Analysis
-
max time kernel
146s -
max time network
147s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
22-12-2024 07:10
General
-
Target
JaffaCakes118_0136482f6cf9dcac53ee46773d2931b47a4d771defaf6f8c31c25e472e8efdf4.exe
-
Size
1.3MB
-
MD5
57eaa9c4d117c8e89480d176f27a4094
-
SHA1
72e7458be801a9d6eb06b9c03be7eb23311e08b2
-
SHA256
0136482f6cf9dcac53ee46773d2931b47a4d771defaf6f8c31c25e472e8efdf4
-
SHA512
a3aa6d9ad5ab1321f72bed788825659c579f7fc1698b27dcad408348b6b66c787be27844a6c337479be4318141ffa92f70bb5a3d6c159ba03292a614be0c771e
-
SSDEEP
24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 42 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
DCRat payload 8 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 16 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Executes dropped EXE 21 IoCs
-
Loads dropped DLL 2 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs
-
Drops file in Program Files directory 8 IoCs
-
Drops file in Windows directory 5 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Scheduled Task/Job: Scheduled Task 1 TTPs 42 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 43 IoCs
-
Suspicious use of AdjustPrivilegeToken 28 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0136482f6cf9dcac53ee46773d2931b47a4d771defaf6f8c31c25e472e8efdf4.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0136482f6cf9dcac53ee46773d2931b47a4d771defaf6f8c31c25e472e8efdf4.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\providercommon\1zu9dW.bat" "3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\providercommon\DllCommonsvc.exe"C:\providercommon\DllCommonsvc.exe"4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\taskhost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\DllCommonsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsass.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\dllhost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\VLC\hrtfs\OSPPSVC.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\assembly\GAC_MSIL\System.Configuration\2.0.0.0__b03f5f7f11d50a3a\OSPPSVC.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\providercommon\DllCommonsvc.exe"C:\providercommon\DllCommonsvc.exe"5⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\providercommon\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JCnMdX7E06.bat"7⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:28⤵
-
-
C:\providercommon\powershell.exe"C:\providercommon\powershell.exe"8⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qwHeC7tSxv.bat"9⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:210⤵
-
-
C:\providercommon\powershell.exe"C:\providercommon\powershell.exe"10⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\blOcFVMglb.bat"11⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:212⤵
-
-
C:\providercommon\powershell.exe"C:\providercommon\powershell.exe"12⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hiVaTihpWK.bat"13⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:214⤵
-
-
C:\providercommon\powershell.exe"C:\providercommon\powershell.exe"14⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qO35UmqwIy.bat"15⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:216⤵
-
-
C:\providercommon\powershell.exe"C:\providercommon\powershell.exe"16⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iOYCRAfa0D.bat"17⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:218⤵
-
-
C:\providercommon\powershell.exe"C:\providercommon\powershell.exe"18⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\q3WH03M43W.bat"19⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:220⤵
-
-
C:\providercommon\powershell.exe"C:\providercommon\powershell.exe"20⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gMBHdlpNUB.bat"21⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:222⤵
