Analysis
-
max time kernel
146s -
max time network
142s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
22-12-2024 02:00
General
-
Target
JaffaCakes118_dd810987dee86ad4621efa2e580838af295ce257d47c41a97c98fe2be32cc1cc.exe
-
Size
1.3MB
-
MD5
f881b76d06402dcf78ca64540da3d9f6
-
SHA1
ace8988ea925758dacbb0a2bb135f2a0c994c890
-
SHA256
dd810987dee86ad4621efa2e580838af295ce257d47c41a97c98fe2be32cc1cc
-
SHA512
d60449ab08172e4bff713be4add0f04746f79a24662a3a3cc717a138b7bb2ddd93cd4ae401cfbdc311f1f6784811944bb6f0306cf089924c569a057565137fdc
-
SSDEEP
24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 54 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
DCRat payload 8 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 19 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Executes dropped EXE 12 IoCs
-
Loads dropped DLL 2 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs
-
Drops file in Program Files directory 12 IoCs
-
Drops file in Windows directory 8 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Scheduled Task/Job: Scheduled Task 1 TTPs 54 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 37 IoCs
-
Suspicious use of AdjustPrivilegeToken 31 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_dd810987dee86ad4621efa2e580838af295ce257d47c41a97c98fe2be32cc1cc.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_dd810987dee86ad4621efa2e580838af295ce257d47c41a97c98fe2be32cc1cc.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\providercommon\1zu9dW.bat" "3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\providercommon\DllCommonsvc.exe"C:\providercommon\DllCommonsvc.exe"4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\OSPPSVC.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Migration\WTR\lsm.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Offline Web Pages\OSPPSVC.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\dwm.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Google\Chrome\Application\SetupMetrics\smss.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\TableTextService\it-IT\taskhost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\debug\WIA\dllhost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Games\Minesweeper\ja-JP\dwm.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\lsass.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\winlogon.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Favorites\smss.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\en-US\csrss.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Google\Chrome\Application\explorer.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\Idle.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\assembly\GAC_MSIL\DllCommonsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\spoolsv.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Program Files\Microsoft Games\Minesweeper\ja-JP\dwm.exe"C:\Program Files\Microsoft Games\Minesweeper\ja-JP\dwm.exe"5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hANH4lx1y1.bat"6⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:27⤵
-
-
C:\Program Files\Microsoft Games\Minesweeper\ja-JP\dwm.exe"C:\Program Files\Microsoft Games\Minesweeper\ja-JP\dwm.exe"7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DJG58brWjr.bat"8⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:29⤵
-
-
C:\Program Files\Microsoft Games\Minesweeper\ja-JP\dwm.exe"C:\Program Files\Microsoft Games\Minesweeper\ja-JP\dwm.exe"9⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TEfATY8not.bat"10⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:211⤵
-
-
