Analysis
-
max time kernel
143s -
max time network
138s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
-
submitted
22-12-2024 03:21
General
-
Target
JaffaCakes118_fefe964d083cc9aaf22ae6b31e6ac62c6a9928c3b3901895fcfc749055f8f9c3.exe
-
Size
1.3MB
-
MD5
76e296446f83da9d2f3f531a5f77a344
-
SHA1
cca0c587bfbafd87e2263e4ebdd23f18a7a38c05
-
SHA256
fefe964d083cc9aaf22ae6b31e6ac62c6a9928c3b3901895fcfc749055f8f9c3
-
SHA512
ecbb6de0ec10355d0d197404de42b1c6e8904893dd59cf6410d0080f9326aab7d519fbf9903cb39505b47972bcdb5843c67ba64e213f235396fcc7738d7614bd
-
SSDEEP
24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 45 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
DCRat payload 6 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 17 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Executes dropped EXE 13 IoCs
-
Loads dropped DLL 2 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs
-
Drops file in Program Files directory 7 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Scheduled Task/Job: Scheduled Task 1 TTPs 45 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 38 IoCs
-
Suspicious use of AdjustPrivilegeToken 30 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_fefe964d083cc9aaf22ae6b31e6ac62c6a9928c3b3901895fcfc749055f8f9c3.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_fefe964d083cc9aaf22ae6b31e6ac62c6a9928c3b3901895fcfc749055f8f9c3.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\providercommon\1zu9dW.bat" "3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\providercommon\DllCommonsvc.exe"C:\providercommon\DllCommonsvc.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\System.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Favorites\System.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\cmd.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\explorer.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\providercommon\DllCommonsvc.exe"C:\providercommon\DllCommonsvc.exe"5⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\7-Zip\Lang\System.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\lsass.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\lsass.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\spoolsv.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\OSPPSVC.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Pictures\DllCommonsvc.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\VLC\hrtfs\taskhost.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\spoolsv.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\System.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\Accessories\ja-JP\services.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\dwm.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XY5uHg6WI2.bat"6⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:27⤵
-
-
C:\Program Files\VideoLAN\VLC\hrtfs\taskhost.exe"C:\Program Files\VideoLAN\VLC\hrtfs\taskhost.exe"7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZmgdUlucqh.bat"8⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:29⤵
-
-
C:\Program Files\VideoLAN\VLC\hrtfs\taskhost.exe"C:\Program Files\VideoLAN\VLC\hrtfs\taskhost.exe"9⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BikqvEHWfW.bat"10⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:211⤵
-
-
C:\Program Files\VideoLAN\VLC\hrtfs\taskhost.exe"C:\Program Files\VideoLAN\VLC\hrtfs\taskhost.exe"11⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\04VLARgLyy.bat"12⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:213⤵
-
-