-
-
C:\providercommon\powershell.exe"C:\providercommon\powershell.exe"22⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\veDg5wW3gS.bat"23⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:224⤵
-
-
C:\providercommon\powershell.exe"C:\providercommon\powershell.exe"24⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AMKHlt6LWj.bat"25⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:226⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\providercommon\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\powershell.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\providercommon\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\powershell.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\providercommon\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\explorer.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\providercommon\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\schtasks.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\providercommon\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\dwm.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\providercommon\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\lsass.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\providercommon\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Globalization\ELS\Transliteration\lsass.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\providercommon\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\schtasks.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\Globalization\ELS\Transliteration\lsass.exe"C:\Windows\Globalization\ELS\Transliteration\lsass.exe"6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\taskhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 11 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\DllCommonsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\DllCommonsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 8 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\DllCommonsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\Program Files\VideoLAN\VLC\hrtfs\OSPPSVC.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\hrtfs\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\Program Files\VideoLAN\VLC\hrtfs\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\Windows\assembly\GAC_MSIL\System.Configuration\2.0.0.0__b03f5f7f11d50a3a\OSPPSVC.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Windows\assembly\GAC_MSIL\System.Configuration\2.0.0.0__b03f5f7f11d50a3a\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\Windows\assembly\GAC_MSIL\System.Configuration\2.0.0.0__b03f5f7f11d50a3a\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "powershellp" /sc MINUTE /mo 7 /tr "'C:\providercommon\powershell.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\providercommon\powershell.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "powershellp" /sc MINUTE /mo 14 /tr "'C:\providercommon\powershell.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "powershellp" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\powershell.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\powershell.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "powershellp" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\powershell.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\explorer.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 6 /tr "'C:\providercommon\schtasks.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "schtasks" /sc ONLOGON /tr "'C:\providercommon\schtasks.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 10 /tr "'C:\providercommon\schtasks.