Analysis
-
max time kernel
149s -
max time network
145s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
21-12-2024 18:28
General
-
Target
JaffaCakes118_efe572ee34f8a6aad46980090b615c188de9921e335d2124a4912bf4cc94500e.exe
-
Size
1.3MB
-
MD5
1eaf4824a0ff1ce7483580da62ffddf0
-
SHA1
8c349e58038ac86d53901b0eaef9adf8ca3d45f3
-
SHA256
efe572ee34f8a6aad46980090b615c188de9921e335d2124a4912bf4cc94500e
-
SHA512
31d0a5191b78e12c02d5a9e70e0fcf780e8c9772537938471a9478fb87d2c9c8106009c3396965b653ef83d95c5b3ce5fdc6144cc8a817216c4fb56ea7a30f09
-
SSDEEP
24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 36 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
DCRat payload 11 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 13 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Executes dropped EXE 12 IoCs
-
Loads dropped DLL 2 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs
-
Drops file in Program Files directory 5 IoCs
-
Drops file in Windows directory 6 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Scheduled Task/Job: Scheduled Task 1 TTPs 36 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 29 IoCs
-
Suspicious use of AdjustPrivilegeToken 25 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_efe572ee34f8a6aad46980090b615c188de9921e335d2124a4912bf4cc94500e.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_efe572ee34f8a6aad46980090b615c188de9921e335d2124a4912bf4cc94500e.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\providercommon\1zu9dW.bat" "3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\providercommon\DllCommonsvc.exe"C:\providercommon\DllCommonsvc.exe"4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Photo Viewer\ja-JP\Idle.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\taskhost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\dwm.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\cmd.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\dwm.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Application Data\csrss.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\inf\smss.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PCHEALTH\ERRORREP\QHEADLES\lsm.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\taskhost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\dllhost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Offline Web Pages\System.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\services.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KC4nnSWOK3.bat"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:26⤵
-
-
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\taskhost.exe"C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\taskhost.exe"6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oPL6j2OtN4.bat"7⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:28⤵
-
-
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\taskhost.exe"C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\taskhost.exe"8⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\muCkezbCVz.bat"9⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:210⤵
-
-
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\taskhost.exe"C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\taskhost.exe"10⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OZJpL0Zeaq.bat"11⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:212⤵
-
-
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\taskhost.exe"C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\taskhost.exe"12⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6n1oUPmZQq.bat"13⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:214⤵
-
-
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\taskhost.exe"C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\taskhost.exe"14⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JCnMdX7E06.bat"15⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:216⤵
-
-
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\taskhost.exe"C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\taskhost.exe"16⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OoUlhQHDc2.bat"17⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:218⤵
-
-
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\taskhost.exe"C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\taskhost.exe"18⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HD5NsnfB5C.bat"19⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:220⤵
-
-
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\taskhost.exe"C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\taskhost.exe"20⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pdW26R6SPG.bat"21⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:222⤵
-
-
