Analysis
-
max time kernel
148s -
max time network
149s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
21-12-2024 18:25
General
-
Target
JaffaCakes118_57ead80eb0d5a40d3f5d02e6b158ff015ab2b0b7ad2d75c03f5c83debb68d4f4.exe
-
Size
1.3MB
-
MD5
f07cef8d89eddbce1dc3336f6a762dd0
-
SHA1
f513f06d0a505f8323d1309d4c974708167c3330
-
SHA256
57ead80eb0d5a40d3f5d02e6b158ff015ab2b0b7ad2d75c03f5c83debb68d4f4
-
SHA512
012669033bf79a23444af70ccc65f01c6eb0ddde59d70a1a080cd5f53da3d9c3d9b0eaa9f212884b46576e75f784ad0c11f1da33b451379ceca9440039e97d74
-
SSDEEP
24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 39 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
DCRat payload 8 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 15 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Executes dropped EXE 13 IoCs
-
Loads dropped DLL 2 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs
-
Drops file in Program Files directory 7 IoCs
-
Drops file in Windows directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Scheduled Task/Job: Scheduled Task 1 TTPs 39 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 34 IoCs
-
Suspicious use of AdjustPrivilegeToken 28 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_57ead80eb0d5a40d3f5d02e6b158ff015ab2b0b7ad2d75c03f5c83debb68d4f4.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_57ead80eb0d5a40d3f5d02e6b158ff015ab2b0b7ad2d75c03f5c83debb68d4f4.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\providercommon\1zu9dW.bat" "3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\providercommon\DllCommonsvc.exe"C:\providercommon\DllCommonsvc.exe"4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\lsm.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Music\Sample Music\smss.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\wininit.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\es-ES\audiodg.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\DllCommonsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\taskhost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\csrss.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\WMIADAP.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\WMIADAP.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4HzUfVZbmx.bat"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:26⤵
-
-
C:\providercommon\DllCommonsvc.exe"C:\providercommon\DllCommonsvc.exe"6⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\VLC\lua\modules\Idle.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\smss.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\services.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\csrss.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Program Files\VideoLAN\VLC\lua\modules\Idle.exe"C:\Program Files\VideoLAN\VLC\lua\modules\Idle.exe"7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\X8VSEkwS9E.bat"8⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:29⤵
-
-
C:\Program Files\VideoLAN\VLC\lua\modules\Idle.exe"C:\Program Files\VideoLAN\VLC\lua\modules\Idle.exe"9⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3a8tNGcxSj.bat"10⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:211⤵
-
-
C:\Program Files\VideoLAN\VLC\lua\modules\Idle.exe"C:\Program Files\VideoLAN\VLC\lua\modules\Idle.exe"11⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HD5NsnfB5C.bat"12⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:213⤵
-
-
C:\Program Files\VideoLAN\VLC\lua\modules\Idle.exe"C:\Program Files\VideoLAN\VLC\lua\modules\Idle.exe"13⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VAhDAdBh8f.bat"14⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:215⤵
-
-
C:\Program Files\VideoLAN\VLC\lua\modules\Idle.exe"C:\Program Files\VideoLAN\VLC\lua\modules\Idle.exe"15⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ANE2RWndQ4.bat"16⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:217⤵
