Analysis
-
max time kernel
149s -
max time network
145s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
22-12-2024 06:49
General
-
Target
JaffaCakes118_d9d18a4d821150c07a0d09524c4e5fe7ea34a3932f891b382352c237a9794231.exe
-
Size
1.3MB
-
MD5
6a77ded6dfbee7f26edd24c1cd3ef2e4
-
SHA1
68eaeab7239150ca236f70e3f66dc734cc830ac1
-
SHA256
d9d18a4d821150c07a0d09524c4e5fe7ea34a3932f891b382352c237a9794231
-
SHA512
66aaf96fb1e97c6b34fb40d9bb76b6633cb6979c599abc69c0b7bca91b120a3e024fec893561402da8c7d9f9de666c1198ae6047deea76d3dbad9548950a5e03
-
SSDEEP
24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 39 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
DCRat payload 8 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 14 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Executes dropped EXE 12 IoCs
-
Loads dropped DLL 2 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs
-
Drops file in Program Files directory 8 IoCs
-
Drops file in Windows directory 5 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Scheduled Task/Job: Scheduled Task 1 TTPs 39 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 28 IoCs
-
Suspicious use of AdjustPrivilegeToken 26 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d9d18a4d821150c07a0d09524c4e5fe7ea34a3932f891b382352c237a9794231.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d9d18a4d821150c07a0d09524c4e5fe7ea34a3932f891b382352c237a9794231.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\providercommon\1zu9dW.bat" "3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\providercommon\DllCommonsvc.exe"C:\providercommon\DllCommonsvc.exe"4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Tasks\DllCommonsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\es-ES\csrss.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\System.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\dwm.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\IME\it-IT\lsass.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\winlogon.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\VLC\explorer.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\DllCommonsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Cookies\sppsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\NetHood\OSPPSVC.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\winlogon.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1ViAyttYMZ.bat"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:26⤵
-
-
C:\Windows\IME\it-IT\lsass.exe"C:\Windows\IME\it-IT\lsass.exe"6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AQtyVABn1C.bat"7⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:28⤵
-
-
C:\Windows\IME\it-IT\lsass.exe"C:\Windows\IME\it-IT\lsass.exe"8⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\c38FLB8gIG.bat"9⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:210⤵
-
-
C:\Windows\IME\it-IT\lsass.exe"C:\Windows\IME\it-IT\lsass.exe"10⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZDYK5nApHO.bat"11⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:212⤵
-
-
C:\Windows\IME\it-IT\lsass.exe"C:\Windows\IME\it-IT\lsass.exe"12⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\j5PKlq1uIo.bat"13⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:214⤵
-
-
C:\Windows\IME\it-IT\lsass.exe"C:\Windows\IME\it-IT\lsass.exe"14⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ph6jqiBtuj.bat"15⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:216⤵