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\taskhost.exe"C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\taskhost.exe"22⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Lg3y2yDdyq.bat"23⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:224⤵
-
-
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\taskhost.exe"C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\taskhost.exe"24⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\m47JVZSxDi.bat"25⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:226⤵
-
-
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\taskhost.exe"C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\taskhost.exe"26⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Photo Viewer\ja-JP\Idle.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\ja-JP\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Photo Viewer\ja-JP\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\taskhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\dwm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\cmd.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\dwm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Application Data\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\All Users\Application Data\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Application Data\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Windows\inf\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\inf\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Windows\inf\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Windows\PCHEALTH\ERRORREP\QHEADLES\lsm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\PCHEALTH\ERRORREP\QHEADLES\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Windows\PCHEALTH\ERRORREP\QHEADLES\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\taskhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Windows\Offline Web Pages\System.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\Offline Web Pages\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Windows\Offline Web Pages\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\providercommon\services.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
342B
MD5823690724c5649437fb8bcc20a415c2b
SHA1cc05c6f286de31e4a44a459d73f42bf4d4da7563
SHA256e95fd388d1f4d5895e9a73052015b3c7971daf52efa53b68bf88a3f780094737
SHA512181327dfde8b7ddb3d96c3945e65c2e9d912ddd2b091336e8ceb1d5261d4c9e48c8809502ba94093da98d685cfef666dd0d682fbb9bd08f8ab89dbdb3a22bd07
-
Filesize
342B
MD524d3e7ade5eb9bbdeb753dc9abdeaba4
SHA1b3bfbbf848306182a2bd136a14a03a3e35ea6f72
SHA25627af7aef9c5914b6b2fec5c6c571c6d20252f28025411f0a1cbdb7c7d210dd93
SHA5125d091dc2e0e12c86df08fae3d07748ea3af23e1c413bca524a2123cd446374f54d138d93b121a8109ce8e2a836a99820a2fe33acfb1612afcb58c5633bb6bad6
-
Filesize
342B
MD5c9f83b9987164ceb79ebb41a7ee54261
SHA177d5d335a1809781c7d82b92a81a5fd4238fcf64
SHA25657b6ec445d950324ca15a5cc4532c85ef421c53844ff33da7981bebe03bfc992
SHA512926226374784211ff390e8872aec80e48daabd57cf9fd475a1168ca0c5cf9a327331152172863efe7d3c3cd760adc14584d267b36c515940883bbb7ea8367839
-
Filesize
342B
MD5aab5168858290581b1ae203c76b901f8
SHA156e82c88d32f41cd467a733403ad6e958754c1a9
SHA25639134b237a0ae98a2b6af277b0c1a57850b1367376dd9a90aeec170f11816a1e
SHA5126b60bf1ce89af566b24878fe7aa66ab973cf12d199645ad7b6bb1c533c508771d6944ee6d9040e7768406bde84a4194b6e10a3fe8c9f7a332737ca9a1ddbbcd7
-
Filesize
342B
MD5d3fd0b310750caa9d1a5fa9b2cf182b4
SHA1c1cc94e3589f66491e14b6d21f53415e4c243252
SHA256843ec727bb87b4c5f6cf2fa6c2643be5a875d85cccd335e9fb9a1d6a3e0f18af
SHA5120f881d2faa28bdbaea7d70293413a75b51dad03ad9eb6978fc53029a65e6b06fbbbb908fffa41a5eb0557187b3ca556767770a2414501f8cc1019b1ce435855c
-
Filesize
342B
MD5e4fe85ae70dc0fac4bd333786e3dd1d1
SHA142b5a78e7ced2184795dd996d657bc8cd885806e
SHA256963140326bb218f8d990e3282936cb50c055e4fe4638b7b3d61e66c58da93ea8
SHA512585fa96fdd6d857a679766c364c2d893c9cc0cfe05d2f98ea2fce7df624dc5260b3879f3248e8ecac4f90b84ef3926f3a1ebc934acf18a91227e289bdca8338c
-
Filesize
342B
MD51915d7686b740adc244fe79c820f3896
SHA10ff9a8a1d0016e0e7057f59dffb2605bef14929f
SHA25626e6a898a3566366d3e4a5e05d3b4ce5e7a382c6710d6920cbe452e54f17b438
SHA5126689bc4c5928018b343fe856cf56a6328f6d56b06a0edf491ba7a8c1f7721eb03ec6fe1a91b154f6553261cd44c68122d7f932773c885e6728609632365feca1
-
Filesize
342B
MD545c877efd941cad51b9db6220341dcb8
SHA10d6a39a4e7e0f3505a88ee2afbd85c75ccde426c
SHA256a1a6ac5f54185ba0e63202b30fbb65c7083ac44c6f94779613341e59ef17655b
SHA512e3050f4ecb6caf19bb956d721c75c6f6d39bf87fcf96d5590597f8f2eb3e9a7fe0c6371483263fece02db830e244a1cd0cabaa666d3be8365df13210769cac2b
-
Filesize
342B
MD59edc573f973496b64438634b3e7da4b4
SHA1aeb605029c963e4b62f9518568fa0935f1d5bb64
SHA256a6f06deec42320fcedf45594169114c5ac30815659de5b91212ae4c18f22ce12
