Analysis
-
max time kernel
149s -
max time network
153s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
-
submitted
22-12-2024 05:34
General
-
Target
JaffaCakes118_7c4bf30b2b629443fe82b13d0967256df330970de29a5c1d288457bbdade8d0c.exe
-
Size
1.3MB
-
MD5
aab25d785c73c3226169d35df1978db4
-
SHA1
115205d044653e35e04dda210f6f2d6d523b78be
-
SHA256
7c4bf30b2b629443fe82b13d0967256df330970de29a5c1d288457bbdade8d0c
-
SHA512
a41fec43e597689f2000c863379a2df52f3e4c68935ce26948bc146da52af17397fbe5ac576d139890b3ecbd4f5c19a6938a5846bbfb588d6e73aa6c2119f26b
-
SSDEEP
24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 42 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
DCRat payload 6 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 15 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Executes dropped EXE 11 IoCs
-
Loads dropped DLL 2 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs
-
Drops file in Program Files directory 12 IoCs
-
Drops file in Windows directory 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Scheduled Task/Job: Scheduled Task 1 TTPs 42 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 30 IoCs
-
Suspicious use of AdjustPrivilegeToken 26 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7c4bf30b2b629443fe82b13d0967256df330970de29a5c1d288457bbdade8d0c.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7c4bf30b2b629443fe82b13d0967256df330970de29a5c1d288457bbdade8d0c.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\providercommon\1zu9dW.bat" "3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\providercommon\DllCommonsvc.exe"C:\providercommon\DllCommonsvc.exe"4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\WMIADAP.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Mozilla Firefox\defaults\pref\csrss.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\ja-JP\System.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\spoolsv.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\Idle.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\winlogon.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\sppsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\cmd.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\dllhost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Panther\actionqueue\lsm.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\explorer.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\Idle.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\DVD Maker\fr-FR\Idle.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\jre7\bin\dtplugin\dllhost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\dllhost.exe"C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\dllhost.exe"5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KRs2fZV4we.bat"6⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:27⤵
-
-
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\dllhost.exe"C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\dllhost.exe"7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SzaURWjxsM.bat"8⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:29⤵
-
-
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\dllhost.exe"C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\dllhost.exe"9⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\niOj6yjqzp.bat"10⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:211⤵
-
-
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\dllhost.exe"C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\dllhost.exe"11⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VF9LbKHiRa.bat"12⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:213⤵
-
-
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\dllhost.exe"C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\dllhost.exe"13⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uItNEyebdJ.bat"14⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:215⤵
-
-
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\dllhost.exe"C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\dllhost.exe"15⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WzmeI2KvQx.bat"16⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:217⤵
-
-
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\dllhost.exe"C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\dllhost.exe"17⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zDcPfnAXs0.bat"18⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:219⤵
-
-
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\dllhost.exe"C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\dllhost.exe"19⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\v65NgynF79.bat"20⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:221⤵
-
-