-
-
C:\Windows\IME\it-IT\lsass.exe"C:\Windows\IME\it-IT\lsass.exe"16⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ISA3vp411k.bat"17⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:218⤵
-
-
C:\Windows\IME\it-IT\lsass.exe"C:\Windows\IME\it-IT\lsass.exe"18⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\crRU6Ya2tl.bat"19⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:220⤵
-
-
C:\Windows\IME\it-IT\lsass.exe"C:\Windows\IME\it-IT\lsass.exe"20⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\L9j9zErPDE.bat"21⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:222⤵
-
-
C:\Windows\IME\it-IT\lsass.exe"C:\Windows\IME\it-IT\lsass.exe"22⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Q0tVgmHuxR.bat"23⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:224⤵
-
-
C:\Windows\IME\it-IT\lsass.exe"C:\Windows\IME\it-IT\lsass.exe"24⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MXvuXcjR4o.bat"25⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:226⤵
-
-
C:\Windows\IME\it-IT\lsass.exe"C:\Windows\IME\it-IT\lsass.exe"26⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 8 /tr "'C:\Windows\Tasks\DllCommonsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Windows\Tasks\DllCommonsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 12 /tr "'C:\Windows\Tasks\DllCommonsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Sidebar\es-ES\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\es-ES\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Sidebar\es-ES\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Program Files\Uninstall Information\System.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Program Files\Uninstall Information\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\dwm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Windows\IME\it-IT\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\IME\it-IT\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Windows\IME\it-IT\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Internet Explorer\winlogon.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Internet Explorer\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Program Files\VideoLAN\VLC\explorer.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Program Files\VideoLAN\VLC\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\DllCommonsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\DllCommonsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\DllCommonsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Cookies\sppsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Default\Cookies\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Cookies\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\Users\Default\NetHood\OSPPSVC.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\Default\NetHood\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\Users\Default\NetHood\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\winlogon.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Default User\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
342B
MD5a3da46c41f3fb0f5495587a28518a228
SHA1712c993eb581c5b2cab604ba4f2d9bde38d22c8a
SHA256e6adf607b521ec058918f09f76dec62e7557cfb191d6c144b9ecd6f609dfe288
SHA512c68c2021d011e678c550c1309defda4a892f027094fa27b6a38dbf24f42e52ca5cb8f4923cedc90a3ccd8055c776ad4ba2a3fabd1ba028b3f6c575f97360406e
