Analysis

max time kernel: 147s
max time network: 154s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 30/12/2024, 17:40
Behavioral task: behavioral1
Sample: JaffaCakes118_f2d70afa8bcbb85f7de2887d12890f1ee91a11296ed3311622ac553985a8a566.exe
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: JaffaCakes118_f2d70afa8bcbb85f7de2887d12890f1ee91a11296ed3311622ac553985a8a566.exe
Resource: win10v2004-20241007-en
General

Target: JaffaCakes118_f2d70afa8bcbb85f7de2887d12890f1ee91a11296ed3311622ac553985a8a566.exe
Size: 1.3MB
MD5: dfa9a5d13186a9e34aa781dbb27791de
SHA1: 007c40298835bcea1d21419a96676264b2fe1d22
SHA256: f2d70afa8bcbb85f7de2887d12890f1ee91a11296ed3311622ac553985a8a566
SHA512: 53443f2aad57dc30362ae9b975de087bb19fa4377a88037d17f4f60110208be7174a9134c2f7e043445472f2636cbb66bf190574a207d02cad692b9f07163982
SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures

DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.

Dcrat family

Process spawned unexpected child process (6 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
description                                                                         pid   pid_target  Process       procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2952  2580        schtasks.exe  35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2272  2580        schtasks.exe  35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2600  2580        schtasks.exe  35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2576  2580        schtasks.exe  35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2664  2580        schtasks.exe  35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2268  2580        schtasks.exe  35

resource                                                                      yara_rule
behavioral1/files/0x0007000000016aa9-9.dat                                    dcrat
behavioral1/memory/2684-13-0x0000000000D80000-0x0000000000E90000-memory.dmp   dcrat
behavioral1/memory/2936-45-0x0000000000A20000-0x0000000000B30000-memory.dmp   dcrat
behavioral1/memory/2152-104-0x0000000000F80000-0x0000000001090000-memory.dmp  dcrat
behavioral1/memory/2568-165-0x0000000001180000-0x0000000001290000-memory.dmp  dcrat
behavioral1/memory/2960-225-0x00000000012A0000-0x00000000013B0000-memory.dmp  dcrat
behavioral1/memory/2000-403-0x0000000000150000-0x0000000000260000-memory.dmp  dcrat
behavioral1/memory/1784-464-0x00000000000A0000-0x00000000001B0000-memory.dmp  dcrat
behavioral1/memory/1568-524-0x00000000009C0000-0x0000000000AD0000-memory.dmp  dcrat
behavioral1/memory/2548-584-0x0000000000220000-0x0000000000330000-memory.dmp  dcrat
behavioral1/memory/448-645-0x0000000000120000-0x0000000000230000-memory.dmp   dcrat
Command and Scripting Interpreter: PowerShell (1 TTPs, 3 IoCs)
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid   Process
2276  powershell.exe
2172  powershell.exe
2364  powershell.exe

Executes dropped EXE (12 IoCs)
pid   Process
2684  DllCommonsvc.exe
2936  wininit.exe
2152  wininit.exe
2568  wininit.exe
2960  wininit.exe
628   wininit.exe
2004  wininit.exe
2000  wininit.exe
1784  wininit.exe
1568  wininit.exe
2548  wininit.exe
448   wininit.exe

Loads dropped DLL (2 IoCs)
pid   Process
2168  cmd.exe
2168  cmd.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 12 IoCs)
flow  ioc
36    raw.githubusercontent.com
40    raw.githubusercontent.com
9     raw.githubusercontent.com
19    raw.githubusercontent.com
22    raw.githubusercontent.com
26    raw.githubusercontent.com
29    raw.githubusercontent.com
33    raw.githubusercontent.com
4     raw.githubusercontent.com
5     raw.githubusercontent.com
13    raw.githubusercontent.com
16    raw.githubusercontent.com
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                          Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  WScript.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  JaffaCakes118_f2d70afa8bcbb85f7de2887d12890f1ee91a11296ed3311622ac553985a8a566.exe

Scheduled Task/Job: Scheduled Task (1 TTPs, 6 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid   Process
2272  schtasks.exe
2600  schtasks.exe
2576  schtasks.exe
2664  schtasks.exe
2268  schtasks.exe
2952  schtasks.exe
Suspicious behavior: EnumeratesProcesses (15 IoCs)
pid   Process
2684  DllCommonsvc.exe
2172  powershell.exe
2276  powershell.exe
2364  powershell.exe
2936  wininit.exe
2152  wininit.exe
2568  wininit.exe
2960  wininit.exe
628   wininit.exe
2004  wininit.exe
2000  wininit.exe
1784  wininit.exe
1568  wininit.exe
2548  wininit.exe
448   wininit.exe