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Program Files\Uninstall Information\dwm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Program Files\Uninstall Information\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Windows\Globalization\ELS\Transliteration\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\Globalization\ELS\Transliteration\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Windows\Globalization\ELS\Transliteration\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 13 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\schtasks.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "schtasks" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\schtasks.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 10 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\schtasks.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
342B
MD5c498996036cd4a8b32c0a72e290ffe60
SHA1149b9d34274c5e5c3f3da6f4bd1ab76391c16dd8
SHA2561c94544b4d195d12bf2a5b930895a0d988d9e1edba1a520d2280c3c11a128180
SHA512d767995683dff172ec18a55d2fca5b73adf6e98e9e0ac3c4ff0d883fdf78c657db78911f6171a8e3c32a176a7a2bec456720a93b57d798099bd98123e5841012
-
Filesize
342B
MD5657d5d396ada689876d443aa90ea4c5b
SHA1ffa126da169aadaf7963a0d45c31292170f56032
SHA256fca94f56bdf8c8ba2e68f6733e55df3c137bd562a68c812c1052ca7e3cefa63d
SHA512192363e8c2548ed972a12e974f1b358d837ed7f86b9a415ff5f4605cafe8a7c0f445b08a2f32a2e0ad2be7236967f3fb80605904544d23490a154b4555b137ec
-
Filesize
342B
MD5129d90848117242065e39b7fac31ef2d
SHA17bde7eb72a9bbbe54a9de72425262bb2161a238e
SHA256a339463bfabe6da08a2eb4685ca3ca7058bac1da407f11acb780c684598be4ae
SHA5125ec850c0ab637c709254d63e1fd07eae8045385c2d9c5a0a4cc64402de7c69635d2c971b7dd17a39b5436b77da734883b02f928df88c680a43702a09b38db0b2
-
Filesize
342B
MD540f0b91b9beb7411819a1547d6aecdb7
SHA13f935bc7604660237d2135076598aa4a867aad3a
SHA25639ff3a1a38065f3b779d627756f9fd1e6b19cc1ad1e9eac0780f205dd5b85efd
SHA5120782c3e6d018ac853b01e85ffa42bd499b9740e02d3637d518c031366809b0bb3467a757d16145e3cc20e34f6a0225014a75efd07b68f1722e75d6dadae1ecd7
-
Filesize
342B
MD5b5237799e5dafd1eb1ac876e09ce68a2
SHA136cb70ac2808cd47c3a663e9ffe7f2f23e8b8f6c
SHA2566b0b5f4422921dfafe5d65c307b8718e352d0176e62b6ca69526b031b02d31f9
SHA512504d41aea534f1eac515764ad2a74fa186d29aca82f96f031e2ef02504d1bf5592b2ccf45c7a9449b38b8deed8aae1efb35117bd2e984a998f0b86494f39c699
-
Filesize
342B
MD5e9f37f2939e7635ad5f0c6246deeaf23
SHA1e3b69a5a881f247ec085fe0c1c32001ce075dc90
SHA256063142cfb1b71cdeac7782f9be7da85fba40b72d821bb190b59f1c09559adf50
SHA5126f9415682415b75d3115a7a37d8b528bb88b711be0d41e4c5219332b1eb6664f3b3588821a7064f6e8ade56bff3d2fa27490e955a7735b54e1f2d776aa105072
-
Filesize
342B
MD567cf4a93a36626ad6517eb4ed75bd48b
SHA1a9815e90d3a1a98640058ebd0c0fbb3ff546203c
SHA25665160edd78aa253cc08021d39d43fd775dd0e393f93b772ebe90987b6f5d1cea
SHA51203134c00948e30e9409b0fd409732eda69e1942b012c0d9481877a0f41d1529adcf26159aa7a8e26fea26a6e4f8232c7f1e36d4a9c5563e6d8511453646e2903
-
Filesize
342B
MD5edd06fb561494dc2ceda9dd45c71cb48
SHA19de0956c95018b0df91beece08ff836be753d7c9
SHA256213adff1324d5e93b570e26f0e8e9bba7a4088cadebb8d4cfef42a11be960437
SHA512097cf8bc3ecd864d7e41efcb4641ceb41f4f6cf134f1629637f73f780496ce3a55441ede678c9ae85642ca574900f47493bc0302dbac641ae59cd39ca798058c
-
Filesize
342B
MD5a3630f219bee4366403ce2a9483b01d5
SHA16d6a36565480428ce8af47538c27d5c4b5d2ce0e
SHA25680cf1d7b9a259dffa951c2cf2617e17e04a2ea5b7c77d53dd12a600bfc9cc5de
SHA5127d8a19543bbbbd2dd4a792f9f73733bd90f9d945ee0d6221558730b7de3fea1e0abde2eb7004757e5318374b1c06a6605d5de6863d4b045149f9c85498f918f4
-
Filesize
197B
MD5514ec01d3fe71e21fa775c7ba33c9b0a
SHA13e942255d4146b28871b531b7ab9ab5224d1ee27
SHA256e1c75105f7b40f3ce126f6e5977d9a26f54352f5cb288a7b8dc4f6116463b215