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\dllhost.exe"C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\dllhost.exe"21⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5eI0Zh92hY.bat"22⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:223⤵
-
-
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\dllhost.exe"C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\dllhost.exe"23⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QVLs15dYuc.bat"24⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:225⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 13 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\WMIADAP.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\WMIADAP.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 10 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\WMIADAP.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Mozilla Firefox\defaults\pref\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\defaults\pref\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Mozilla Firefox\defaults\pref\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Program Files\Common Files\System\ja-JP\System.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Common Files\System\ja-JP\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Program Files\Common Files\System\ja-JP\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\providercommon\Idle.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\winlogon.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Default User\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\providercommon\sppsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\cmd.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Windows\Panther\actionqueue\lsm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\Panther\actionqueue\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Windows\Panther\actionqueue\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Windows\Resources\Themes\explorer.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\Resources\Themes\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Windows\Resources\Themes\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\Idle.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Program Files\DVD Maker\fr-FR\Idle.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\fr-FR\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Program Files\DVD Maker\fr-FR\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files\Java\jre7\bin\dtplugin\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Java\jre7\bin\dtplugin\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files\Java\jre7\bin\dtplugin\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
342B
MD583364024a44fbad010e4b4622932c134
SHA19a7f6ef07babeea6772e96d025ce5ab5501d01a9
SHA256c349268c3015c4b9de72b779b2a31b572e33af6ffeb03a336cf959e307a1877a
SHA512f91b94d8592647377c6aa29dacbd2a82430e9a8df6da136c9c064f860213d4a1e7c30805acf45f81067c814903c921d866c66c54e93c14b3ddf5a68b0aa7ce26
-
Filesize
342B
MD578961e4a42e7abc6a80726e9cc6559c2
SHA1b410954694586fbcbcbefd1b369dfbfaf22f728c
SHA256efa889dbd6f2638b03aaa5877f8a19ce83ef3a7d96d3d2a1500671dab1509524
SHA512c6bc254f6d6278baa8addadb98c31902b4a191083cec5d685b37f09cba7b26fe2795281626711e776cf6856963cb699d587070053f0668fda53501078a4137d7
-
Filesize
342B
MD51dd37e8ab33fdcbd92358c75d968f101
SHA1cb865dea86512a80efccdcf126f81defbe7e00ff
SHA256aec5d75bf0ce28a55ca8725b44c943843145d68de49872a93ef789c50568a1b7
SHA51275cccc49420d7f8b99e51c3e7e52986bdc493fb22a9418924a24a137c93a931e5d040a903d2e27096981a5bdceecf4c58885fe9e0c3daf5b5a9f4258e70b6a78
-
Filesize
342B
MD51dca10af0bc4d2947075fb52a5e4eaa5
SHA1138666fc454cd6d409f26b1bc56b90cc32bb7275
SHA2567d9f96bc265108bc73f0b2ea1accc657b71fbff96b275aad2ca9181750100794
SHA5128599a8cba7b3d4dd4cf06b1b03116a0787ec581b922ff674195c491ab75eb1ac08d866647ed1e512e50c9f807370f3f944ba55440f3635f8a89c8818c1b2caa9
-
Filesize
342B
MD5e2e794d53b7cc0aafce2c1481f0d0d05
SHA149cb2e13fb6003d66761d5bf898981a209eb3449
SHA2561ca947ae969e129c0f0a50ada747e4e83870ea55891d3bc787f1e84815c0e933
SHA5124aba669ed030a42e28197527d2741032986a4feb56f6e1f979e92d0dda36008c38838aa6c5a1f727eb94cecc193adfbba956c59b97d43d6f1c6c1dc1a8676e70
-
Filesize
342B
MD5c707ad9f9989a69960f61a0f48efbc84
SHA14607bb12db184ce53227c3faf4a106d5e1419b76
SHA256ffc2465088152578b812368b4f5cb6ab624c74c8dad212c9f4751238fb6b23f4
SHA512d036875f97df6ddd5bd77487579e3e75fd9ed69b96a00a2315c8f4505fb80dca33065f85f15520ca18d11e9c9abba3e924aeb0da9323f879c564b04d4da88406
-
Filesize
342B
MD5168e52e54445651222c9b3dd37579c54
SHA1348a1a0cdc385d37b14483e266fec95e88171343
SHA2567343ab806b01665da501150c5bcfc7a77f71c6e9d0443604be68afd3f6dc6d9b
SHA5123d09f384916680cc5bcfb43cf8b15e88ba1fb9403efe330d463c0bce261fd5a6931c16ee5440abb97e93eb20e7332e59fbc7916cdb7118dd0a5374b2851b6b1f