SHA51208f42f511d6ef0a2aed0d5e09621449847ff7218cb2c4855a5d8fade5a1a08bf687ebcbe76dc17c145ee75103703070601b34c6da964a0c22f01ef0b7fe0e1f7
-
Filesize
240B
MD5d051b0f48fb669659d4aca5147aca1a6
SHA1f3cfd83bb67e440c07e0087e835cb854b887d0e0
SHA256bda9115cc8094d14083599aa599000e2938cbbb8e139001c95e204f2dedacd41
SHA512940c4216d8f68a0cf24891b76fb1955f3cd094ad0f1b15b2c6af8d240b85c238739348d16ed97d9ed3c0ddd21d0e511c85a7db8c984d00549b6f87ea388ffc83
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
240B
MD5018ad0ac4864a03d3de2d04650f83cfb
SHA13373671f390e84760d3f76fec584fcbf72636d1c
SHA2560e5a645af67d6f3b48e16acbc99429e1e55bfd76ddbfcd1620f971ce7baffba2
SHA51251491d23580dee1f9c32ae742cf7c0d69b0c2d36b825b7e57caf23ce47551d6a8d369ba50cdd2b797c5ac3915bc5e22bec9499959085db25c66eff654dc9752c
-
Filesize
240B
MD52a923403ade363cb9146eb0fd20fe6e1
SHA138da5c0799e2cbb3b95a41df807b4621ed22f285
SHA25625fb8a8b9a9ece87d438a27f95e0afd4b468d52cccd82a51b6e103c3ee92fb00
SHA512dcc7765cac2919ef960e5c55caab709987929287ae665a3166447819efa239735ff770e85e245beaf324fe27ac6ef7a9046bc76bdb8af45b115aaa29bc4ad433
-
Filesize
240B
MD59f41b53fc6c20c1f685040091be47c81
SHA1af59feeff4bc05d64059a71a71042b0520177232
SHA256d5769ca818d6a4c3db4c27dc1b59e7ecd02e16d0504d07727e4616395f64d521
SHA512f8977e96337d956d64d42433e853845338815c90467e8859803be578b8947dfad680cec7dff763478bfc1239058d59b8e70b7d7ba8398da2fbb88b90d87c5da0
-
Filesize
240B
MD5f690f7078eddf21834095aa4eeeff20f
SHA1f581e67d6676dfe21931bbc50f086ff7bd938550
SHA25637d6e5ddb3fd24382a3dbc04d417ed68bcc2a1bdb357b3caa804bc7e18f2c48a
SHA512c19adac125406c464459804cd9b3be1db2ecd71d562f57cd18aa6fd488f3b3359d994837c7472e239d0e91dcb8dabd7f1b0e1d51e6f34b2e433f53ab82bc0e11
-
Filesize
240B
MD53d10ba52d31afee79aa83557e6acb8f6
SHA1b00b4d34e30ab5b2145f41df30db1a93675c7801
SHA2562ed5071206904c926ad9eafdec19873128ea5d76fd8267e6f024378303d7093b
SHA512dd80fac009e790071f298953dddad2fd901fa128469b5f043d9c346abe585a647ee137908bfd6639f03d91acf44c627d3daebaa183ffacbf2408358edf647efd
-
Filesize
240B
MD57ee2104e3112fb172d80405e73062cc5
SHA126f6f578bd250d49b0b8f14f8160c8460acb4dbc
SHA256aedfcf78adcd99f7f440fdae6b032b13f8f1fa0a4ba961c52c2606128c0c7775
SHA51290b969a98d6adeeee3ead56c0f28a3ee833e09974ae0f6be22c2ab425b3e9bab575ade1bef79b284133d3c0f0e4666e44c286a3dee662091e91cbf738d4b68fc
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
240B
MD5f5ecceb42261ed8af72f378229df2ccd
SHA1833a94328c68c99e6f301cd53d850f8d3e66494f
SHA256481f7ed4fd5b03cd80395087a4fac2f87e2dfd7b2ae55b4f6076c650d55434e5
SHA51214ebc863202a7ca8c4db3e08b42f628a213b0f7495ad2c0422695521367d1a79acfe5c164b916421bc7eed4cab38ae9501665338920f745e16722520886fd7c3
-
Filesize
240B
MD59ac8dcf96d6c5bf8e69ce9e26b7742b9
SHA1842f6dd9bdfeacd3f06cb12e1c551205cd9b7ea9
SHA256d978755962a49517176686c28bd57e06bc700358c4fd10bf87899dd6842c8dbd
SHA512d2ca6f386f172f3357ed040932537221eec87271fc70c6b35d36dd93c236952cb5c49ea43bf8a7f33c9271719b2951fa54e4615623a8f997eec9862d8538ea7e
-
Filesize
240B
MD51790779658414b5bad0a77c8159ceae1
SHA1d9c172fc0d45a49f4a9f1823b21f03093c234c2b
SHA25693a616b04efbcaed9f9052d437bb8677a3bbc04fe8ba447a7f9c995f430bcaa1
SHA512e8f25284bc1c804f8641031a85840026105d8ecd0b14037bb570a6d62486d7587b4c17acd0abd9def0cc60a12084fdfbf64f60215a8881c392527c7889636e76
-
Filesize
240B
MD58bab1863ba1c6664684d6b31e27a2bf1
SHA1b4d00f690f43fd1454cc17cf70120cbe3560cf30
SHA25634c20ce7eaf34b9e4471ccc928b7ebdc741b4dfa342e76db2e400095bd79cc5a
SHA512ec8b31c86368729c3ef98855716388c88c57c1190bc3ca536acc9a46172871631951f955fec76c426ff97007211f521b3f8cc19a18aed29e13909c7d005be686
-
Filesize
7KB
MD5bb862496d405a216f7b49f23afb98be0
SHA15bf7bd1cd788b948e257459593771243fb5f5d1b
SHA25621c58645211763be3b1546f3f876fb15ef74726ab1330b0798e919a112a958c4
SHA512a9cc81eec8ac20cd0be8eb1bce765698db1db155d83d4c57f8ad5c14e6952486bef061b98e8b7001f162938848bc28e0f903f573cd501ab6754c3d2b499ec542
-
Filesize
36B
MD56783c3ee07c7d151ceac57f1f9c8bed7
SHA117468f98f95bf504cc1f83c49e49a78526b3ea03
SHA2568ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8
-
Filesize
1.0MB
MD5bd31e94b4143c4ce49c17d3af46bcad0
SHA1f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
Filesize
197B
MD58088241160261560a02c84025d107592
SHA1083121f7027557570994c9fc211df61730455bb5
SHA2562072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA51220d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478
-
Filesize
1.1MB
-
Filesize
72KB
-
Filesize
1.1MB
-
Filesize
72KB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
72KB
-
Filesize
1.1MB
-
Filesize
72KB
-
Filesize
2.9MB
-
Filesize
32KB
-
Filesize
1.1MB
-
Filesize
72KB
-
Filesize
1.1MB
-
Filesize
72KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
1.1MB
-
Filesize
48KB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
72KB