-
-
C:\Program Files\VideoLAN\VLC\lua\modules\Idle.exe"C:\Program Files\VideoLAN\VLC\lua\modules\Idle.exe"17⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wRWwqJyPGw.bat"18⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:219⤵
-
-
C:\Program Files\VideoLAN\VLC\lua\modules\Idle.exe"C:\Program Files\VideoLAN\VLC\lua\modules\Idle.exe"19⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Wqkq749RcZ.bat"20⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:221⤵
-
-
C:\Program Files\VideoLAN\VLC\lua\modules\Idle.exe"C:\Program Files\VideoLAN\VLC\lua\modules\Idle.exe"21⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OS3CX563UF.bat"22⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:223⤵
-
-
C:\Program Files\VideoLAN\VLC\lua\modules\Idle.exe"C:\Program Files\VideoLAN\VLC\lua\modules\Idle.exe"23⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6M87tNVNy8.bat"24⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:225⤵
-
-
C:\Program Files\VideoLAN\VLC\lua\modules\Idle.exe"C:\Program Files\VideoLAN\VLC\lua\modules\Idle.exe"25⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat"26⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:227⤵
-
-
C:\Program Files\VideoLAN\VLC\lua\modules\Idle.exe"C:\Program Files\VideoLAN\VLC\lua\modules\Idle.exe"27⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mWzz7cjAeP.bat"28⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:229⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\lsm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Music\Sample Music\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Public\Music\Sample Music\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Music\Sample Music\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Windows\es-ES\audiodg.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\es-ES\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Windows\es-ES\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\DllCommonsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\DllCommonsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\DllCommonsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\providercommon\taskhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\providercommon\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\providercommon\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Mail\WMIADAP.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\WMIADAP.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Mail\WMIADAP.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 7 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\WMIADAP.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\WMIADAP.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 9 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\WMIADAP.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Program Files\VideoLAN\VLC\lua\modules\Idle.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\lua\modules\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Program Files\VideoLAN\VLC\lua\modules\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\services.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
342B
MD5b872020b108390e9e886f425869a59d7
SHA1887b3a23e840891f4a0ebd3b5302008c24a2cc5a
SHA2564939bb9a0d4fb6defd616aa39e6c5c6df8dd981d7ba2417616fb2a5c5cf1b5eb
SHA512b39212caf1e6e8cc0f5153d034d54f34d8eda572dad2d82da84d04581de8b0220ef6b058c8e427089ebeee2656c7560f9bece8747b95946da2bc9e3584fc430e
-
Filesize
342B
MD50cf08d8db9a5f8102480f40d9c4ef2f5
SHA12916eab733216cc87934570168b7e848f176fc84
SHA2566488e28acbd7eda1c7de73d9564309d3ed4eeb1c479b14805d8a25672b7496ed