Suspicious use of AdjustPrivilegeToken (15 IoCs)
description              pid   Process
Token: SeDebugPrivilege  2684  DllCommonsvc.exe
Token: SeDebugPrivilege  2172  powershell.exe
Token: SeDebugPrivilege  2276  powershell.exe
Token: SeDebugPrivilege  2364  powershell.exe
Token: SeDebugPrivilege  2936  wininit.exe
Token: SeDebugPrivilege  2152  wininit.exe
Token: SeDebugPrivilege  2568  wininit.exe
Token: SeDebugPrivilege  2960  wininit.exe
Token: SeDebugPrivilege  628   wininit.exe
Token: SeDebugPrivilege  2004  wininit.exe
Token: SeDebugPrivilege  2000  wininit.exe
Token: SeDebugPrivilege  1784  wininit.exe
Token: SeDebugPrivilege  1568  wininit.exe
Token: SeDebugPrivilege  2548  wininit.exe
Token: SeDebugPrivilege  448   wininit.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description                          pid   Process                                                                               procid_target
PID 2312 wrote to memory of 644      2312  JaffaCakes118_f2d70afa8bcbb85f7de2887d12890f1ee91a11296ed3311622ac553985a8a566.exe  31
PID 2312 wrote to memory of 644      2312  JaffaCakes118_f2d70afa8bcbb85f7de2887d12890f1ee91a11296ed3311622ac553985a8a566.exe  31
PID 2312 wrote to memory of 644      2312  JaffaCakes118_f2d70afa8bcbb85f7de2887d12890f1ee91a11296ed3311622ac553985a8a566.exe  31
PID 2312 wrote to memory of 644      2312  JaffaCakes118_f2d70afa8bcbb85f7de2887d12890f1ee91a11296ed3311622ac553985a8a566.exe  31
PID 644 wrote to memory of 2168      644   WScript.exe                                                                           32
PID 644 wrote to memory of 2168      644   WScript.exe                                                                           32
PID 644 wrote to memory of 2168      644   WScript.exe                                                                           32
PID 644 wrote to memory of 2168      644   WScript.exe                                                                           32
PID 2168 wrote to memory of 2684     2168  cmd.exe                                                                               34
PID 2168 wrote to memory of 2684     2168  cmd.exe                                                                               34
PID 2168 wrote to memory of 2684     2168  cmd.exe                                                                               34
PID 2168 wrote to memory of 2684     2168  cmd.exe                                                                               34
PID 2684 wrote to memory of 2364     2684  DllCommonsvc.exe                                                                      42
PID 2684 wrote to memory of 2364     2684  DllCommonsvc.exe                                                                      42
PID 2684 wrote to memory of 2364     2684  DllCommonsvc.exe                                                                      42
PID 2684 wrote to memory of 2172     2684  DllCommonsvc.exe                                                                      43
PID 2684 wrote to memory of 2172     2684  DllCommonsvc.exe                                                                      43
PID 2684 wrote to memory of 2172     2684  DllCommonsvc.exe                                                                      43
PID 2684 wrote to memory of 2276     2684  DllCommonsvc.exe                                                                      44
PID 2684 wrote to memory of 2276     2684  DllCommonsvc.exe                                                                      44
PID 2684 wrote to memory of 2276     2684  DllCommonsvc.exe                                                                      44
PID 2684 wrote to memory of 1936     2684  DllCommonsvc.exe                                                                      48
PID 2684 wrote to memory of 1936     2684  DllCommonsvc.exe                                                                      48
PID 2684 wrote to memory of 1936     2684  DllCommonsvc.exe                                                                      48
PID 1936 wrote to memory of 344      1936  cmd.exe                                                                               50
PID 1936 wrote to memory of 344      1936  cmd.exe                                                                               50
PID 1936 wrote to memory of 344      1936  cmd.exe                                                                               50
PID 1936 wrote to memory of 2936     1936  cmd.exe                                                                               51
PID 1936 wrote to memory of 2936     1936  cmd.exe                                                                               51
PID 1936 wrote to memory of 2936     1936  cmd.exe                                                                               51
PID 2936 wrote to memory of 1556     2936  wininit.exe                                                                           52
PID 2936 wrote to memory of 1556     2936  wininit.exe                                                                           52
PID 2936 wrote to memory of 1556     2936  wininit.exe                                                                           52
PID 1556 wrote to memory of 1548     1556  cmd.exe                                                                               54
PID 1556 wrote to memory of 1548     1556  cmd.exe                                                                               54
PID 1556 wrote to memory of 1548     1556  cmd.exe                                                                               54
PID 1556 wrote to memory of 2152     1556  cmd.exe                                                                               55
PID 1556 wrote to memory of 2152     1556  cmd.exe                                                                               55
PID 1556 wrote to memory of 2152     1556  cmd.exe                                                                               55
PID 2152 wrote to memory of 2636     2152  wininit.exe                                                                           56
PID 2152 wrote to memory of 2636     2152  wininit.exe                                                                           56
PID 2152 wrote to memory of 2636     2152  wininit.exe                                                                           56
PID 2636 wrote to memory of 2812     2636  cmd.exe                                                                               58
PID 2636 wrote to memory of 2812     2636  cmd.exe                                                                               58
PID 2636 wrote to memory of 2812     2636  cmd.exe                                                                               58
PID 2636 wrote to memory of 2568     2636  cmd.exe                                                                               59
PID 2636 wrote to memory of 2568     2636  cmd.exe                                                                               59
PID 2636 wrote to memory of 2568     2636  cmd.exe                                                                               59
PID 2568 wrote to memory of 1640     2568  wininit.exe                                                                           60
PID 2568 wrote to memory of 1640     2568  wininit.exe                                                                           60
PID 2568 wrote to memory of 1640     2568  wininit.exe                                                                           60
PID 1640 wrote to memory of 760      1640  cmd.exe                                                                               62
PID 1640 wrote to memory of 760      1640  cmd.exe                                                                               62
PID 1640 wrote to memory of 760      1640  cmd.exe                                                                               62
PID 1640 wrote to memory of 2960     1640  cmd.exe                                                                               63
PID 1640 wrote to memory of 2960     1640  cmd.exe                                                                               63
PID 1640 wrote to memory of 2960     1640  cmd.exe                                                                               63
PID 2960 wrote to memory of 328      2960  wininit.exe                                                                           64
PID 2960 wrote to memory of 328      2960  wininit.exe                                                                           64
PID 2960 wrote to memory of 328      2960  wininit.exe                                                                           64
PID 328 wrote to memory of 1716      328   cmd.exe                                                                               66
PID 328 wrote to memory of 1716      328   cmd.exe                                                                               66
PID 328 wrote to memory of 1716      328   cmd.exe                                                                               66
PID 328 wrote to memory of 628       328   cmd.exe                                                                               67
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

