2956 | 2668 | cmd.exe | 34
  PID 2668 wrote to memory of 2956 | 2668 | cmd.exe | 34
  PID 2956 wrote to memory of 2908 | 2956 | DllCommonsvc.exe | 45
  PID 2956 wrote to memory of 2908 | 2956 | DllCommonsvc.exe | 45
  PID 2956 wrote to memory of 2908 | 2956 | DllCommonsvc.exe | 45
  PID 2956 wrote to memory of 2888 | 2956 | DllCommonsvc.exe | 46
  PID 2956 wrote to memory of 2888 | 2956 | DllCommonsvc.exe | 46
  PID 2956 wrote to memory of 2888 | 2956 | DllCommonsvc.exe | 46
  PID 2956 wrote to memory of 2932 | 2956 | DllCommonsvc.exe | 47
  PID 2956 wrote to memory of 2932 | 2956 | DllCommonsvc.exe | 47
  PID 2956 wrote to memory of 2932 | 2956 | DllCommonsvc.exe | 47
  PID 2956 wrote to memory of 1672 | 2956 | DllCommonsvc.exe | 48
  PID 2956 wrote to memory of 1672 | 2956 | DllCommonsvc.exe | 48
  PID 2956 wrote to memory of 1672 | 2956 | DllCommonsvc.exe | 48
  PID 2956 wrote to memory of 2912 | 2956 | DllCommonsvc.exe | 53
  PID 2956 wrote to memory of 2912 | 2956 | DllCommonsvc.exe | 53
  PID 2956 wrote to memory of 2912 | 2956 | DllCommonsvc.exe | 53
  PID 2912 wrote to memory of 1948 | 2912 | cmd.exe | 55
  PID 2912 wrote to memory of 1948 | 2912 | cmd.exe | 55
  PID 2912 wrote to memory of 1948 | 2912 | cmd.exe | 55
  PID 2912 wrote to memory of 1564 | 2912 | cmd.exe | 56
  PID 2912 wrote to memory of 1564 | 2912 | cmd.exe | 56
  PID 2912 wrote to memory of 1564 | 2912 | cmd.exe | 56
  PID 1564 wrote to memory of 604 | 1564 | winlogon.exe | 57
  PID 1564 wrote to memory of 604 | 1564 | winlogon.exe | 57
  PID 1564 wrote to memory of 604 | 1564 | winlogon.exe | 57
  PID 604 wrote to memory of 3016 | 604 | cmd.exe | 59
  PID 604 wrote to memory of 3016 | 604 | cmd.exe | 59
  PID 604 wrote to memory of 3016 | 604 | cmd.exe | 59
  PID 604 wrote to memory of 1472 | 604 | cmd.exe | 60
  PID 604 wrote to memory of 1472 | 604 | cmd.exe | 60
  PID 604 wrote to memory of 1472 | 604 | cmd.exe | 60
  PID 1472 wrote to memory of 1716 | 1472 | winlogon.exe | 61
  PID 1472 wrote to memory of 1716 | 1472 | winlogon.exe | 61
  PID 1472 wrote to memory of 1716 | 1472 | winlogon.exe | 61
  PID 1716 wrote to memory of 3036 | 1716 | cmd.exe | 63
  PID 1716 wrote to memory of 3036 | 1716 | cmd.exe | 63
  PID 1716 wrote to memory of 3036 | 1716 | cmd.exe | 63
  PID 1716 wrote to memory of 2628 | 1716 | cmd.exe | 64
  PID 1716 wrote to memory of 2628 | 1716 | cmd.exe | 64
  PID 1716 wrote to memory of 2628 | 1716 | cmd.exe | 64
  PID 2628 wrote to memory of 1984 | 2628 | winlogon.exe | 65
  PID 2628 wrote to memory of 1984 | 2628 | winlogon.exe | 65
  PID 2628 wrote to memory of 1984 | 2628 | winlogon.exe | 65
  PID 1984 wrote to memory of 2384 | 1984 | cmd.exe | 67
  PID 1984 wrote to memory of 2384 | 1984 | cmd.exe | 67
  PID 1984 wrote to memory of 2384 | 1984 | cmd.exe | 67
  PID 1984 wrote to memory of 2804 | 1984 | cmd.exe | 68
  PID 1984 wrote to memory of 2804 | 1984 | cmd.exe | 68
  PID 1984 wrote to memory of 2804 | 1984 | cmd.exe | 68
  PID 2804 wrote to memory of 1544 | 2804 | winlogon.exe | 69
  PID 2804 wrote to memory of 1544 | 2804 | winlogon.exe | 69
  PID 2804 wrote to memory of 1544 | 2804 | winlogon.exe | 69
  PID 1544 wrote to memory of 1444 | 1544 | cmd.exe | 71

Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c507802eede7343e1b5f44f4a3e52b479f454b621b0803cf953aae1d972ebccb.exe (depth 1, PID 2080)
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c507802eede7343e1b5f44f4a3e52b479f454b621b0803cf953aae1d972ebccb.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\WScript.exe (depth 2, PID 2536)
  Command line: "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\cmd.exe (depth 3, PID 2668)
  Command line: cmd /c ""C:\providercommon\1zu9dW.bat" "
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

C:\providercommon\DllCommonsvc.exe (depth 4, PID 2956)
  Command line: "C:\providercommon\DllCommonsvc.exe"
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 5, PID 2908)
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 5, PID 2888)
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\My Videos\sppsvc.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 5, PID 2932)
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Panther\UnattendGC\winlogon.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 5, PID 1672)
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\winlogon.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\cmd.exe (depth 5, PID 2912)
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MAmhIIylHr.bat"
  - Suspicious use of WriteProcessMemory

C:\Windows\system32\w32tm.exe (depth 6, PID 1948)
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\Panther\UnattendGC\winlogon.exe (depth 6, PID 1564)
  Command line: "C:\Windows\Panther\UnattendGC\winlogon.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

C:\Windows\System32\cmd.exe (depth 7, PID 604)
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5cWoBfSAzl.bat"
  - Suspicious use of WriteProcessMemory

C:\Windows\system32\w32tm.exe (depth 8, PID 3016)
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\Panther\UnattendGC\winlogon.exe (depth 8, PID 1472)
  Command line: "C:\Windows\Panther\UnattendGC\winlogon.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

C:\Windows\System32\cmd.exe (depth 9, PID 1716)
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wNwF62sylT.bat"
  - Suspicious use of WriteProcessMemory

C:\Windows\system32\w32tm.exe (depth 10, PID 3036)
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\Panther\UnattendGC\winlogon.exe (depth 10, PID 2628)
  Command line: "C:\Windows\Panther\UnattendGC\winlogon.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

C:\Windows\System32\cmd.exe (depth 11, PID 1984)
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lE88gYdR15.bat"
  - Suspicious use of WriteProcessMemory

C:\Windows\system32\w32tm.exe (depth 12, PID 2384)
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\Panther\UnattendGC\winlogon.exe (depth 12, PID 2804)
  Command line: "C:\Windows\Panther\UnattendGC\winlogon.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

C:\Windows\System32\cmd.exe (depth 13, PID 1544)
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\o09MCfWrWU.bat"
  - Suspicious use of WriteProcessMemory

C:\Windows\system32\w32tm.exe (depth 14, PID 1444)
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\Panther\UnattendGC\winlogon.exe (depth 14, PID 1680)
  Command line: "C:\Windows\Panther\UnattendGC\winlogon.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\cmd.exe (depth 15, PID 2636)
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\b7oBPqXqtO.bat"

C:\Windows\system32\w32tm.exe (depth 16, PID 892)
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\Panther\UnattendGC\winlogon.exe (depth 16, PID 1580)
  Command line: "C:\Windows\Panther\UnattendGC\winlogon.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\cmd.exe (depth 17, PID 2756)
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2mwtwHUJyt.bat"