SHA51296d93ad45eec0f73a82a6d82045c2bb84b65b66a68e51ea21b4e52850dd39ce4a18e7c0ba90cd5f2ebdb394e64b7c1b7eb8c0a0df1237c42b386c500e062cad7
-
Filesize
342B
MD5437a3264dc21955232c9bca8c3d6ecf1
SHA1390ed283eb0773585bc5987a6626d20995db62f7
SHA25682a10b489300206319d798de6fd19422a34a9058cd26a865390a1ea00e20bbbe
SHA51239b9f0ebeccfd8a9700299bea3d8d0dbd043d7fcbb0e91099b668c54caab805de2fdd70f6a687d8c7f34bd99ee57496893f00e699c0305c3f5ae18c9ae820de2
-
Filesize
342B
MD5787fe511747c6e16e283bbc99700035c
SHA178a16a16e8ca49c21109dd3ffdca9b58ca1377a7
SHA256283bd388b976a74c368b11686874d1403f3f39433a913942da5ef417e993e5d2
SHA51280ca750ea0acfe4ca98870502042b43dea6795920e7e92e1e0d0f28f1e30419dfc337d5a4c542b7c20e863f05133ea7723fd8d47b7cafa7db0360af43729e771
-
Filesize
342B
MD57a8b384e8d7cc42cb019f5ebcaf899d3
SHA1dd002dead2a176cb0c696d3ceb7d423e6469c674
SHA256f6e3cc9872c09cc152fcbc43ba5a4a861994a8c339cfae28360ecdd5813bc008
SHA5129da54b07547b24a9152a80abfbfee60effaa9066e3af7b7d880eae0a760a19bb9e58a0064e55aff0430aef3bd5969ee9bc7d7204fd779a2820bc0cb00c2a39e1
-
Filesize
342B
MD53174412f72e6139cbf880a6d04c0b3e4
SHA14ef88794e0c40dd08aea626a6c05acce4570203b
SHA256d45b475adfdd071d22801f44811362a6be3c178b8e9af9b3392cfbfd4d65a0e4
SHA512677eb1a505f666bcd6e08b793a9af1da54b5ef0d90064da98bb88ddad83bc6692c17236cc2523bf3b16eccf44b25f409df229e257857e4d7c461702506a985ab
-
Filesize
342B
MD5a89bc84ad22fb32597bbf79ba681bde1
SHA1924e59701e98b61b2ea9520f4e623046fa936890
SHA256e6d34ca83495d409539660e962e7cd84e9145dec190cdd640ada47e1b2356efd
SHA512370ce93b5367a6a3ec9a0adcfe95ca32ce4bf9ba05ae9ff5f91f889e14323978c9bd4655ec3b255517593d4ee25521115d4db86f6c1f13cdf47e7607fb8d6189
-
Filesize
342B
MD57440851dee6f25daf571dd3906b17f0d
SHA192c7ea70fa365a1254ce7029e025b183ee8bf484
SHA2562245dd9988daeb6d97578ded4b920ac8d7d93497d8230b9f72aaefd21d307d7d
SHA512ec23aec1454674d961e5b9dba4aa29f20b4f42c434d66a56cac3bb3c92e9bb133c07f43b46dd4eeee5178e617300c9ece2b017abe7b77da678242b251e150021
-
Filesize
342B
MD58925ce31244857daabae83c4c7fdab08
SHA17ac41042fa9d39bfe024ceeff2ad6110263f1e62
SHA2561d6436159613a930224b46a27d1129be57d1af3b6ad5d34fc3266b4acaab598b
SHA512c61998698ce38de4c0d26ef06df49aa4e46a8fbd3788ed2e6127078fb658a13a2e1d6ed5776ac2e0b5a2da078d132921d7eee6937728321c4b85777fcc8aeba8
-
Filesize
342B
MD58ab623917d3d4347d97c489458607107
SHA1e5defd286cfd975960af8ae059f33fff5bd04900
SHA2563fdfce15910cd1b1d37536f49ff05a40fc60797660b56acb0fa47b5316ca9d10
SHA5123b17cf6ee75794bae011f3f0e0b3dc3d23b9a41a028d6971fddb8faf717dece043007cc00ce9df7115562a4948bfb27339d5a24c452af366072016daf52b69d4
-
Filesize
215B
MD5b69c59a403882ad547488bc13486440e
SHA154a9a3e97381a9b39f7f82144cf4182078c21ff2
SHA256247d43a026cf96b66a2c335980ae58aa441b292cbfad394dddcf994cfacee08d
SHA51260724b7fb57e24ea3b45235cbde387a0d4f7761b7ddd678f89ef5446d0b74735c77172ab5a1134ac9a18c34e8bec56882695754adfc9d1b9857565c2a6aa64d8
-
Filesize
199B
MD50eaa96ff1f5384bfeb0771fc8bb0add1
SHA197ee41ca43c6e53a45d14a715716e3e1cbc74133
SHA25616aeaf461964f757ed07ce0733c7d05d2947fbb782a71b6c145655a23ff7549b
SHA51223d18f6440bfa638eb8fe8485796d52fb69a34b57255abb89270fd2d6548e1439a79a5b166fa72d3301b5c4c7f436774f4941059a2bfaa18b7c9297f58517676
-
Filesize
215B
MD5590940e3d50c0ff5fba8502cbf9a850e
SHA12b6dd215b989fb24d36c13efb2bc19d47f48c1e9
SHA256c8625195e4c8c001f742bddd636adfd418062d90ecf4d0544815f5ad164b7c8c
SHA512ddfaafd382de30764e921a860545182f2b30cb53f7ea2ead38bf07c9187ff011b41bd3bfbb48995f02a91a6bbcee8b02d857b55ebed83504dc5f97072773f857
-
Filesize
215B
MD5a518d857dd00ad476f73811edd8cbefe
SHA13d9aee91509b32525239a22d1d476baad92a5770
SHA256e26836541c010ba93ab1ebd36523224cd026685aa14397d679dc48c454dadaeb
SHA512e155334eebfc341bd42bf6128bde9fe517a1a2d95d5cb9e28ce80630470d1787fa19644a7d9265ce5dfe6d0600615ae17bd4a3d7541c53cd9fc22a61ae9e9274
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
215B
