Analysis
-
max time kernel
149s -
max time network
145s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
-
submitted
22-12-2024 00:24
General
-
Target
JaffaCakes118_d91238b4e363c8213cce8303a78d9d0670d3cc544264c70c285dcd656c960e08.exe
-
Size
1.3MB
-
MD5
c35463964e2c878c6e82ad5a3cac452d
-
SHA1
60105fc4449526aedc476da0961f6754316ce16b
-
SHA256
d91238b4e363c8213cce8303a78d9d0670d3cc544264c70c285dcd656c960e08
-
SHA512
4631e764b04cd4374def1aa9c85de2e156270f3dcb8fb726d823232c9c2571fbaaaac8b79d61c382d5a9dd754737522953089fad7b2d410c1bf38de84837c284
-
SSDEEP
24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 45 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
DCRat payload 13 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 16 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Executes dropped EXE 13 IoCs
-
Loads dropped DLL 2 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs
-
Drops file in Program Files directory 14 IoCs
-
Drops file in Windows directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Scheduled Task/Job: Scheduled Task 1 TTPs 45 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 33 IoCs
-
Suspicious use of AdjustPrivilegeToken 29 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d91238b4e363c8213cce8303a78d9d0670d3cc544264c70c285dcd656c960e08.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d91238b4e363c8213cce8303a78d9d0670d3cc544264c70c285dcd656c960e08.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\providercommon\1zu9dW.bat" "3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\providercommon\DllCommonsvc.exe"C:\providercommon\DllCommonsvc.exe"4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\dllhost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\winlogon.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\7-Zip\Lang\cmd.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\Idle.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\CrashReports\conhost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\DllCommonsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\spoolsv.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dllhost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PLA\Reports\es-ES\dllhost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\conhost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Cookies\DllCommonsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Google\Chrome\lsm.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\DllCommonsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Documents\Idle.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\WmiPrvSE.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XlxSCVjZUU.bat"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:26⤵
-
-
C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\Idle.exe"C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\Idle.exe"6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hC9SSnetfo.bat"7⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:28⤵
-
-
C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\Idle.exe"C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\Idle.exe"8⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KtkjGbmHOL.bat"9⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:210⤵
-
-
C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\Idle.exe"C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\Idle.exe"10⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bbT3NvUu3s.bat"11⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:212⤵
-
-
C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\Idle.exe"C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\Idle.exe"12⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\15yWIDpGaf.bat"13⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:214⤵
-
-
C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\Idle.exe"C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\Idle.exe"14⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ffEuziAK6w.bat"15⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:216⤵