C:\Windows\system32\w32tm.exe (depth 18, PID 840)
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\Panther\UnattendGC\winlogon.exe (depth 18, PID 1276)
  Command line: "C:\Windows\Panther\UnattendGC\winlogon.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\cmd.exe (depth 19, PID 2156)
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JhFjyqSsxH.bat"

C:\Windows\system32\w32tm.exe (depth 20, PID 1484)
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\Panther\UnattendGC\winlogon.exe (depth 20, PID 2992)
  Command line: "C:\Windows\Panther\UnattendGC\winlogon.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\cmd.exe (depth 21, PID 2468)
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2mwtwHUJyt.bat"

C:\Windows\system32\w32tm.exe (depth 22, PID 1868)
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\Panther\UnattendGC\winlogon.exe (depth 22, PID 2900)
  Command line: "C:\Windows\Panther\UnattendGC\winlogon.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\cmd.exe (depth 23, PID 2860)
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RaUzDWAd8R.bat"

C:\Windows\system32\w32tm.exe (depth 24, PID 2272)
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\system32\schtasks.exe (depth 1, PID 2832)
  Command line: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Documents\My Videos\sppsvc.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (depth 1, PID 2724)
  Command line: schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Public\Documents\My Videos\sppsvc.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (depth 1, PID 2732)
  Command line: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Documents\My Videos\sppsvc.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (depth 1, PID 2592)
  Command line: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Windows\Panther\UnattendGC\winlogon.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (depth 1, PID 2728)
  Command line: schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\Panther\UnattendGC\winlogon.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (depth 1, PID 3040)
  Command line: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Windows\Panther\UnattendGC\winlogon.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (depth 1, PID 1120)
  Command line: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\winlogon.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (depth 1, PID 2324)
  Command line: schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\winlogon.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (depth 1, PID 2772)
  Command line: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\winlogon.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 29d39ce3d85b450c16d13caf74ad139e
  SHA1: 01d076e6cd993d531709585a932ddac9e37d6206
  SHA256: 30119d47fab01e73a3f048dd445018a4d7ae3068e8f2e5ee7967d070bd246173
  SHA512: 3a2f05108b4a35946fd48849d31c102b26869091a75e4d18765e37d1ff8efe10b7095730d27d68f3f7b7ab6ee4ecc358f236bc460db7cf7095b1de9448a2f107

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: ec823c47fe39d7a8c4be244fb42af8e9
  SHA1: 40275602659b05a234009f0e8dbfdf915993a8e5
  SHA256: 1c9a3bd3fa6434e088024f31af95183e1ad67f2cbd57447764f3c1dd7019ac77
  SHA512: 8d907f53c142ec3530c58a2faf6debd531395a8d8a7159bdd5b79c008fb1121f6c75a3e8916531a93a7662ba5c0df1b0aca944c940638f62e0bc9d857fbacf53

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 0390fbd5f247edc965b99d043ea69218
  SHA1: 1d910f8635cf80ec19198f53b4484c0b67114b69
  SHA256: 6ebcd4220fce552627a8464857f19d8ff128b12997b0a0209e120e95b777004a
  SHA512: 46d20fba54197eb078aad000891699fecf6ca377c512b6c937c08e82842da514e355e953eef501358f9a55bc0259777f57d69895d7f3078a67c5c82eb491a31b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 34c74f80af17c3cb2809d818e051e6ac
  SHA1: da7c36e555c0349671519d1e39d0f4e0567659bd
  SHA256: 18137fb3d4579b5f2bec606ceead8dcdf9d3f4e5f1b91ede164fd3f040d24d20
  SHA512: 13ac991e3c52b39be522583f1800ea7785795cc059ca400fe4294c8638c8d10512cf4f45e6f51e45280521c7d3e0e1ecb5a244790909e6c808a3406687858f51