[depth 1] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f2d70afa8bcbb85f7de2887d12890f1ee91a11296ed3311622ac553985a8a566.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f2d70afa8bcbb85f7de2887d12890f1ee91a11296ed3311622ac553985a8a566.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2312

[depth 2] C:\Windows\SysWOW64\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 644

[depth 3] C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c ""C:\providercommon\1zu9dW.bat" "
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2168

[depth 4] C:\providercommon\DllCommonsvc.exe
  Command line: "C:\providercommon\DllCommonsvc.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2684

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2364

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\dllhost.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2172

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\wininit.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2276

[depth 5] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jj5vXeamkL.bat"
  - Suspicious use of WriteProcessMemory
  PID: 1936
[depth 6] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 344

[depth 6] C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\wininit.exe
  Command line: "C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\wininit.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2936

[depth 7] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HGlJwS3LgK.bat"
  - Suspicious use of WriteProcessMemory
  PID: 1556

[depth 8] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 1548

[depth 8] C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\wininit.exe
  Command line: "C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\wininit.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2152

[depth 9] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ELjGFNzRMY.bat"
  - Suspicious use of WriteProcessMemory
  PID: 2636

[depth 10] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2812

[depth 10] C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\wininit.exe
  Command line: "C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\wininit.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2568

[depth 11] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\x5nMQhEI33.bat"
  - Suspicious use of WriteProcessMemory
  PID: 1640

[depth 12] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 760

[depth 12] C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\wininit.exe
  Command line: "C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\wininit.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2960

[depth 13] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\InhrPXXuGB.bat"
  - Suspicious use of WriteProcessMemory
  PID: 328

[depth 14] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 1716

[depth 14] C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\wininit.exe
  Command line: "C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\wininit.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 628

[depth 15] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oYNvu0ZNBR.bat"
  PID: 2256

[depth 16] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 1200

[depth 16] C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\wininit.exe
  Command line: "C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\wininit.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2004

[depth 17] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZHEG9SYztW.bat"
  PID: 1912

[depth 18] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 1880

[depth 18] C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\wininit.exe
  Command line: "C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\wininit.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2000

[depth 19] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bGwFtC02oQ.bat"
  PID: 1796

[depth 20] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2688

[depth 20] C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\wininit.exe
  Command line: "C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\wininit.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1784

[depth 21] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nDwMkfOC2e.bat"
  PID: 880

[depth 22] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 1520

[depth 22] C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\wininit.exe
  Command line: "C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\wininit.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1568

[depth 23] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\J97QZsi4Oz.bat"
  PID: 2752

[depth 24] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2644

[depth 24] C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\wininit.exe
  Command line: "C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\wininit.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2548

[depth 25] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kUVpzpaF2i.bat"
  PID: 2640

[depth 26] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2212

[depth 26] C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\wininit.exe
  Command line: "C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\wininit.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 448

[depth 27] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2pbp0wsTa1.bat"
  PID: 2296

[depth 28] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2476
[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\dllhost.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2952

[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2272

[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2600

[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\wininit.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2576

[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\wininit.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2664

[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\wininit.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2268
Network
MITRE ATT&CK Enterprise v15
Downloads