Analysis
-
max time kernel
150s -
max time network
153s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
-
submitted
22-12-2024 00:59
General
-
Target
JaffaCakes118_63f95f6ff73ce356dc7d20943f3a6ec8c2b7d6021235478648822558cee8577c.exe
-
Size
1.3MB
-
MD5
2dfd7b96c6c19970a53dee83725e9e39
-
SHA1
c4a2837f05a464013514da1b9100a75613f1038a
-
SHA256
63f95f6ff73ce356dc7d20943f3a6ec8c2b7d6021235478648822558cee8577c
-
SHA512
7af353cc074d4daac7143d7efa543f6506185ca0a87d5a76de92483f47f85dc11f8d8004e3ef6b57ae1be2bc40cc517260c88c2db956bb55d1ac2b9bc17473d3
-
SSDEEP
24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 39 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
DCRat payload 6 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 14 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Executes dropped EXE 10 IoCs
-
Loads dropped DLL 2 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 9 IoCs
-
Drops file in Program Files directory 8 IoCs
-
Drops file in Windows directory 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Scheduled Task/Job: Scheduled Task 1 TTPs 39 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 24 IoCs
-
Suspicious use of AdjustPrivilegeToken 24 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_63f95f6ff73ce356dc7d20943f3a6ec8c2b7d6021235478648822558cee8577c.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_63f95f6ff73ce356dc7d20943f3a6ec8c2b7d6021235478648822558cee8577c.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\providercommon\1zu9dW.bat" "3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\providercommon\DllCommonsvc.exe"C:\providercommon\DllCommonsvc.exe"4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\services.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Uninstall Information\System.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\Accessories\System.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\AppPatch\en-US\csrss.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\dwm.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsm.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\taskhost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Panther\WmiPrvSE.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\dwm.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\DllCommonsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\taskhost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\smss.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Program Files (x86)\Uninstall Information\System.exe"C:\Program Files (x86)\Uninstall Information\System.exe"5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zGIMjSYhT8.bat"6⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:27⤵
-
-
C:\Program Files (x86)\Uninstall Information\System.exe"C:\Program Files (x86)\Uninstall Information\System.exe"7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vad0LeRbBz.bat"8⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:29⤵
-
-
C:\Program Files (x86)\Uninstall Information\System.exe"C:\Program Files (x86)\Uninstall Information\System.exe"9⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uq0hdwOOBc.bat"10⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:211⤵
-
-
C:\Program Files (x86)\Uninstall Information\System.exe"C:\Program Files (x86)\Uninstall Information\System.exe"11⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rBMLF9HJtT.bat"12⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:213⤵
-
-
C:\Program Files (x86)\Uninstall Information\System.exe"C:\Program Files (x86)\Uninstall Information\System.exe"13⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JbtrqXgYk1.bat"14⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:215⤵
-
-
C:\Program Files (x86)\Uninstall Information\System.exe"C:\Program Files (x86)\Uninstall Information\System.exe"15⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ssDSZpddA3.bat"16⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:217⤵