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 70bcae008d8a5294e747eb087d327eaf
  SHA1: 9d784aeca7ae8d75c5f19e9e0ecb26cb6adb6fd5
  SHA256: 58dcabf1306f9263b787870449bf0729c1956b36b0878fe6ccdc63b379fc4917
  SHA512: 548483956297930162d58e4b589c1e9a28a23b6a209691ddb60aa8b7af44f6153b5694efc9fe1f4555a77d263d5a2356944c75f89830d842a4ffda630acd1f62

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 50db1bc2826740ba33e61de880f73fcf
  SHA1: 1e1642eff10bbf52321290b5539755808ec58379
  SHA256: c131b6472d9b7cdce9da9e06643fc0a32e8dbf18fde31bfd0db0b713082936ce
  SHA512: c7e05d492d216ea790a7d6e2c85a263552bd43b8c98dad1035a51fee2121750429ba64aeea5153c01e90479321453eacbe4be6f51d6f4412860910956478efc9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: e47d5fb8f07c0a57dbe888f76bc49e21
  SHA1: 800c332477f05c1d26ebba6d00f2552d121d3791
  SHA256: dbbf8a10c87affb771a2603c46a285e02ff04268f288fe6be0438433b83d497e
  SHA512: 0f9a29599d12318702e7d10622f392a8825dcbb31c237abf286cd9038903d6f894cc0ac1a09c4753127c5b7b2a2540a3f2c790024cb0fbcccdbcaa439c726887

  Filesize: 207B
  MD5: 20de5ec2386f15f50ddd5ac764948e2c
  SHA1: 8bf350f4af5780d1cc7bb259e861d58e19582770
  SHA256: cb67354fdcb3a2fcf4b78a916fb088510e4966247d2a21de8d2802301fcace98
  SHA512: f5aa6e2ef871463dc606023de38fdea8677900b2687fa0b00d701dc872bf7126447c4d3d0bacfa8906da5049e1b063b81b6f4b75508613dd898a733398bb38bb

  Filesize: 207B
  MD5: bbfaac79f714c1e88f42fc386d7cdde0
  SHA1: d5df596719d5e19b578cc10f8b0c15f78ab50b16
  SHA256: 8033574e6f67910db0df7fbae177142dc658ce0e578f8a490e0fb8230a98ef27
  SHA512: 13af8cd775af7013c1f7618d203dabe51f0b8cf64d050d18995e59c3b14c3bfacaa85d1792b7d766e0b5673280518b2c718c6bbbf2b861ef9699b1dd2cd0f36e

  Filesize: 70KB
  MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
  SHA1: 1723be06719828dda65ad804298d0431f6aff976
  SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
  SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

  Filesize: 207B
  MD5: 9ad26b56e0d5f0b9d1e59fdfe6fcc1f3
  SHA1: 1d6ca0ab410d20dc65384feec62480abbbbdec46
  SHA256: 1a01a2437ce661956783ca4679495cd0a2ac621db4e63df2b33c8b4cf5fbbb51
  SHA512: 6d6edcbbb24a3cde09ce10845626997ef009a85ea74a8f56fa0c2a0fe10a5607a4e7bab9a8b1c2566c5e52f862887b9c560c76eab64d1c5cef0e465d61a1904a

  Filesize: 207B
  MD5: 24c974ec785ffac29c65712a95171054
  SHA1: 4fd858229ce058c4d4eb0393ed3c007b1ff1b63a
  SHA256: 15c7ab5eafc268a664889fc698f14a5ae2c74d1f5f0c356b90d56627b0e22be8
  SHA512: 6edd6e316fda4b2230b44be67c7b76b78418468cd82b690c07a7fe238a4128ddf4e1a54c25dea12f15d304dab64f1e1cfd87298ad22bf392a058837143241630