MD5b839d82af65b1b61d176fb8624656fce
SHA1082b553a7932322a1dc53974b6525037dd919251
SHA256c0e1659483a6a764f24064374d8edee342c1a7df6a1f000e44e84e8f606e248c
SHA512f3aeb1bf9802d26625486113e5b2268d6be8732a3f443637e95aa952108f08aefac107406f2ec3488e4bc4ef0a360fc39418eba176e92e8e8bc3c31a37f880eb
-
Filesize
215B
MD5e8bfb33384bed38c2dda27b014a0ecd5
SHA156a7d618d92c5ecd65a9973539d1f089b2f0ece2
SHA256f069505d9b51655656cbbeab4a542b91c1aed60bd20d6ef1c18dc3f9029e6d4e
SHA512c7fb192b6421c3a982a21770641029b38a5abeef2b65a6d754dd025e15617de7e34ec2342a4ab5c1147f3f733f270a1e116ca5f821cff9081282295a5318af0b
-
Filesize
215B
MD5208708fd6077e1ebbee0fe6dc70d10ff
SHA1936a6fea8b11fdb4ab0e2f49b0274c642e33a251
SHA25619f0e01f93e569324de8d0b0379c5ece39463691f241460c18964846e62d9ac2
SHA51200bdd6acd8ad94f9ede95caa7d6b4b968497a8e4676232ad0f641bf49e63556c3eea25d9df812f108bcfc365bd5aa36d4604bb853f53e76b32c9f9bfad2c7a83
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
215B
MD5cb22ffc3999c31887ee075e6def9cf45
SHA1859429975668646dcdfe9a5454c2c1edcb356571
SHA25644595b2e2d23131293a8793d629649a04dbfe979e8cad9493417d41584dbea53
SHA512dccc06fd8fca92fe21dbcb772fe28aeefa9c18439ba6b2137fc1f9eadc072e372a7997ab06996709fdc590c6948559600ef6126692b94b04660bd9286f35bd98
-
Filesize
215B
MD5c06f0a15074dd76651766f17a056b7fa
SHA164100a97c3f70d3a975670d6f08fce2be5857603
SHA25600762727554d334b1c804447e3c526c94d56b97c7139a8b5c9082db9080b2350
SHA5124df24ae7925695693585ad77b2a2c313b470bda309502864b1856110819b9565a6957d224e3e3446ac70ea62edbc8f15120187333dcbbc6e3621b1779596b04b
-
Filesize
215B
MD522eefcb2db8fcf39aeb52a4885a798b1
SHA12a4b5e9c1a0656e4c6e0cb7e9285bd1ca26e9071
SHA25639e3bf01242d7db68c70afbc5535f62385b4d0361191f9650958973aaa56e307
SHA512cd7647dba74cb404188cfbe5d25b613772fd4fa5579d17f14ad00f53c0ad7b2c292eefd312add82d525ca44b5b2261a12a30c5473a37d6cbaac05322b57faf4f
-
Filesize
215B
MD54143d24bb9e388e2f0fd836ba2ba0350
SHA1daf3d9be78ae664bcd179ca1bf3a84261ab56a7e
SHA256dad3e501950dc712f6160e4f9a9f7d9393126352c92d72d0f473313017c0bed4
SHA5126b6dc424ef27554faec540a9a24be188a2955d589c2a641515f924311e2330f8de18d8e05305c1310b288613ce8a829684608e25e79d84e8728166ddb5cb7b5d
-
Filesize
215B
MD5e8e8968bd18e7b7c504d21407638ae88
SHA1ed05c7af0d0ed475a4e8064a2a701fd1caa75a52
SHA2564105f88c3f3b9bb147de202852b5cbe8c462bb7af6a4147f96065a62897e37b3
SHA512981eedd8047fa2248716c6160d28f083733fb3e4424d2abf1418d9bd0f4f966141433fffe60b72f25293906316a555012ab45c0001a1a3caab814d0071e94694
-
Filesize
7KB
MD5d3b58d7358ee9e2dd5f1e57b5ceab4dc
SHA1a6fd3f80ed1bc58004d6b5077f31043760836821
SHA25667c90c11061c0c7c19109055d90b8ac7b164ed1cb1867112ba0d336f4ac40891
SHA51292f6a0f50d3cd90d4d7b18ecaace2f289905232611220766e0412855d4e2f10835edd976f641020219b0bad587d8fa49191eb90dfac5127acb0d6497293c8997
-
Filesize
7KB
MD5b6604720e5b1cfafa09072340861bed6
SHA1522f6038bc4fdba597d6fbf3814ca58380f7ce08
SHA2560cc2a1b55aa50dff3b479fda17d849b7749d7bb02af9ca328f0732550cb62c5b
SHA5121de5d5db30ac66261fa7ee9d579bce30e24684f2f5041a7c3cde63e18ef0cc6eaee7271ccbd729c763158e13c75c0e972b1b56b8d99837a1e1093dfb87d93cc7
-
Filesize
36B
MD56783c3ee07c7d151ceac57f1f9c8bed7
SHA117468f98f95bf504cc1f83c49e49a78526b3ea03
SHA2568ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8
-
Filesize
197B
MD58088241160261560a02c84025d107592
SHA1083121f7027557570994c9fc211df61730455bb5
SHA2562072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA51220d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478
-
Filesize
1.0MB
MD5bd31e94b4143c4ce49c17d3af46bcad0
SHA1f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
Filesize
1.1MB
-
Filesize
72KB
-
Filesize
32KB
-
Filesize
72KB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
2.9MB
-
Filesize
32KB
-
Filesize
72KB
-
Filesize
2.9MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
72KB
-
Filesize
1.1MB