Analysis
-
max time kernel
145s -
max time network
141s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
-
submitted
22-12-2024 03:44
General
-
Target
JaffaCakes118_4889445f5d98098755ff2b0fad366259cfe061eb7e7968ff7b27036cf6d26d40.exe
-
Size
1.3MB
-
MD5
0b3349d9a879fe2f2e40dc2a1358be06
-
SHA1
b5debbababe208ce0523d6078080a616a738b4b3
-
SHA256
4889445f5d98098755ff2b0fad366259cfe061eb7e7968ff7b27036cf6d26d40
-
SHA512
04cbf123c194179c134e681ae70bfbcce3ec358cf66f057eed3fca561fbcc2fc36fa0f339a10e837b4d43c8452d828855ef1955227944786685efcd862b2c23f
-
SSDEEP
24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 33 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
DCRat payload 10 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Executes dropped EXE 12 IoCs
-
Loads dropped DLL 2 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs
-
Drops file in Program Files directory 8 IoCs
-
Drops file in Windows directory 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Scheduled Task/Job: Scheduled Task 1 TTPs 33 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 26 IoCs
-
Suspicious use of AdjustPrivilegeToken 24 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4889445f5d98098755ff2b0fad366259cfe061eb7e7968ff7b27036cf6d26d40.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4889445f5d98098755ff2b0fad366259cfe061eb7e7968ff7b27036cf6d26d40.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\providercommon\1zu9dW.bat" "3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\providercommon\DllCommonsvc.exe"C:\providercommon\DllCommonsvc.exe"4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Tasks\cmd.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\Accessories\es-ES\winlogon.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\winlogon.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\spoolsv.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\winlogon.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Application Data\sppsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\wininit.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Journal\fr-FR\Idle.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\System.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\7-Zip\spoolsv.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\services.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EBPhrmFs6m.bat"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:26⤵
-
-
C:\providercommon\winlogon.exe"C:\providercommon\winlogon.exe"6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Yvohz7Nokj.bat"7⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:28⤵
-
-
C:\providercommon\winlogon.exe"C:\providercommon\winlogon.exe"8⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tebxeZNirC.bat"9⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:210⤵
-
-
C:\providercommon\winlogon.exe"C:\providercommon\winlogon.exe"10⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LW19r029AS.bat"11⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:212⤵
-
-
C:\providercommon\winlogon.exe"C:\providercommon\winlogon.exe"12⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uLZJId2lFR.bat"13⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:214⤵
-
-
C:\providercommon\winlogon.exe"C:\providercommon\winlogon.exe"14⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uP802u8Cku.bat"15⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:216⤵
-
-
C:\providercommon\winlogon.exe"C:\providercommon\winlogon.exe"16⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HfroAScfQF.bat"17⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:218⤵
-
-
C:\providercommon\winlogon.exe"C:\providercommon\winlogon.exe"18⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\peQnm3nkJb.bat"19⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:220⤵
-
-
C:\providercommon\winlogon.exe"C:\providercommon\winlogon.exe"20⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hANH4lx1y1.bat"21⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:222⤵
-
-
C:\providercommon\winlogon.exe"C:\providercommon\winlogon.exe"22⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GN7B3lpeta.bat"23⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:224⤵
-
-
C:\providercommon\winlogon.exe"C:\providercommon\winlogon.exe"24⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5bc4V3lt5Q.bat"25⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:226⤵
-
-