-
-
C:\Program Files (x86)\Uninstall Information\System.exe"C:\Program Files (x86)\Uninstall Information\System.exe"17⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rcE1qBYVKA.bat"18⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:219⤵
-
-
C:\Program Files (x86)\Uninstall Information\System.exe"C:\Program Files (x86)\Uninstall Information\System.exe"19⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hiVaTihpWK.bat"20⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:221⤵
-
-
C:\Program Files (x86)\Uninstall Information\System.exe"C:\Program Files (x86)\Uninstall Information\System.exe"21⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\providercommon\services.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Uninstall Information\System.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Uninstall Information\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows NT\Accessories\System.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows NT\Accessories\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Windows\AppPatch\en-US\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\AppPatch\en-US\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Windows\AppPatch\en-US\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\dwm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\taskhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Windows\Panther\WmiPrvSE.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\Panther\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Windows\Panther\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\dwm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\DllCommonsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Users\All Users\DllCommonsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\DllCommonsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\taskhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\providercommon\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
342B
MD571d7ffdd606b006b0c0fcf2b102e9a78
SHA1990d2b8cdb5efbe4112d311b80780fa910b93f5f
SHA256a0a33e6a1e76ed844365d45e64a261475981cb95f1dfe9cbd819414140b6b178
SHA5129f7669d10f41a818145edf6325115644709a437c08621926847322fd15cbb09149b7f477e5f8fa760acda50960f593796aed6764cd155df223e4c439ba095d4d
-
Filesize
342B
MD5da19251c6277558621f7828c8e941182
SHA110b1543e949270b12f5d7c37eafe0f5e10c7c2c0
SHA256e4ac71d20163e89368362ab4aa249c6e0540724e2165c1ea05018911a69f81ce
SHA512631c3f529809987462290e2a3e6f826760236488648ad2cef5b957fc2d3f90df1dc6f11e7bc46e88eb6a98c4bc92353556163e455bad433c379ac17b8969787b
-
Filesize
342B
MD56f3adc9f4506b43c18499861b48d3b16
SHA1e220b9a35c161596c67232b974650afde489bd72
SHA25630c1ec9fdfb65a5760c6fb870fd2c0ac159c66099222b17b1daad7bd0b022775
SHA5127a9ab238c10af4f52110af64da2c9feb0cd46388877aa1caa3092300b22f81e38710afd7c6f688212f49932b481c9cfe17dca183ed02d6fabcd9d969326b9924
-
Filesize
342B
MD56c03e04ea1bd589bef0461df1fc4cc80
SHA12068dcd5b18ea0882a61c30fc65282a1537d9dd5
SHA256e58fb02d79b74785d7297cee13b944831633e90efa4e590ba33dd5a6890f6dbb
SHA512ac06d6da1064000c0edeeccd914604355e2ba7d04de88dad7a048f3e80eb4e7119b820b1ebd2fcfcb64f9e553194c81aac9bfc9b69e2c29b8e7bbfcbe42bacee
-
Filesize
342B
MD5528a2eb897a4372f3099383f34fb252a
SHA12712b7aa662318f573600fc699039ac093893d00
SHA2561484fa07fee35ec72e3bf1691e2b9b8542e3fa4494dcdada4b93ae85f93e05ba
SHA5123303d617c2436507705a5cde75e768ba4d2e92f364bfa516c64f5a49c04761806a589c069825475111f90f4494ed3a70ec276950d66681e917225b8ef0ddd770
-
Filesize
342B
MD53310838d9087d9958518e0fcfc3826b0
SHA1e1f7499510cd5d24dbdcceda6e03936394d1179b
SHA25645db3b2ba5541749cab71ac7ad4bed2457003ea4f0387c9a41f5939f23d5a9cd
SHA5128a8d6d90c074ddf5df6f67ea82b065bb902ac7d8063203ee07ef855f7405540567a0901d53845947893b74d3ba119f4a1a0f460bbf768b75ad7efd081c7d2841