-
Filesize
342B
MD5736cb69a6e9b9d562081a8d7f7e917f6
SHA132d0d7cd876243c949836d891b1332edb4ff01bc
SHA256a0a5832c8c391ecdad09d3d538602a1096b7bc494078a7026f8e66534eee9b5f
SHA512d71b2c0de5e5783fb74834ed8c1c3bc374f3b038d468ce8f48c41961d9d82a86b36fdb45641c16f1281f1e1f13d315d5ce8d262fc3381c518ee8d22363595720
-
Filesize
342B
MD5f15285feb607ea9847c14976d87dd1cd
SHA1d6a2ef3a637fa950b34dcc9a737c80b334e4363f
SHA256dca4aaca0e37983db1ad45319717a4acc89feeda6563195c50874c39fe4e14f5
SHA512f9f40e86bfb0f6b40342418151eb31de01012a43a961c257f855ea305e4e47486b9b8787add51234f059841b333b48dc4168b21fefcd2055aa24631b4814a7d2
-
Filesize
342B
MD5dd78d3b8403dbaba122cf4dc5162abc9
SHA108e0f892f266c229a599c3c5c5069077339fea2b
SHA2561538fee6401d374bcea11fc1fc5f8e99f88881f08180bee13645c8cb26192f00
SHA51200d28058e4bbac56c8362f2338e40cd4c05ca63919f15ef4f6772a371552711822258daafb0fc25815e98ca7c4ea24ba5ac77586f2489a7c15e4028aa59f85ed
-
Filesize
342B
MD5134ba7d467666492297f16d0c7b207ea
SHA178cac783dca90ddc5605d150c9b66ce4d45593b0
SHA2563232e87f94d232c0d26522cf26f81dd96ea421f3b881bdd28fff6e3a77d363f9
SHA512198395ffe7b15cce00a392dc4008958ef0cc916baccf6ab1c1306c7bd73e7598dfa86b9f1dc24ffed53615408c4f903bd7d25914c59b59e289008595b04f3df4
-
Filesize
342B
MD5e2bc0f1953eb5efcdc8e1975156271ed
SHA1fefe0fd4e4446dd8903412cb67d73cb4f9e96e26
SHA256e7e00ea305474ec527f748a2697601ef5419b8756318f703ef2982dcc07bff3f
SHA5122b8c2f579fd2f2fb435be2b92efefc374a8565175d178a7512c005e1f4c61f026414976d24b38ce07cf94fafd1f1890072de69e594133539b762cc66359b570f
-
Filesize
342B
MD5058b18c50feafd965950507f904f90f2
SHA15107598db0a0cb9605d15472ee2a4f6c9dcbcac6
SHA2560fbdc459d9409c6ec3977016f597e7f19d736da778be56ad41cf4f8f53bb3eea
SHA51257adaa03a199484b426ca59daa987f796daa6c564e87fd870417c6dab1e4c1fe6b43c3f5c942275487f43d908bcf1b0dea5b1ded67542bd047435d85b4088787
-
Filesize
342B
MD5399a8c7d4368decaa36e670cb9f5fd30
SHA1719420ed7c7603f3b0d09c8a943224a21d0a5507
SHA25663cea2e47bfe8037a1a10787dbd465a8fdcfc1872d07fbc3c29f38722d874c35
SHA51235f0c0321e94efec409dcf0b54e6cd31247a36c3f74888afa9e9f88054c7d52664d4b34d7aa0146e6641f178c553d35e6f34109fdd4e4a92419271d4225bc8f0
-
Filesize
342B
MD5983f5d7179d4e103d4d6a3b9f0cf34a2
SHA11106ddeb55014cdf6ed6db8b0e7592d546a2a2a8
SHA25635ed7047719c2454730554070ae3a067cd481e512f5644effd2d9fd5d901e82b
SHA5122bf3fb09248e1953f89f794a263cb4dc4150b77dd4f208acef67dd36d501d2a89b9a32291f6cd0a73c264203de1a25435b446dddb309d9b0a70516083271012b
-
Filesize
195B
MD545ee2a8af3d10d45b7ad2464968acdff
SHA18efcaa8ae7b520ab3cbcd9a6d1b40582cc8e2e89
SHA25630ac5f57e23c736c075f30dc66cec725e960a458c05a3f94d837daab99b9d07c
SHA512f88d21967d4de8f84a7bbf0edcfa855569da42090c5304201e30bc964e36ae259e1f4f70191b146f4515e5b9abcbe93b0def695b9b1965f7f738be1a106eb1df
-
Filesize
195B
MD5e8dd29fa3e0e00cceba19f477c90282d
SHA1dcbf5968d1c871e42134984c2045512ec2ee2db8
SHA2561e382dd2ca3ef7835b998391a8204c879fc5ef537778d6d45c78cbe9dccd7105
SHA512382983cd4c5eb3355120cd4b90beb588477a5aa5be9089cdfa02feb03552ea3e5b4a20bbdf2d6668aad0cebdc5965bdcd971b95b27bef2e98cfb754c021f504a
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
195B
MD55242da481d3bf066aab6bbe237a80c4a
SHA14917fd205c6b572ea745dfc9a3d6778f32a855a5
SHA256b4891462cd0498921a86733146d411892430089ece44a2c4567bb946813cd0f7
SHA512dc8760ac4976446bd2185719d0c60c100db4356104a324f15e82756b66afa14ad0ac5c13a51bb5ce2aa5111c1d1b4927abaa79dda4371a75e6219fd32433a379
-
Filesize
195B