C:\providercommon\winlogon.exe"C:\providercommon\winlogon.exe"26⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Windows\Tasks\cmd.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\Tasks\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\Windows\Tasks\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows NT\Accessories\es-ES\winlogon.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\es-ES\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows NT\Accessories\es-ES\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\providercommon\winlogon.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\providercommon\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\providercommon\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Default User\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\winlogon.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Application Data\sppsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Admin\Application Data\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Application Data\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\providercommon\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\providercommon\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\providercommon\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Journal\fr-FR\Idle.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\fr-FR\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Journal\fr-FR\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\System.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Program Files\7-Zip\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\7-Zip\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Program Files\7-Zip\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Program Files\Common Files\services.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Common Files\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Program Files\Common Files\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
342B
MD58f2f3b3f6c7ac764d6efdb7e9cac8776
SHA1f8cd0bc6629aeb667ab9e79101c4e4c8fd649133
SHA256971ab81b68d4f53d17c14eedb78709b1657bfc9c6b0190946595ca54620ce887
SHA51259c060037f337dc83b5d77d8b562d9cd1b75bac09f64746cf9a59d5932df976be68a3849b225ecdb5dc5fa93a97997f5e2e07b6e07d63906735e63489a94973a
-
Filesize
342B
MD53abfe4742961a81d615b803355d03783
SHA1a2d139d36261230f5b6e0f7382e0d12a148d2af9
SHA2566f97dfa4c8ce5c8e7989934e9d88de6e6e30ca0c1d002d0a17b4e6d95581de27
SHA5125e2e5a850a4a85511590ab460aec6e502f3cd4b6a1e002d991a2dd3dd2bee280810695b1559391d15f5b940d4220937b0b192ded7b291c891940db4e3646b41e
-
Filesize
342B
MD5db30f25d3ca4c216018a73f75a9c6f70
SHA111a56f6af15fd4840063a51786ff8eeca8348654
SHA25612ea174921808f53b4249815f038f0505b74cef487a88a552bb34eb6713d6864
SHA512150b4ac7969f41e47c1096228839d4163e75da285688d4e50c92d8d7fb6950299c19a3ef6dae730ba55da91c9db46d6737ef294a0e0e8397f962d93b9d2d2d90
-
Filesize
342B
MD548f0589a33ec4876db10fb15e04e31de
SHA1a897a92f37b3b168ee233ac04d4c60fe2c95e982
SHA2568eca9180a34ac30a94a690986076621936a6db257625574981124d0ac40046f7
SHA512a0b4515939f27fff6794a8e9a8bda37cb7bd2ea0dbdd18995f42090758d103aef5a81eb2ee893198bad4cf4e47c5ae4fb16bea4ae8df6da84ed8d75102a5bb41
-
Filesize
342B
MD5fe242f7084d6c277a7ee2ecedee0bad6
SHA104fd6c22a7c242c64e573707f070ff780711e8e5
SHA256dd4c0095b298cfa6eeb758d6cf0d623a7682a600f7351dae3dca62f67c36d001
SHA512c52e13344a1c0e2b5b9dca76452400b1c16783ffe2349a160175f86de0b9898276b9e86b0be9dae43333ccf2a3c31f7090d37c15a8c52bc1531f1e32bf5ee87f
-
Filesize
342B
MD5546a09b7fb8b40c77982ed45eec89e03
SHA1423e6a77f8cadfddc53c80a8b68b85c6893a546c
SHA2563df7f3e78f67836a313e6dbab858bd54fff92493a43ad5b33dd7da611232a33f
SHA5126973123e37131a33438eed91d97ac04415e6de6838a7f2a65f82cd285e7215293922bb5beec54a7070d0f532dc5e40b13ed25277d292d7149d6afc4789500e45
-
Filesize
342B
MD5ae176222b0924123ee1fd8360ea8c305
SHA1a12d2edd8b901aafa64c214280fd14f47b058326
SHA2561fd37468ef1209408f63b253a6d9ed7770578019e78898598d52f3b5a680ce4f
SHA512219ecb4acd11ff0d953ebae7b9d9fd388da6552cb502ecbc35f61e8559fa754f2d77038fa6f4f4b481e8b3f4c93003492ae9fbdcd183fde8898bb9975b2b17c6
-
Filesize
342B
MD5eda6f6a436f46e14b68f63db9be98a15
SHA160f6bf6ebb25ed9ee502d51f0e0962d9f7c3e2c5
SHA2566a379f84efdd95aacf90eb40a24c67f6e2463f8c974060e03facac8059c2144b
SHA51284620157bfc8338aeadd6f7c0a8262b1442886cc9e7cbe4905eaf7154d9b7920c58244247587f6824cd80e06b2a818ea3dd9b74da01a74d4dac55d6405552f8f
-
Filesize
342B
MD5a2f82b133227a0385f9084341e9262b0
SHA188494159f551fc82c6c59a7efeaa7cab1f7877bf
SHA2565da277895a102bdef33833177a59af0c65d4098dcfa55366bba01c3694a66295