  Filesize: 207B
  MD5: 50bfab2cc05de4ac92fe30e42c581352
  SHA1: 0aa88263c565c3eb3a8646a2bd15336b9d579306
  SHA256: d7d0800223a9d3fe66586f47f4793f5c1616523d7e6bb65286fde9eca0c51014
  SHA512: d21907cf891183ec16e41cf0626dfeed19f2fe96b261fec99ceb3a1754b38d515c3ac4ee771ec3a69b1bc5e1848093b8b52bcd7ffbe601410da49ee434dcb2df

  Filesize: 181KB
  MD5: 4ea6026cf93ec6338144661bf1202cd1
  SHA1: a1dec9044f750ad887935a01430bf49322fbdcb7
  SHA256: 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
  SHA512: 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

  Filesize: 207B
  MD5: b12cdbddcffef334a20f9efd3a6538db
  SHA1: f20240d9f618697150e54eef991475dde554b35b
  SHA256: 980652b6eb52d36024bf4a262053641e8cff8a00110267765842fb5d2febca73
  SHA512: 69df1ec0c8dcc19b34a35500137647c75b0148249dd93213a094f4c0903fc3fa84792e29e10385fb5ddbdbd7dff20d4eb0dfd33355d14dec280a4f885f6a1be9

  Filesize: 207B
  MD5: 68b3043db1e268ee4859c1d29fb94f3a
  SHA1: 2b95569e5f7a1a049536747785f6ace64786b8e8
  SHA256: 272a1585091c9852e7858516af415e1ecbc985c603b3d9e38187a5d4c3ebc53d
  SHA512: 161c97a1cc39f79386f546bfa48a04cf3804d27af866dc553541989c1cc93fe1d192bb652e98d312b9db56680cfdb40957902b3a70f33400ccfe1e58083de1ec

  Filesize: 207B
  MD5: 878582fd4cbd1f9d5a90a0f7a1d01a07
  SHA1: aef41ffbd4433fef7b97fb4ba3442427e6c7901e
  SHA256: 34f75b071e9af8eb9e865352fe5ec8a60b3a6dc7ed3c1dc7a5d4b04652312034
  SHA512: 662bb4398e4c91b1c5044a0413b13f685107266d703fedd058d623fc8372217d00bf545dd8234e0291bb3f70370703e92a38b4bd7116df29c78f043c50b3049f

  Filesize: 207B
  MD5: 5b1bd8490df80f438b4a973e15db2dcb
  SHA1: 02220d10b24d9288c2241f7baf5e05264106f129
  SHA256: 42e40144f61c3baf133cfb30e5c56ed0850d005776df01b429db8f126a4c79f8
  SHA512: ea5d0085918d19a06aae13fbafa3edca5b8ea0dd703eea18c54116270b2c48d65b2dca2d7bcb066c13b9c44586ff8edbfb1239875b086eb94e528c75a668bda2

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: 54b5e4b9b8d1c548ebccb21fba1cbe29
  SHA1: 8f4ce9d2063c3f9b78bc96d87f7e95377e275d94
  SHA256: 5b0c050cd76d3e4acadad81832dfac11088aeda80b412e8717aa0276352514b7
  SHA512: fc4a2fce81e92a088dbc864b3e9dc32f794482a18b3970cb254a3b081d3ae6e66b4c49f204dc55eff4a595f858e897f9cc164ec69425b13107af37d41f040873

  Filesize: 36B
  MD5: 6783c3ee07c7d151ceac57f1f9c8bed7
  SHA1: 17468f98f95bf504cc1f83c49e49a78526b3ea03
  SHA256: 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
  SHA512: c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

  Filesize: 197B
  MD5: 8088241160261560a02c84025d107592
  SHA1: 083121f7027557570994c9fc211df61730455bb5
  SHA256: 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
  SHA512: 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

  Filesize: 1.0MB
  MD5: bd31e94b4143c4ce49c17d3af46bcad0
  SHA1: f8c51ff3ff909531d9469d4ba1bbabae101853ff
  SHA256: b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
  SHA512: f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394