C:\Program Files\VideoLAN\VLC\hrtfs\taskhost.exe"C:\Program Files\VideoLAN\VLC\hrtfs\taskhost.exe"13⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LdHmevWlG3.bat"14⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:215⤵
-
-
C:\Program Files\VideoLAN\VLC\hrtfs\taskhost.exe"C:\Program Files\VideoLAN\VLC\hrtfs\taskhost.exe"15⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lHuJ4aKJis.bat"16⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:217⤵
-
-
C:\Program Files\VideoLAN\VLC\hrtfs\taskhost.exe"C:\Program Files\VideoLAN\VLC\hrtfs\taskhost.exe"17⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xZLz5Ote6t.bat"18⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:219⤵
-
-
C:\Program Files\VideoLAN\VLC\hrtfs\taskhost.exe"C:\Program Files\VideoLAN\VLC\hrtfs\taskhost.exe"19⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jaxwQXfGLd.bat"20⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:221⤵
-
-
C:\Program Files\VideoLAN\VLC\hrtfs\taskhost.exe"C:\Program Files\VideoLAN\VLC\hrtfs\taskhost.exe"21⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\V9nTU0UPEK.bat"22⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:223⤵
-
-
C:\Program Files\VideoLAN\VLC\hrtfs\taskhost.exe"C:\Program Files\VideoLAN\VLC\hrtfs\taskhost.exe"23⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\grdey4A1QM.bat"24⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:225⤵
-
-
C:\Program Files\VideoLAN\VLC\hrtfs\taskhost.exe"C:\Program Files\VideoLAN\VLC\hrtfs\taskhost.exe"25⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oqEnL4f5pl.bat"26⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:227⤵
-
-
C:\Program Files\VideoLAN\VLC\hrtfs\taskhost.exe"C:\Program Files\VideoLAN\VLC\hrtfs\taskhost.exe"27⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\System.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Favorites\System.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\All Users\Favorites\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Favorites\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\providercommon\cmd.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\providercommon\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\providercommon\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\providercommon\explorer.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Program Files\7-Zip\Lang\System.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Program Files\7-Zip\Lang\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\providercommon\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\providercommon\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\providercommon\OSPPSVC.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\providercommon\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\providercommon\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Pictures\DllCommonsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Users\Admin\Pictures\DllCommonsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Pictures\DllCommonsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Program Files\VideoLAN\VLC\hrtfs\taskhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\hrtfs\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Program Files\VideoLAN\VLC\hrtfs\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Default User\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\System.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows NT\Accessories\ja-JP\services.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\ja-JP\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows NT\Accessories\ja-JP\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\dwm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\All Users\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