-
Filesize
342B
MD5a47534e63930018223cbd9a0501a4702
SHA1f2b0123461a9fbed976e4088dfe69b8d40e25b44
SHA256cd54bc0cb734532ac28c86bf6f9232635f67d6cb7ed9a61c6b8fb836ba0ff56e
SHA51267667486b23c67c966bd3f28179d0681933280af236d4169562d7670e1d27c11492420afaf1cc713aa3d2719df56a631c8f8a7be3720a8ac325138a1d6f77577
-
Filesize
342B
MD5068eeb33872997f5c8768c2050ca8d13
SHA1c22cdcd7dae76e6aa500fb6b2360689d3d71fd0a
SHA2566e71f012277593547089bc1abce8e2eaa5807b0140eecffc429e8efa4fca3b85
SHA5126aed45f90579e656b41355f331c5af1b2e5c5ae005a8649066b0f635ce36b85dab21e84a734281af794a7aa0f58b4da70e8553341000acb8157a7d31fa23189f
-
Filesize
239B
MD598a05c75b9580dc87a00ec8ed35b08f5
SHA10cd9843911023e23384dae3540a8ff99373166f7
SHA25611971d0ecad87693d8aab93deaf5cbd7fa1eeec8058579d90137ec59246f7d03
SHA512604da239a159676c3609c37ab48f7cd5c45ff368bccf627b2f66a817999bb66dbbb9914f6ea7105aaf09e7ae2f511892a306428affcb1b2fb49bd56444f950f4
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
239B
MD51df84b50382dfc23e34f02a82720036d
SHA18ca3a1a9d7269d082a6fa0b8c6e2d8e2dd49b663
SHA256ede2a6088aa1f99c60586de5a55aaf801e804aef8e96d0f5efa553910cb5772b
SHA512903bb550aa0b0864911963bc9ae99f624d479aba342abbc66b6244f0108fe2bfc2e948c560fef9784512dcad1c421e69e07525fe7e172f407c66a4611203ef16
-
Filesize
239B
MD5421a5c1a8d224c365fa6176f023732b6
SHA139ca1126a31771b135bacf479a8f67ed57d43713
SHA2569e294afd093f207cc36126d12c4febd209732c28a16801df7c04240c1933d10d
SHA512f2ad07b9064a6f0d3bbdd636352d69e517df8b3781663ee3eea886a8f023cfd2db552cf740cd53c577dd55deb0a159d16e5bb7da4d742e7b59ecd65de0f2e158
-
Filesize
239B
MD5c8d827eb500f39d71231afff340fed7d
SHA1a5551a039dae5165ce79ed76a918d342b250d6bb
SHA25632c0bb4b4184e8210de13ff1a066e3289197fd81e79654c1233d4b8fa6b030f9
SHA512a569cea8f0135382752f61b713b93f1eebce6c769bed2c908587edcabc7587113e9035ed7b01764e9984113f88cb50999fc4dc6a74545067dceb75a9a1f117d8
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
239B
MD5d2f4526ef0feea0300c0e5d762ae111b
SHA1bea9f01504ef19c376048c3a8d3c2a9bd58b4641
SHA256afd72c04264768b8381a5658b8501daea4a58c1e2d9a68913996c9f394517da3
SHA512284f601b0e0e797ee3652868c7932c59f96f7529cecf934b0ea2bec82017e1eabcf50a2959fbeeb5a4f4d4cb105c1851268b38c6d701b40629c462b65fe52a17
-
Filesize
239B
MD57cdd7d83cc87abe90eedfce5ce7f25a7
SHA149fcad729bb1e5ee91d1c686e81018b27f4605ae
SHA256789727ea40eb8749d417884f90a96d24ab0b73672da43854c2dcec9c65d578f7
SHA51272b5d998348990a2752216d4611582d0b94488d247a815f0e34c9e28ae1ce3e440eb04467d32a94c0d223e815c30cbe41276369a35e12e6635b7e4830a35c463
-
Filesize
239B
MD55ab2fd3ada77632a50c8e87d73d9d750
SHA18135d1d59a994cdc6988ad605fbdeeffe4fe2d3b
SHA2565e04a7d4ac775fcd2a7f469d478975f255aba274bb54cd980080690ae849a111
SHA51281bf468896c03cbdbe0ffe47e20eaa965f3ce23e4dcad65026cad871efb796f25fe39596cd7650dfb31fa642415de4f6790acba5f5a1c2bc8a75356e4ef02cae
-
Filesize
239B
MD548fa8dd8420de94c94c9403ecfaa3042
SHA128ddac4cff42f29d1c6845d194c8d4d29a8941ed
SHA25680478d78d2e8abfb589197edd74ae2651501b6f9f9c99a9cfd06218205b4f42b
SHA512fc5c6b54e8e97452ec5828b84d199b9826aa801fe350b2b1a5700eea7db7ba0e64c7935b9ea2c5e7749e5e3da9119cb564707cc485dc453bc126f81d2bf7c510
-
Filesize
239B
MD5bf0cc7aa4713143ecf3dd0de6493ba66
SHA171d4d43a2710171d0a2d93ef6b8d6d7101889795
SHA2565cc08ba17680e2dbf5dc2b792dec3cbfb8900281a1748fc40c119a1f873f652b
SHA512b21095b10a0693cf29e9b38638fa761e6bdbdcdb2ed6bbf2a4d959ebde1678d9c204dd52bb4173152c972846d244159ad530ef652b2b70d7cbb547f955f1a142
-
Filesize
239B
MD56f20a69be0dd6641f31207ca7c1a1d51
SHA111c7f26cea4279219536c9193d393bd56acf247b
SHA256b101008e44c48b30af88dd235535b7e20ee956a30bcb90f962470556db35fe14
SHA512c55673df78a6418589160d7ca5c719ab2403c7e1d0ae59db855072088d554b62bcaff73c4f261bfff2f348ef40f61d9acc947e826e13b99b13c5eab1043e88c1
-
Filesize
7KB
MD50714977453a7d82f4d885651b642f97e
SHA15fb801f48e1e6541deb5b155cb3199b99d3db2d0
SHA2561f9620b2e477970be9ad4af04e05b8c60bda0928c7742cdf37bcc5760048cee3
SHA512f477a9ba34734f58fa8635ce4f216f990285dbf42a3a9177a969570077e59f890244ca0a6cba0e5268e6fd54ba0ffb1ba69e83cf0369dda5d2734e31aca53f76
-
Filesize
36B
MD56783c3ee07c7d151ceac57f1f9c8bed7
SHA117468f98f95bf504cc1f83c49e49a78526b3ea03
SHA2568ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8
-
Filesize
197B
MD58088241160261560a02c84025d107592
SHA1083121f7027557570994c9fc211df61730455bb5
SHA2562072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA51220d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478
-
Filesize
1.0MB
MD5bd31e94b4143c4ce49c17d3af46bcad0
SHA1f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
Filesize
1.1MB
-
Filesize
2.9MB
-
Filesize
32KB
-
Filesize
1.1MB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
1.1MB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
1.1MB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
72KB
-
Filesize
1.1MB