SHA512e4621bde2099401a060c4df32f57f08352c56eb19f8088c2683461196b441a4d71d83238e1ace299d0382b9ed0e7e5d9120fe0b48849cd33440baf5bdfc3f679
-
Filesize
195B
MD549b71091c8915471419a8153d7b4895e
SHA1852d5a4512eedb679f57d72028386ba8bec3bb5b
SHA256c3ef724ba0a68dbdc1e22f851f597a5bef1a8cc73e81d9d9ca2852f0e4d9ab60
SHA51264b893c00033625ddebdba3e296c30f71d6c54a9f0ddbee81df999a810c0f6fa56703218a3fe2877952567678392a6fe623075fd4fccb182b2448ce3f963d682
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
195B
MD5252c6b4b8afc79f7e732412337cb1086
SHA1634fd6ac900fb5962132fef10278c4cd636f39ba
SHA25661e7eb2512ee01eb7be94a5198618ab2075d997e02abb3e70811efde87201b5a
SHA5129cb9b3d54867d493be009d57e3b2f7eff1fae5681989f3634d86b49af001f3016c6395ebb5a0bfa631c0570d583f51e47c1375329d5e564111a57f4de37f0d22
-
Filesize
195B
MD50e417e877bd5c8199b01eedc470cc36a
SHA1881a53b8c39d03868c2754219e4e6516c671cb48
SHA256cdac1dc24c9f32f6b771d3e8b7578c46b7bf8638629067d3563f58e2f7110b2a
SHA5120d84c8457eeacf4bd48ee15e63d132d209bcc9327492fbbdfab44a287a90bf30c222a79a3aba278dd82bb20758e535997443f4a77aac127f099f96d3caf81257
-
Filesize
195B
MD5a1988363623e86a99ede91e67464abb8
SHA1380e087eafade61df1fefcb6c16a1362037f8f1f
SHA256af12836125fd3115e2edf434a87e2bea9901054f7c12039dcb192433f34c7fd6
SHA512361a23ccd078361f31e4a6445f2ba522a56c8cb3b8960e901c5fb66057e1ca83d5e657cc16e4c54e4ca2604cd996a1133d24aefffea32a95ae721279ddcc9376
-
Filesize
195B
MD5d045137a424ccb8d0b54fc3b93f20044
SHA1295c96040aad297b5f5922dd2ca9e741b9bfb3d8
SHA25690b3053a328240c8513253dfc8e984afb046dfc95ad70c0ae7ba90f946bd07a6
SHA5126e38a5073d4b5d703d64863941d0e6c3cf46e192d7a120758c23b69ad74204984cb51f666c963bd5b635dadb36fafeb578b92fd512ce79d8b5a5ab74c8578e5e
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
195B
MD51a2ae90de296daced564ba2dec078237
SHA1c77f16c5cce256f10692f6391bca89960dc1b9cf
SHA256477f9e1a3459d7ea0c0cb24b98f2ee0343f8055b59e9446707224fab825d5b0e
SHA512f05a6e2b253e27aaefc69f06781de1e0791f63364a4bdcd2813fddaedb046feb7989a489d8287ad352ff8e2a156a58efd898cc9bce7f32f4857a1055199869f5
-
Filesize
195B
MD51d75248d59d64a786e4e63c42a4184fb
SHA1f958606233bd499a0bc13fa7bd36f0b452f370ea
SHA25607e467588363bfd036d969e16cb1e3eaf4ffe551c2e176f6707949c3788aafdc
SHA5122db4edaf0e884a7f0a57de1ed2a7b986087743ca9596c01cd93fc17ae303269d79e4606e43e6f43124b60d5f8a010a1faaf07018c10b8c51f2b990df4e19b084
-
Filesize
195B
MD5ddd937cd4ffb0ae2515f70ee069866b3
SHA12d1846361915b9fa143c4bd1f1e0574c2168b2ea
SHA25674f794df39e4878ab266b545887d1e2b14748767d4c0327e3915c7a9730d5ba8
SHA512fe032c63ad8e11b37662fedbff68a8ec057f5f79f671b73b6c87632fb0a79427509585cef36ab396fe8849dd31a59f9c8145f7829b7b7ab5b05875526f3b4e2f
-
Filesize
195B
MD55a0ede8b8258212bfc97993a353b9a71
SHA185f4493041cc0b816f35be91da6969fd221cc6be
SHA25683121e1c20319d0d84f7dd8ad0ceae7c7b2f1f4ec004c7b03024e8b91e4275ab
SHA512158726af85278f4b4fe25b1116eadc412ea7dce4653ab92c7e3c6aa0f56b7e00b6f7313781dd50ddde02faf562e0571b00fc6314328349491919979db68caab4
-
Filesize
195B
MD5ac9f74203793c3eada82c2c48b18d15b
SHA1c984fbb792b5cc0d1fb12f95b584235af6967e98
SHA25635448dfd85e8013fdaa118b97303442a3392460f654f12149b885a428aae89dd
SHA5125740730ad6aaf5a26e48eb5940ae150198c3a413a3c6109cdd84dca7107348798760ba35ab724a661e28dae1f9fdcbb93de7635a9aaf8a13e4fd2060df500c91
-
Filesize
195B
MD5b078ff734edc6316f7814e41d0a0ea9e
SHA1eb23032ff8e677de6b27b84044d0595156a937a7
SHA256c64d8fbfba103a792936ba67c908022078ea24582f3666fdc78e502f384bb56a
SHA512689492ab2ef1b9990d93fd8f6a4f704d1de7658133d87f4e14b6df037ffec62aa9b1d2162bc6791fbe2ec20312b2d4383dc5a93beda0c7956dd60ebf6b45ed7f
-
Filesize
7KB
MD5c9ba92bab04ac94b044e5e1dae602b35
SHA11baf55f12dfa3857d8a37772ad477bb3920b1a26
SHA256af55cf97008da612af6ce1880819935279351236a1cf4ca59d10442d14bfd75d
SHA512634a52026d9bfd69802479611ffb68b450917277814be15227ea98dc21213a9654bfbbb2fe08b2d085557d489df4d2ec2e03b82bcdc26631d918a748131f8724
-
Filesize
36B
MD56783c3ee07c7d151ceac57f1f9c8bed7
SHA117468f98f95bf504cc1f83c49e49a78526b3ea03
SHA2568ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8
-
Filesize
197B
MD58088241160261560a02c84025d107592
SHA1083121f7027557570994c9fc211df61730455bb5
SHA2562072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA51220d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478
-
Filesize
1.0MB
MD5bd31e94b4143c4ce49c17d3af46bcad0
SHA1f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
72KB
-
Filesize
1.1MB
-
Filesize
72KB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
72KB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
72KB
-
Filesize
1.1MB
-
Filesize
2.9MB
-
Filesize
32KB