-
Filesize
342B
MD56f440c69b4bdbe254352613064866713
SHA1d715be1c0f98755b80f622dfea872ed7dac5f76c
SHA256fa906a19bb4492bf706f8097e7c810bf5e46a2bbb083026fbf616c1978f0268b
SHA512f813462df2fb58d7d4648ec86ec99c2202842bcbe7c23373e56920aa8a6179385fd152a868771b06614bce67a366c0674438258308adab5b98551e4c6ff482e5
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
220B
MD57a78a2b95cac1f209359d4dc200fc453
SHA1d59f1f2a87242b38f8ea0b423384f908749cd33b
SHA256ff98bcd526afc016411bf0720f708f3eb3ba388583e225f2f23bb992c7cf621d
SHA5129ee06b33d34190bec60b851a327b435fa06b56399936de23832c496e83396f84ba41a361609d3f7a47c3097a4c7216883f38c0e0eb175c2a168487cbc5467b95
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
220B
MD52ccbfe9b9ca771df517357a4f648c112
SHA1d5b2579689c75a9c1422a4e276b49f0011dfa48d
SHA2561ae28081fe7e0e605e8a2d1ddc38ca2d953e2803d6a522b6a3de6604da2ee830
SHA512199ac78d6a6393c5d79b8d204fd3ea9cad9d7f261e2a46661b7bc81cae2be9d857406362656ec9dd2c5ee923aa7596b7fd9b48e5932ba66f6995f1f5b1e56199
-
Filesize
220B
MD5341d285313e2f27032817931dd0916f7
SHA1c8f07e7ab6e6933500e276f087a8aa911fde6b99
SHA2565f27028183f2cdeddc5aedf41dc5484b6ac91fee57afa10e7ab4ffd3415eb31a
SHA5122a8afadf7778fd9986a0d8acaebb138ea59bc5a2c107257ea1f60936c0c00164522cbaa2aadaa0901faac4cc786f01660545f8fc80d22023f3c0ff5c56906859
-
Filesize
220B
MD5ecc2769809e4344f84db00c165eac0b8
SHA178eda860d3ddb16aa14e99b98c7c5a63b3fc595b
SHA25633c26f44c3dda8d77e9917bc5b85969b4d20b91dbf86b6cb680f8337e5ff4121
SHA5125d118b34e75e6250dc6e8413a75dd3d11594656b7f638e8ac44cda46167c7e000e1f67dd1f1a4ddaeba964fe924ff855fe337a47ff4f48558f7920144808c44d
-
Filesize
220B
MD5f7a26063c28fc929c7a1a13560ae8890
SHA14d1ada497cfd3066fc2997d67f96b05e52c86588
SHA256392a7735c9a765c11ea159c01216133f1fc867061301c00a7a15d261e8e71fa1
SHA512d981510211ae1045109b03e87f3d4152199fa671536e6dacb5669568e0350600f3191235619af5f1d3ebbd4cf0bac7156997f165c98adf386ad1a8e717c4c94b
-
Filesize
220B
MD51b46b81ca553ea87280eced899960942
SHA1906ab2f78cebda8466b43477757f42cef8166361
SHA2568e1230245a1a51d3b08f5926bf08ab4adf0eeaa0a868b0d4ead319e98b4fdf68
SHA5126344ea486e92c797d5a5239966ffd51ac784dfdba34b652cc0e0b101af7d39e2af2943016ef4b2783981fc65b2f98af031a0ffaf3b3b4bf3679f460925f5d7a2
-
Filesize
220B
MD5936f9cdadd6d84be4d89eebea4648826
SHA1a2abcc814ab9aec5a7487fa3130f3182646f1258
SHA256f27345437abde536e089950184ca8f3012e19ef7578dafc00901289e8b8843f1
SHA512d2f7262fd0896a4b7cffe71f202cddd238d50b8708ded49bcaacd2aff6e426f415474f4f2fba4dc87c05312b579ec43db14338d2745153c106120b86714bfdae
-
Filesize
220B
MD5e443a95ddd844511bc1e677233a4f80b
SHA1e878dd7422b566f297d1b9d859a8cbcdb59e55e0
SHA2561175f37e349ddae6ddc0626118ffbee21cd0da4265b7ee687e2a38d459575ac3
SHA512e23fbd467077f26c912b65c8935cf0f871aa6c7f6aa61a9f19ce951c2ad6e6e74c2b050be6c247671a5c865f5bb713c612d2e036f3e68aa9b1e2031f14d65709
-
Filesize
7KB
MD5a65da73b7f3aa1023c801acb3dece4bb
SHA1a16ca741d5f47016b768ccaceac8beb900c46790
SHA256678077606422ce06990c9467a4bc472d9d7d5a36fe21b4dced7683a6a30e538c
SHA5124ed6303cbe36210d61fd92c7c771f77df680a0fc4bd285f10cccd82a38cab6d5ce4aabdd57fc1f8750ec835765155dc0c114c4ad832fdc539cae839e09fca375
-
Filesize
36B
MD56783c3ee07c7d151ceac57f1f9c8bed7
SHA117468f98f95bf504cc1f83c49e49a78526b3ea03
SHA2568ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8
-
Filesize
197B
MD58088241160261560a02c84025d107592
SHA1083121f7027557570994c9fc211df61730455bb5
SHA2562072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA51220d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478
-
Filesize
1.0MB
MD5bd31e94b4143c4ce49c17d3af46bcad0
SHA1f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
Filesize
32KB
-
Filesize
2.9MB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
72KB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
72KB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
72KB
-
Filesize
1.1MB