342B
MD5e3618123c15ba0dd26839e070f2e3d82
SHA1a900d6428ccf247823799e7daf7f657b1acbdd32
SHA2561c83c7b5c9d1dfc7a2fc62e20b916dec7de510d47b1e39578750cdd8c34d73e7
SHA512a420db8b3836c86278d7c9db8f200e4969c393220469c08868012a0f6c88139ed385743dc8351be1059571e9d9de7e83c9377a9707a2976ea2c8b6072edeb3af
-
Filesize
342B
MD5f7298bee69b3e2c78fcc00e48a07fe60
SHA1da72f895dc5e731633406ff6fe5b60e2f4e515a2
SHA2563f03a9a00af81e61391014c65855087f0ad7198dd3787831f3c4593b059f9e01
SHA5121e12c8192f4c8ace1f38bbd49bde2891ebc4201852fd894d756f2d76e85055efd2f2199d264860fea4f437fd87a14b1a90917367fea7262e495b142a2ff23b0f
-
Filesize
342B
MD5f1abdac75ce058c210c6b75901b5d32a
SHA196d06acc01cd5ee0091baa554add66b2d52b02ff
SHA256974f91fd0e4950f7db1038d809133717c27fb959cfbb92d5648ac123547289c9
SHA512e24b8853bdfac293e0db218e9973042088a121a5672bb6d8c3ceaa6ad87ad4a397d1cee1199acf8ea64b08e19caa39b68d9f366314c632b59bb712ec48d22b16
-
Filesize
342B
MD52012ce5301c74eaba031ec57b6f4eea9
SHA19fa1757842f31c4bc606725e27b1a3b5dfc3383f
SHA2568656b2f3350d6bd53dfbef110b50ddd6b96a8e6e14dde84dcc08fbb5035c7eaa
SHA51242d527c1fd1df36d607e2dc237e1c8d852bdeef5b978fca19b23fe6e43a642ea32ea990a7c10615f754de1696706e3fd86ac9282643a763f2259304ef4d84c2d
-
Filesize
342B
MD572a35205f207d8554a4eabe5153ed50a
SHA1c616f56dc0d8870f4569a5b2ee19ae0b9b8f91fc
SHA256e86b833e57702ef82ccba60befc8be2bacbfa307945186a037c1d5b5e5f2b74d
SHA512b6a342f6707ca6053718e6b07b05b97ebd5b4194180cf1ca773e4332b09dc970c4e6bdf4ee391442f32b3cf1dc3ce7b22e62c1e36737a9725a305cb31856de5a
-
Filesize
342B
MD5e6b330757dbea59b8b46f6783cbef8fe
SHA173742b071155a7c1ef47f3118c824be083cef1e0
SHA256769e0de8b500581e1ba4257ae0fe0f670976e0ac0d12f00d268e47318ff09f71
SHA512f0a2485138d80ced3d9f45b7f89fc9b7cbdd411d902803182af028562793af70e69c71110d70476597336762557ae758e4c8cc7a021c2c6d01541137ecd4b2ac
-
Filesize
342B
MD565bbd0e4faf8906f9adfc7cea27f3832
SHA16caa7ac3ac79f2da9cb9d83084b642bd983fa854
SHA2561e5b66af9941fe7b4f80bf4de16799a8583270366b9716ed725559b8c1f0bcd6
SHA5128e4dab5c5d1960259f1b2568ae73c10b8326ff54dee2a0ed4edd9fbb17519d46c9ef2ef0a4231524cee96a2f92bbbb5232277124c1a06c2994125795d1efc2f4
-
Filesize
342B
MD554e9cac38a5f163b92e5242ab81089ac
SHA186fba24cb47d9c5a1548448de8de11c7cfdc2219
SHA256755d792008c7d60721a61465df3891d51e39cf37224554f5cee9ca1f7d65dbe3
SHA512e4bd7628295570b0c97bb88a53547678b3ba8d7028786dd967347524e0ca254ac705ddec1c156e103e5a088bd83968cae2ab5e71729a5fc08beb2ad941833b69
-
Filesize
342B
MD5bf381489d60b5beb18f6258ae66f8164
SHA11ea8f0a318b548422b158f6be3f8ef7b999a302d
SHA256ab0e637b72a2faf023dc6b4ff036913a0323f2a8e13128973b8484427d44072a
SHA5127dc64430ef29bec959c5de9b21ff906e1e9733bc907a8b27d13d2dfad4da5d4d5185babea431b6bc8d4f2aef5c0355c0c295c76626a538125116ea8aa2ae847f
-
Filesize
213B
MD5e5b493d657489d3b2fc9a349a89bdd42
SHA198e080f7bd20f12f7b397eba11c28564eabdf4c8
SHA256f9043f4c635c045002303edb952d1b3211bab5859d5ec6fdf1f487d8f549197c
SHA512f1a07979d45c9b6cd14ad93e665757e306a4098d7830de7d078d0c9500693ebacb21f3d85cfc35b5723fa532b6680fe72b1c48a384953bddb2d10842f6741546
-
Filesize
213B
MD56b314e7ad2c9214e436de179ac39235a
SHA1729c582c1777caa83fe075550afb7f2862b31d05
SHA25644e7d508fd923ce87fea16c7feddd97b1adf1c3b5de0b481741a6618775fa1a9
SHA51241a882beb3b07556195af3b47ab731886161e098ce3d01b0fedb4c5c72e83803a16946dbc6ac4b0a58dab0dc32f872c7f83835ac635c09b1edd4495b176a103a
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
213B
MD57a2029512e559475c6d0615d28e918e5
SHA19bde901efa986b3b0bf83cb591d3416b0544a4fb
SHA256e9868e8d63fca12207640c2ce2ade421b646d3d2e88eb2aea8581259296107ea