-
-
C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\Idle.exe"C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\Idle.exe"16⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\M2NHsv551y.bat"17⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:218⤵
-
-
C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\Idle.exe"C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\Idle.exe"18⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Q3ZRkRg4YZ.bat"19⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:220⤵
-
-
C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\Idle.exe"C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\Idle.exe"20⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\etpQuxQFPn.bat"21⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:222⤵
-
-
C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\Idle.exe"C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\Idle.exe"22⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WPmuDeaX4D.bat"23⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:224⤵
-
-
C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\Idle.exe"C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\Idle.exe"24⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IrNnSCw4rJ.bat"25⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:226⤵
-
-
C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\Idle.exe"C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\Idle.exe"26⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HZWv28qLDz.bat"27⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:228⤵
-
-
C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\Idle.exe"C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\Idle.exe"28⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Portable Devices\winlogon.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Portable Devices\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Program Files\7-Zip\Lang\cmd.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\Program Files\7-Zip\Lang\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\Idle.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Google\CrashReports\conhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\CrashReports\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Google\CrashReports\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\DllCommonsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\DllCommonsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\DllCommonsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\providercommon\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Windows\PLA\Reports\es-ES\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\PLA\Reports\es-ES\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Windows\PLA\Reports\es-ES\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Portable Devices\conhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Portable Devices\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Cookies\DllCommonsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Users\Default\Cookies\DllCommonsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Cookies\DllCommonsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Program Files\Google\Chrome\lsm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Program Files\Google\Chrome\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 12 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\DllCommonsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\DllCommonsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 9 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\DllCommonsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Documents\Idle.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\All Users\Documents\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Documents\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\WmiPrvSE.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