C:\Program Files\Microsoft Games\Minesweeper\ja-JP\dwm.exe"C:\Program Files\Microsoft Games\Minesweeper\ja-JP\dwm.exe"11⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wtOcRLEbie.bat"12⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:213⤵
-
-
C:\Program Files\Microsoft Games\Minesweeper\ja-JP\dwm.exe"C:\Program Files\Microsoft Games\Minesweeper\ja-JP\dwm.exe"13⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kRqsvBC5Qb.bat"14⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:215⤵
-
-
C:\Program Files\Microsoft Games\Minesweeper\ja-JP\dwm.exe"C:\Program Files\Microsoft Games\Minesweeper\ja-JP\dwm.exe"15⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0x9T38u1li.bat"16⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:217⤵
-
-
C:\Program Files\Microsoft Games\Minesweeper\ja-JP\dwm.exe"C:\Program Files\Microsoft Games\Minesweeper\ja-JP\dwm.exe"17⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yJyIm7wr5G.bat"18⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:219⤵
-
-
C:\Program Files\Microsoft Games\Minesweeper\ja-JP\dwm.exe"C:\Program Files\Microsoft Games\Minesweeper\ja-JP\dwm.exe"19⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uruRJY5g5x.bat"20⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:221⤵
-
-
C:\Program Files\Microsoft Games\Minesweeper\ja-JP\dwm.exe"C:\Program Files\Microsoft Games\Minesweeper\ja-JP\dwm.exe"21⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\x4tck5X09i.bat"22⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:223⤵
-
-
C:\Program Files\Microsoft Games\Minesweeper\ja-JP\dwm.exe"C:\Program Files\Microsoft Games\Minesweeper\ja-JP\dwm.exe"23⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\be8zRZs4e0.bat"24⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:225⤵
-
-
C:\Program Files\Microsoft Games\Minesweeper\ja-JP\dwm.exe"C:\Program Files\Microsoft Games\Minesweeper\ja-JP\dwm.exe"25⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\OSPPSVC.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\All Users\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Windows\Migration\WTR\lsm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\Migration\WTR\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Windows\Migration\WTR\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\Windows\Offline Web Pages\OSPPSVC.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Windows\Offline Web Pages\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\Windows\Offline Web Pages\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Portable Devices\dwm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Portable Devices\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\it-IT\taskhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\it-IT\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\it-IT\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Windows\debug\WIA\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\debug\WIA\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Windows\debug\WIA\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Program Files\Microsoft Games\Minesweeper\ja-JP\dwm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\Minesweeper\ja-JP\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Program Files\Microsoft Games\Minesweeper\ja-JP\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\winlogon.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Favorites\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\All Users\Favorites\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Favorites\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Internet Explorer\en-US\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\en-US\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Internet Explorer\en-US\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Program Files\Google\Chrome\Application\explorer.