MD570ac68f6fc163687c70c4cd212bb4e17
SHA1b34fc3fc6c56252c768759003be4aa3dd50d2d48
SHA256e02e7dfc63945075fc28d3ccdf1fc89264e0f6cb0b93235e0f1155a179b3ac05
SHA5120458ed72608972e5ea3b834b0f2b7e4aa3a1fd8755ba0a00fdadcd9e973abcf6cd9d89a7a34b651cefe4c3d6b8270e9de55fdc8377df89f273812209d5b439cc
-
Filesize
195B
MD5c7bdd24b4997b64eb8d5db9de8fd699b
SHA13bc2e4c0dceb3e535717b080089f72a62f93fb8d
SHA256e35226ccb6ec7a16a8518ba64e76ae1c59cd3530352d77eec30e2380af1c758b
SHA512b1acc160dae9f727e68f470f2b64a54e86f6bce1a00afe682db682979c4d198eccf71c7e6feb2b47bbc9277c88742aa064801b26fd4e3b328428f68c19bf4fbd
-
Filesize
195B
MD5a4c4e599164312d556a14ca672712de3
SHA147793f089fd7141a18a4f91acd9cce07029864b2
SHA2562b0f0354cf81c4f39d7d20ca4a6d759fbcc5cb90961e3bac4157b7243e5d327e
SHA5122514ee6c69e882507084f7989c3a49e5840d7c08414b9a4baae31e38789fa3a70ebde6e70c1d6cf73e29e7bd8c4a75ab0e42278af02c1c6786290b1abfa33d8f
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
195B
MD55789cf3925f44a22de8e1099246fa07d
SHA148fcdad8b9616c41b55087e07a219582bdb97a9d
SHA25627cb58fda883c226f24270503702bc295e75b4254b718aba72773095be88cd9c
SHA512741679e85ee538875189a6473a56eee1a6d01e0861c1b089c9abb73b1fe00aec26023c4f11afdcb522c563454716b1072468c07854a1790f1263f1863e88ae4b
-
Filesize
195B
MD56c0c8fbe5b06d2e80ad3861d2f79d919
SHA194542eed45c77b7ee90457134459d6c3be1fb0a7
SHA256ffcf7cbf5119e905d5583dc17bd29277fe37e33c1c0cb53c109ce9dbb135ba5f
SHA512eb9cef5218c202f11c7b791de7dca680b32628a2a3055e17ec6a64324285d6360319eb81c98db7b7e99b5b131918e23c3a2ba25dbd320630ad8b6dd24beab694
-
Filesize
195B
MD5a3e724b266722f449b95254322a43b35
SHA194217c9ed4a01ac165d33598fa9b3024a3edf898
SHA256ca1bcbf6358cfb6c3b99c5212186fc37c994a466c4c9e04e7edf9dccc1311174
SHA512d9e29bbfee72461898bddedbbfa32dab45e8dc6777848d4ecfb5deed3a06dedd1733bdd8a3781ab03e96b7d8dc621ac3da39d1d7d1e89deefbe9448de2c4f1ce
-
Filesize
195B
MD5999c0caa1d5b4a79b8e1210eda2e26b7
SHA16166f304d9e1a569f97731568d832f2639e598a1
SHA25645cc6919d76ee08806d652053d8904c9924316b71df8ac1f9102cb61b3cb8fd0
SHA5128cf3ec7c3b9a0a6bca9d3644700f93167565d3800d10ef6de69a7b68390e71ee3be6ba58a504be469045f2acdc1b552d87b78e2f697558fd473f91b1b04c687e
-
Filesize
195B
MD53dc934d3f62b8d2455bdc635b1297f46
SHA1640775ee6671afd6de6ae91aaef414494fcdad0d
SHA2562b157340c45c5c8ef2a101f9242a795b6364711679bcec4fedd0d7509d0a9a07
SHA5125a415bc778e704e3a93887dceafed759fc99aa8e027e1de4a589d60074b3b10b15170bb3d4403880eea3a2b84dd7e3eb32e3da3499c997399fc2b78906e54245
-
Filesize
7KB
MD5a3e3c07e7e02831c65c732d3d527972b
SHA1a2442f518e87f18290256ca6efbd2ac4fecc01f0
SHA256b5deab6b7e72f49f9d05930eb1347c92aff393d121ca99631ae4a54ec267b986
SHA5120f8ece3a7c9a91f259061eafeb90f4e8fedfe1cf833e30fe2f557f452b405736436b96b16466428da4b3321367ba791632fb1b7079d92e32fbd7e99532a94ad1
-
Filesize
36B
MD56783c3ee07c7d151ceac57f1f9c8bed7
SHA117468f98f95bf504cc1f83c49e49a78526b3ea03
SHA2568ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8
-
Filesize
1.0MB
MD5bd31e94b4143c4ce49c17d3af46bcad0
SHA1f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
Filesize
197B
MD58088241160261560a02c84025d107592
SHA1083121f7027557570994c9fc211df61730455bb5
SHA2562072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA51220d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478
-
Filesize
1.1MB
-
Filesize
2.9MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
72KB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
72KB
-
Filesize
1.1MB
-
Filesize
32KB