342B
MD565f3ac0bb6bb32db677e8bbf644aecdc
SHA1d5528c69c17611ee1c8ca51bfd59f02c2d4295e1
SHA2561f5e290bc0f503a951342d2a2e8d345c94249cc1400701628ba67a0b768e74e4
SHA5124e3a7583a49389a92ab8e4fe6b2604a23b5406c406d20e1b094514532b3f8367494b5e86e0775cf1c0fd2e33b79cc5ff62664487b97d63c53674cf46f804d635
-
Filesize
342B
MD5a9a7fa3bf11688579970729e1890590e
SHA1fdd2516ce0e97dcb23fa3583492e54100532de3b
SHA25641a5775bf67aa24475c8918c1f909ce7e7494fcf1f57ffb9e284aa8893cb413c
SHA5126c07d63072705716077719e1899158efa6d63230f29b2a803fdda9c7eadc9e43d1e72f8adc61c67203cd94b9329b373f51d522233d2aa5f7bf724054cd093765
-
Filesize
342B
MD5f822866107798aaecfc1451600adf6d5
SHA1c396e8a87c42183e21c5230aa6582a1cd67509c5
SHA256e8dd2e0db83ce9008bad67709e064cbf592d99bf75b5aea551a3cec4eb9ea715
SHA51273bee04d649fe2f09b51f6c0118b18fee98e5dc49f15baa870495cee02ffe61fe71b39cc06a94d47cd851f82017d02789d1232ed7d483bb4696bc416a7798996
-
Filesize
342B
MD52c77be76395bd86271e2b3f103a3136b
SHA17ef184eb1bf4f5e23729b8afc562d1513c74e87f
SHA256e8e95986cdc653ff673f4f071c5b8ec2235e67671d2993cf270082e800986f89
SHA512f931758ef44b970bcb4e9d7660864f9c0e1e8a23a9e42e11de4de3d507937a61521774df7b36ee5430ddc5ce35b3f6f2a9825e045c265f6b5891e8d7a7b421f6
-
Filesize
342B
MD5739e63cde743ebbbec0d6aed6a07f1ce
SHA16c0244e47ad715a6f474ca754a66f10ca89e356a
SHA256aca3e3784edccfc6c4768f9e7e712a26a1ae09c0e08fbf5ccfa1ef3f46f28405
SHA5124b29b2610daf6ff8ab8f08ef28713fd57cfc9b72bf4612223cfac387dfae8022ba46abaab2b6d1c764a084f88028cb86a6a1d8be3df69e17c17166be9d79a75e
-
Filesize
342B
MD57fb4ca2262c3ab0495fd842192de7708
SHA102f8d25093b936a76d39608b3d13a294d2ba7817
SHA256212bb3f9c0dea40ecd3c81949f23b9c04f18aeaaa26dde616f1cd67dcf0f57ec
SHA5128873e8b2e5398b12e02dd201ff4b71418826f94c6c79cc7d94d1ebe247bd66c448cb8f65ea719ffed9203d5daccabbb18c888c7b70c21f8d3c5a2d5ece385249
-
Filesize
342B
MD5913637a3e7f766d10017b1d49d92fb84
SHA1e799ffa2f1a970f216c172c1681eb6557b7fc098
SHA2569ca2f266cccc7c6dd28cbe7c7691b0d4fcbd0cd34f58e7c9463f2b303f15a978
SHA5120478f9c37515022c706830fbc8263eb283ab28ebb37a3b27912ade061da6f77730ebc172c9b559d1c534f5ba8cc55f18696346d6e828bd923752da77eecd488b
-
Filesize
342B
MD56f0b4df117bbaee936018ed5789c7960
SHA11a12dea8b5e3c0310d07515eed6ad38ee31458eb
SHA2561d3b57382b61773ce30593cbcf0b55a6ce74edeac310938b1bee8d2e60c06f63
SHA51245f2f8dfd4c4d50027839c7b4985c24f47711fdea88e6f20c1322b3f92dee3da3b19ff80a85a9408ab2b4b92eec86af8c571651a184f6fdb8eabf4481d107fc5
-
Filesize
342B
MD5120aefdea76529d712c9dc7cc2929124
SHA15838f0f9f063d4e752436947e22e36bb7b4ef56d
SHA256236ad33369a2a232a4a286003a4026c0d9ecf265d63ff0ff4120f10c6a6fd83a
SHA512aacb31a89edfb2c596dd4ed12b96c112812d259e850d794b8d6223df8e04485f3169d440254b6bfa89b78d1b2695b7dd622eeb7f6547006462c73e45c03af158
-
Filesize
342B
MD52afaa207e1f49257259c3c52570478d5
SHA1a046120969c9f3262790d0966d037e1fd6947f0a
SHA256b55511c90f7fe73f4aea9253d9553876f014390864405fe51ea00e86c936d3bb
SHA512e10f21f700119f67d3eba5a992dac6cf92c0c34cf840201e57bb9c8b72f9c87fa5a78bde763fdd0d359cc994e60eec891eccb583e2549daa097a138ac06b0773
-
Filesize
222B
MD59869c1204cf3be215a564991ec99289b
SHA1574e530de06fa1a43ae7f480a77c69099fdba3e2
SHA25628fe5a42068a657bf332474c30ee978861bf9cb5dff898782b15a528d18caa28
SHA512a2585c771c2a2532c1df891c986f0a7e057c9d385449b1d689ec575e2ea3d93662ed1bab71976627fa357a7b7c34ae258394e0e2acccb60d8e5733909333dafe
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
222B
MD5cfa042cffc36b1f675f84f0d0b097407
SHA167e39c604b66f0d865ac70435a80d7bc322e3278
SHA256ed2bae5efe54f091c684128889391c0d3f59c5427c4bdce73246a0229fd8db03
SHA5124f6958d49a6c8b8fd4ce9dc2892db513da2a5278e3ab0ff40103187f9a551e2de478999b040d691cafd21426f775bcf96c8caa0c45177ff6d525ced33f197418
-
Filesize
222B
MD5382781845eb0893b41a9c91b287588ae
SHA146526cda47beda654d62c5e197a2cac0724d81ea
SHA256b69e921dbef3941237b601da7805fbf37b0f1d26658d6ff315d899ba85dbfb5a
SHA5129aa227370c16fad6e32167ddab16d1a5853c24ebc4fdb3c883d547d35d8c5019646497ba811c20f4b79a77e255375f0431817d9658f26fa24106a661c91cb1d3