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Program Files\Google\Chrome\Application\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\Idle.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 11 /tr "'C:\Windows\assembly\GAC_MSIL\DllCommonsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Windows\assembly\GAC_MSIL\DllCommonsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 10 /tr "'C:\Windows\assembly\GAC_MSIL\DllCommonsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
342B
MD5a857d3646e8c4eb3cf86d575352301f8
SHA1a1dc8ebdf49a03a1f4b7e340d478a134019b1ac7
SHA2560c5c353bb0d1a6db618dea95a13f7286ebc578084c4767880d9c460d70bdc5c5
SHA512d360717617641ae286e0a29cb140435ebb4685b8aa809006f83053f67856d4801849fdf6d42419e4b0b6e22ea91fa5a16f46145210cdef4490ad472d650b291b
-
Filesize
342B
MD5cd150ec0b4151fea54ecce79ed6e1249
SHA14f906d9fb07a7325922d6a0229302c36a2198d74
SHA256ca24708ccdc8680730ec8d1448b95415e6d7b5ea4b28c9cd1610b7c70af93e59
SHA5122a220917faaec88c4baed7032f62d4516f300b7d45e44dfedd50a7a56304dd582f215b689e50f350f3db8014302d8610e062fcbfa2f104078b84aade50134078
-
Filesize
342B
MD5b0204771214976f7bdbb33fefbcb3c57
SHA1406a4c3e218a5c654c9a7c41f2c1d633f0587885
SHA2569a780b9f8088a98fc39134ddf624a0259ddda039bc12258fe4c2d7fc1d29922d
SHA5123d79488cf38a16c4ed1e1516aedb2ef271635fde330c2f96c91a56aec57de98df2b9af613391b26d8811081546067323645bafeed759c6c26ffae003131bddde
-
Filesize
342B
MD56f7b6ce319e8aa017af75914f35d7220
SHA1ce173c6627d802a38623262e0ee546bfa86957f9
SHA25694bc62092af3959f997c80c75d6d36155c4ff926cdab25c4f848c5b96386fcc3
SHA512162403a7f32a1570023c1720d10d2d307ccc40ea25ee7a5a4370f65ffda66bafa1d193983aea59017e47e753d14eed9f507e26c959314d1cf8c8f6bc482649d7
-
Filesize
342B
MD5ac1e9f81fa67e4943b0a1731caf44103
SHA1833219a68a35021e05c3dabbf85ed43bcd0b9ed7
SHA2568654b63a6f356af177be9e06062f53e6f1e5b683cd9dc4e70936c828ebeb02bc
SHA512145584479485536d5e7be85ee050fbaa24fa0d5748ca9e41dd9f8dfe6cdfb315631b170c5494fb09e59d1bd94eacabf799fc9e56babef0ee5be78eb8dbda717e
-
Filesize
342B
MD5152088c427b713d98b5a0e934bd07cfb
SHA1f27cc64ba3723e53e8d363608c63cee3a2fb2a93
SHA25625762b019b7aa0da39df5283ec6bfc95c024c1249c732ebd3843f647485980bb
SHA512a97cbef002c257ec224696899b7419a16a03a40a8eea461f3165a2b44e8ae78b88d9cfd09116908f2432f0030cbf63024f093236515c15f982d554efc195b502
-
Filesize
342B
MD59e6a5d2459da1e1e744b71cb2eff2471
SHA1991bd74b830f746baf7e45dd48eed1854a7ebd5e
SHA25653608b22ca909adebec671a2321e2523c7dc18f79247f176246adb6437121236
SHA512b608266a55832e8ef687f5ada29e11b4d74612c7f6fdfb4590772d63dc61d6f03a1e1e32673b72620062dcb244c6c103fba8e0a30e02f3d89e709332a7e971a3
-
Filesize
342B
MD575478524c9b18c18b6ba2c4b016db72e
SHA12bddae009b2733d9384dc3b3abacd8aa1b2bd6ab
SHA2569221d7816eb40c31fb394b195ec33e727635022980af684d3fa55b778bdba526
SHA5123dc715924f2300f9598b0983fffbfbe8366c0c6687b07dcfa3d007037209885669685c8fa98099ac6261d3b89b193038dbc6d1cfa27e0de3f1f4eb98bc3af5c9
-
Filesize
342B
MD5b2cd14a5a77c4a8ac24f3e8789139a94
SHA16f77032c3ada76c4234b67795bdb39d79e9aee1c
SHA25669f091ac08c66dd4ea002d3cc7d3646dd579615b2d6182207c389738e68b9de5
SHA512231a2ab55bb5a6f5ba20f21d7b45e42177f7f7f72ec0cff1cffa661c4015521d8fba83d3195828b78b509ab3c32488dfade756c82a754a764383ddf481e128bc
-
Filesize
223B
MD53e85e35561e3c313e53cf84f35535730
SHA1a5f1c22ac7325024de0749d8723144acacd4a471
SHA2563c992295274ed70bbdbdfb26463a2993767f5f82f9cf93f39851b17a8b38eeec
SHA512e4bfd0196349fce06599278620042e0097776bc7ad0b2aa304bcdd1000c87c151dd665e85751052fe3c26f2b9df764ec24423788f7069b0a2395d2acc0d4d816
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
223B
MD53cc7776604e667564f78da4f80e5ae36