SHA5124976fb297d3afa484e377a51a5e0a7075b2312eb3e9dd4de3f27522865585bb6179b9e3a60658f914c6707df744fe11ef043ea6dff0883ac66b870cfef73ae55
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
213B
MD59cce35e21fc48a4a983bb86d520d23ab
SHA1570ded0d3060b03cff61d174f9ef3dfdddf79b05
SHA256f5a8663ee03ced5c61cb44e435f982b11801134b40ce2f746805009ae6948867
SHA512d0dcd737e03b558134e5ab0287be9b1a3c1111df30cb8a9960ad4012b4ec975e4de4398ada23161a6a7e60d1d42d96b1ba0d9135439375e34c7203c49573bd4a
-
Filesize
213B
MD5ad484b7ed0530ed0351687a85a691bf2
SHA19aa511714131ca04e1abbd34443d35292a12901c
SHA25696b762ca4aca4cf64107b9c9f30906d258ae82fc3b1c82ddd3bc967c21bb81c3
SHA512b7fc5a2e466f894b7e72f313190086aee24535bf6ba170b5310a1eba67fe3c717b38f92be270524e3c9880c17bc87591254cac0a252d82cb7e28e21768a85090
-
Filesize
213B
MD5af36fae7294ede396b2b6544f5259588
SHA15a7aa29f8f0d9b7cb6ea60568884eff29de03ac6
SHA256abfa89bfa9960f7f4e730ae1e39df9418f1ca12e31d7acace64d54f1ddfedf2f
SHA5128c0d69eefdc7608c90a35b13d1655a9d89d5dc538596bd3ae241b59e3fc1976a4cbf3801bcb9e9e055d39543a3a18503cfdad6ec87da7e610289060c6c48906c
-
Filesize
213B
MD58f2bfc8bfb8a62385442b390c669f54e
SHA16271dc9e96f331ec68d8e825241674db52ff1814
SHA256e5e6917ed7e7675777f1aa963b17e475b2e5f4e555b5c4cc5b09397ef58553ef
SHA512d832b87afbdf4c5658fab96b0b42e28c38131872e531118a6f7ac624a37d20f92e64f7584eb309d9ae09b2c6bb291ff0d3a28c9debd165219690d19e9fde00e0
-
Filesize
213B
MD5c0447e74723332b8cdb5a81705bce100
SHA1cc43607d6a90c7affc0ded748edbef5bb3384091
SHA2567b21481216cb74879b564381373cfa1389e4cf67b3f1c58b8f15064c20c746bc
SHA5125167d4a6c38d3730cf37179646c98f24e21b9aa10cc97a7c332db02630110f755229405d5f5ee16f59b05590b12da026981c78aff4e6848f345c77a19651fe45
-
Filesize
213B
MD575715ebaa600c63d04968a612fa73a74
SHA19b861548e1f65ec96269a3e08ca5296c795494e5
SHA256c95a831560ef7aa2ec049e6a4d56c257080d40dfe298cc0ef71b5861f0f2d445
SHA5123559b325118eb8967abf1672a9a5716d9e4d70198b37c88f3566e56d1cb6ee9838a283a8d1a4b1d6bc987ab1dd92ec5b977be839cfe5e5a64f0f36a9d3c8b899
-
Filesize
213B
MD5dbd71268263cf78eb2cef3837b4bf575
SHA11c302df2cd6063810be08dd5452b828dccbc7b9d
SHA256e59d98386a80262dc674c107da3fc9e64bebf9b94454f181e8cdc92d4401b696
SHA512c7b4450b1315422db0e0ceee0ecb97e48d30e5da8a96f32a268191fa744f6ba3c8a3993f6cd0e28f4ccdaa47c051836c5edc3afa51923d228791331c8a126721
-
Filesize
213B
MD54983812767763f6d37a31fc59199025d
SHA18c26c8997a9f5356984d565c8ef9471eb3b4dafb
SHA256f70e4b468cec568b365e9ecd53c39cb08e44af2bafff598b48a6f45260db2bd4
SHA5123ca944ce5b08e8bfe06aeabfd914b6751e4f831dcf84235b27570465fdf6a4fb13992d6da24f0470781dac8d4c89802de0e165a48c8df34450a9e760add33c72
-
Filesize
7KB
MD59d69628c8492b8acfa024796f966857a
SHA1c700f786dd5805a755dba5bf5f11d1740dc0af9b
SHA25634494970f031491b23d394bb2162ece944dfc94baeb342cb8f6e450f0240022a
SHA5126e7527c19dd7e9566faafc49d43ddd6646cb848554a6be0ba7a2726cbbd1c45a734b907b9baaa1b66ae473d616c67fd6324b46ef04911ad34bce83b2da2ee49d
-
Filesize
36B
MD56783c3ee07c7d151ceac57f1f9c8bed7
SHA117468f98f95bf504cc1f83c49e49a78526b3ea03
SHA2568ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8
-
Filesize
1.0MB
MD5bd31e94b4143c4ce49c17d3af46bcad0
SHA1f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
Filesize
197B
MD58088241160261560a02c84025d107592
SHA1083121f7027557570994c9fc211df61730455bb5
SHA2562072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA51220d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478
-
Filesize
1.1MB
-
Filesize
32KB
-
Filesize
2.9MB
-
Filesize
48KB
-
Filesize
1.1MB
-
Filesize
72KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
1.1MB
-
Filesize
2.9MB
-
Filesize
32KB
-
Filesize
1.1MB
-
Filesize
1.1MB