-
Filesize
222B
MD53360ac15692b6bbeb12a2e528479b4ee
SHA1dede1604eec1ddda32b0606713679102c76f0f45
SHA256949c64fbe07986f58289cc185f9f1fed411933641f025048506618887051e2bc
SHA5124dd818f8dd497b9c637479ba198db790a9c0bee13688569d2ee71447c4a922dcc855d2ab9417c4459e38e75fa5c5cfa705da9a822477093269c89c3503c267e0
-
Filesize
222B
MD5b73fa86e57e695272789ae14d838d765
SHA183bd1b7a96396c7d935d0b39868cf8386530a3eb
SHA256c5efa5118bd1bd1b2c37cbe50caaf2393b2a306cf1ca9db881cb13d9c7705b44
SHA51224763553750336473bbe88f07b3f2d8c4d4701e6f54edbc2de1735c5b69b1201125ba6f76b4f66997ca115fc1df9e34fa399a548bad9ed002186684ea5ec689b
-
Filesize
222B
MD50e65697e8ec72504460722ba4a02a18d
SHA17ae90eb6220061bdab19197f7e7ecb7344afc934
SHA256d7a5ed55ad7c2ff1db0e51ea4140ff1d58f1549a7fc07342f8ea8a9052a35bcb
SHA51223b74ac1251bf083a27b5ca7c6abbd58e55a52680887c0ee5ba471ceee42f91dd8a760b93a09142267d3b1c5195c312b2d40a60cebecb4d147a4956a7897c506
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
222B
MD54b390562ba09a912f04bf407e88c3fb7
SHA10da51f1c5d88c019d1c9faa7beba9918423fb155
SHA256db25eff2fbf829cdb9be6caf697289a81be1ffb77456ca0f770a9979af3a4cd5
SHA51295244320f2ea995c47b2a05845591986028d6928b6a8a30f7a45ad4b909595923bfc49b14e9ebd4918b0fefd97334fa62810fe694a715962b02a0baa60ae3f8a
-
Filesize
222B
MD57f8a9d11e67ce7df017ab2a594061f52
SHA176b9cac77525f37fb7a059231bd2841723b83624
SHA25609b917436a60eba204d55a50c937aa3f574dd659e681b9f97e7b7e7a3df519a8
SHA5129c807bc31deeb6de22c5e1a9759bb81674ed11b2dffb11116b961e2ec8c63cfa762f5309744573f19d379cb4c37171868ca4e26a1e7a64bf080db757eb29f04a
-
Filesize
222B
MD57f9c048f3822fb12e1ea83caa94fcfe2
SHA1276697175fa5824fbf6c336d83724d2dea34dea1
SHA256904c1e6f2f5874d9acfc26f5717ece98a340f40c7d6a9c6c365eb7834283fb65
SHA51252ba936d0f5a18e2a5d39503cc1e4903abeed0550795e6b84f7b1099bf7af3720f80198336b3ac026fd5ed3c5c5c874460d4316e6436e21cfeed40a5bacf722f
-
Filesize
222B
MD51adc2f9a80de9b68118268c7a3bde1c6
SHA1b422c1075f5614a87769864ff3a9d8be16bf1b16
SHA2565dc2ea1a52289c31482e8935a104cf935dc955c1b56d6fa353683476d15a6bb6
SHA5121e69bc708b99338444b5e9e654b4bf720934ff333054ace8a534df444288c23e5275b81f03eff43c8e02e73f9db3391b26f1dea5ed979f69b42a10dcf1aaa64f
-
Filesize
222B
MD5fb00e8f5c1e9e89b6af1b11516e28fd7
SHA153b25084f30c054e32d84f140fc0e059c390d5aa
SHA256e8ca95c22fafd18c5c14c4f9dad7185e4e849290b2b041289b41e39014b8f8eb
SHA51245d512a176b89ba30037d6e73a43c854b5d30eff684c76ad865fd8b347955b26a6bcb8e2d25d4962ee1c5bb209f59e2c257d4191bfe4046cb8bd39de70dc87c8
-
Filesize
222B
MD597375e4fc1961de9663cb1756bae2239
SHA17748d52f8120e6f13da0f21c6e0987943a45cc1a
SHA256bfa3b6fa9f6bd895ce00082546c2f0d228883fbcff987efb5f4d9c2fb6ad4cb3
SHA5122ac449e197187d31a47c3816a23f7c6d69ed24310f576aaace2926d954ee284816143b0050deca8278fdfa90b82c62b7edaef8156eef245402fda4a1eb8a228a
-
Filesize
7KB
MD552eda292b0bb048f566e561d33bde6c5
SHA15cd1dc0436da33c23cfa31f0fa7fa52c984a3729
SHA2561303067252a4fea9b63d1101aff7f8c07bb8e7b3ad9a4c5556b249d112d481cc
SHA512582c0fea3cb1c4119335543930ce54d09e84e69b7ec8803742517b16284db4ea8704b7562b3762781d2f6f69e76f0a3c2bba3ab90c4eaea76801f07ca6c43e2f
-
Filesize
36B
MD56783c3ee07c7d151ceac57f1f9c8bed7
SHA117468f98f95bf504cc1f83c49e49a78526b3ea03
SHA2568ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8
-
Filesize
197B
MD58088241160261560a02c84025d107592
SHA1083121f7027557570994c9fc211df61730455bb5
SHA2562072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA51220d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478
-
Filesize
1.0MB
MD5bd31e94b4143c4ce49c17d3af46bcad0
SHA1f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
Filesize
1.1MB
-
Filesize
72KB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
72KB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
72KB
-
Filesize
1.1MB
-
Filesize
2.9MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
72KB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
32KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
72KB
-
Filesize
1.1MB