SHA11a6c876690bc2820a79f9e8d9c5a21ce479e0c54
SHA256e906b85fd419cf7b106067d2eca586f38866708752794b92480131be48f719d7
SHA512bf1c7c664fc52fa19645989d6f597640a79b6e5b58d18aebb76141270dc2765da36df425431e0cbd42c1ae4aeca7cd5596e1d09431633368a0d80bb73adf8fbb
-
Filesize
223B
MD50da0426545d4ec1606f213247863d1f8
SHA11b76f2185d1088ee3e00788a5e77a0d9558d3d7e
SHA2567be72991b98aa7df573a12530ffb7a55ff464eb137012dc0edad9965ec813197
SHA51254a54feed11e15d9aec9dd72a4be7ad7c32d30c564241e67c72192756f7520b81795c57e367e2871a6cbb873a9f3c35026c12887cf183fca401ec7a469999ba7
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
223B
MD59835289d6b2e70c07feb72317be66d51
SHA1d923f74aa5e5b8fed01c0873a339f8ef5bb17c27
SHA256c98de6c3a4f949fa3548a2e3b5f69fc03c574beafd971718d60a05411e6aecd7
SHA5127e3fe50c5eea65f9d74f425ebdd2ab702d9480b1cc2e6a564e10b4d44a19d5fcef491cb48126dcc061e0cc168d4bb54acea1080f030cbb871e1d0ad5ece2d06c
-
Filesize
223B
MD53cbf8f788867408c1599de292fcf5246
SHA1ef0f8ec68fca75a87bc25b38b7d13f23aff73194
SHA2569122f8f48a138f1baf47b9a0b50e47648f6dbe37b2f1ea44c89d8048171bb9ac
SHA512b1f026ac58125bd48290be3f4b9438224f800eff2478027fb964ede7e290f7d0942946262131268bd6506d90d6dd6701f71ab0a173529abda424ed774fafddd1
-
Filesize
223B
MD552842dfcf117576c59381839016e14ec
SHA16b422d578deff8fc8400cf06133f823b82a9e9fe
SHA256eb348a212738b8bde873fbe400aa8ddbcb9c64407ce56a9c209115b077d8076c
SHA51253dfa81126a1465579bb28540eea0314515422df585629c67cfb54dc1ea430eaf2ca23371a7c1894274295e694c8fee8c8be4df739c2b2f9c62fb60d060dee3d
-
Filesize
223B
MD5e0f147a2894646d5e819c39b58168c19
SHA1c1cf87286429f44dfb9d67c85fe0ed4a67b2dad1
SHA2569947e643051ca0cfa9fa529ff6140026eaa9fa16a7cc2bba8e4babf6b2523778
SHA512d9d88ed18836dc00865d8bd1b384026d52a69144dfaf53586d93e1d6282b725ec244f7c2f7a0e2ca3e18b7e4467f39bbeea69320846cd87c6ed38ae0951859e8
-
Filesize
223B
MD54629d531ab1058779a6b001bf7e46656
SHA14825cf3c1f1d5e2cd725e46003cd0f24712371fd
SHA256a3bdc313edeef40189986196118c4ef7d7d24cd1c9f27112e7dbefdccab200d0
SHA512feca81da5d2d0b024535d7672c78df551979cf58b140eed10b0c45107d0770992bf72848226d49cf6074a999bb79dfd84a33cfe7614958439265560d395522c5
-
Filesize
223B
MD5f0c02e8f9b75b017f83b7cb3927b911c
SHA16ac550c7ada5e682dc9f589e55a8250404ff327e
SHA256b1b74880b39bc25a504401bfd44da2beb8fcc1d4625e85830458c66ed01cfab7
SHA512bb1aa46629d5a3cbfb6cae98c9014f7728ad6b1cbbc5b1269fbaa18f3f76f7598421176f0c18ac013e6922b4667eeb2d39ee165e7e59cef313cbd745ede506da
-
Filesize
223B
MD5020ceac3faaedbbd61b15e38e90d937d
SHA1c257b280c3c45714b1d2d524870b99a0d141524c
SHA256bcb1b12d51afcd75398a47f896f87a1f1b0d07ac3c27f372142654a1be62cefb
SHA5121f9ebd01105bb074a706cf4b5d002ee5f0c46acaffd367c01d944e3719cea331e9c4cc6d2aef9380e33ecf69eccf85dd4bd4bc3611828bfff583d8e877772042
-
Filesize
7KB
MD542a20167cbc5cd72ec940101a7673994
SHA13ede161d077f4f6ac28236d83172fcf718eb2b57
SHA2565f09c216e65af002e2619dcc37f67bc025a9f0d1154143acdfed759c31ea5643
SHA5127bcb3764f2c354de673562b2e7dccf41bfef69803c79ec062be2dae279cc48a86d81544a8407a193e776b85711d565b9792635aa77effa6161e0265df27b90e9
-
Filesize
36B
MD56783c3ee07c7d151ceac57f1f9c8bed7
SHA117468f98f95bf504cc1f83c49e49a78526b3ea03
SHA2568ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8
-
Filesize
197B
MD58088241160261560a02c84025d107592
SHA1083121f7027557570994c9fc211df61730455bb5
SHA2562072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA51220d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478
-
Filesize
1.0MB
MD5bd31e94b4143c4ce49c17d3af46bcad0
SHA1f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
72KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
72KB
-
Filesize
1.1MB
-
Filesize
32KB
-
Filesize
2.9MB
-
Filesize
1.1MB
-
Filesize
72KB
-
Filesize
1.1MB
-
Filesize
1.1MB