SHA5120e81314f8800e94cd71dd1b0cf7a08dbd5b6eadd4fc53181f25fac673b816177f154e872349ff9b367f9001a004f229523877e465ab8c56634f135ee49ba8b0d
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
197B
MD580da8a2449a1e48f73ad8274ffb0bdd7
SHA1737dc6e4ded66d52c4a62b5176217c5ed40b1fb1
SHA25641a994fe0e0ff326918307888a7e558c709d441d2e57568f86b4268aae575773
SHA512e8077ff86878cfdab4a1dc6cb8287b2317eeebbd458cdbb0f041df1c9881ed523f3ac6d8a095be4f18b5e2404a071c50a65f2af8683ffabf6bffa866eca1d56f
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
197B
MD58a126dfa59fa9046132d91b094c74720
SHA19d46857f52b5da21e175378c73c6d6ee8468f2ad
SHA256a4febe0594b277f8b8909afd17908593509d01f573eedea36bb9cd23e9f3a843
SHA5120b081f931b0b199f5f678ad0dd67f494c215372fe1c169179c8536f8e547139d934377215968f9689b1f27a62d09ad1710bacf5a2c9af8c89ed9dcd820f9f337
-
Filesize
197B
MD56e83071e288e24c833fadfeffa3882a2
SHA18b672e4b888c617a3d16e894a24eb7c8e6551c3f
SHA25637bff32e8574e091829e25722c32bcd6d6dcc6db76b6e4d288f9eac414adb650
SHA512028c0a2a884f72c1dca2b1ea83b5e48977a3e07ec39d70f1ac21dd6406f420440074bfdbb34e2f90021f956cab73be8dd82c6f0c9b418449b165510f724da27b
-
Filesize
197B
MD54ca2baf18a1b64deb35f62bb6e989343
SHA1797c7759e5ac884bbea47402a4ae6876f1393aff
SHA256df0b761b5d718c64a3a4e50b432ac3a40634da8df9dd3c1e5d102da006fcf7ce
SHA5125a9e40c7df8d0141066a54ab3e1913d04048ac5fae835e3d2da4a7eab585981a46a3193e816c59c8b89b7346bdf66450f69dc4f404b7e99fdfde07e01d5db19c
-
Filesize
197B
MD5fe82482045842046d2ede13164cb31c0
SHA1eff45707b11569e54123ffe34fe766b79521226e
SHA256c8cfe021c2b484aacc4a30bc2d4be86765fe54474e0d1c572652ab8ec9a1a066
SHA5122318d9ae19836de5c6a2f06efea6070af50cfb80894eb7d0454045f2b2d6cd701cc8d0bc519dffbc167242dfbf69992ec7fc4ca7f707c0da346e73ef873599b4
-
Filesize
197B
MD5f24b5ee7f20af0f880ffb7b391e6cc7d
SHA1bb212239bf364e513e26061f5577ba7ae594d1a5
SHA2564b04a0fc991bd2bdb0b1a1bc41b8f22340f7cb9152c36063d280f81731e4406e
SHA51211c58d9841c2f8a4ea99bdc03a3839e012009ed5cca9234af193457cf4c112ea371eceb084be1d11e7a52d72f14a1bdc1aa4828d09e31ed89fd27d7ba8ff0c23
-
Filesize
197B
MD5ffe9aa46fbf946ff55e9a09567898ec4
SHA1aab3795e0e6febd0c953ae231efa3d37b5741792
SHA256c3fba70ce30d9b121b8074d01d17ec157ccc28efee824da2956f5ecedf0b26be
SHA5120c7e1da4af66aab3fa4d93c2a5e2b00a95823631e95dbd5036cc46f31f9a892aeb37c7d6ec322de18145a1688f142001376e9d27c0d894d06b2d118ae7e8eb2f
-
Filesize
197B
MD51ae08bf9a6015b791c32b7914394d0c8
SHA1e8dae49eee5bb88f3d96f6e96c127be8c41719b3
SHA25625aede359fa91d78a133ee1483e835628c2aed629230375fd5e6b5c9a0dc41e4
SHA5127ab4737e90b70f5b9051ce8bc286e776c34b8c04eae845ab8aa6e99ebb2028d3c5004b8ccffa9debfe1627b5e03ca99ac2cfb414837dd4c973a3255a15c8a81d
-
Filesize
197B
MD57963707c93752a435aca8148129e5db8
SHA115ba3284c6167286e28b298e5952e82b65b81cfe
SHA256d3d2b159f0f7be989b5c93e79197486245fd0d176a91a956399cb8536078b4e9
SHA512408ec54a3731d1420317e769ce38dadae417b2cb784cfd82f16cce5d9048b54064b500bfd2da50a4f7fbdbe2d7cf2e631193a47a2b56f00b304566b66f87ded5
-
Filesize
7KB
MD5e9200a34c3262d74ae034df6cb7d4947
SHA180fb4252e18d5db99801659c899647731065a728
SHA25659591473406bd386257e54d59ae70c6503603a4e94ba9905b912d6bbd334fd25
SHA512096d7e14d204fafefa99d1e0885b4df85566ca75841a234ce553f35cea0cc69394914bf9e34e6e37b0a7b3cf29b7bc9874e25326fc45bb1fd998fd58b5190c92
-
Filesize
36B
MD56783c3ee07c7d151ceac57f1f9c8bed7
SHA117468f98f95bf504cc1f83c49e49a78526b3ea03
SHA2568ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8
-
Filesize
1.0MB
MD5bd31e94b4143c4ce49c17d3af46bcad0
SHA1f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
Filesize
197B
MD58088241160261560a02c84025d107592
SHA1083121f7027557570994c9fc211df61730455bb5
SHA2562072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA51220d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478
-
Filesize
72KB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
2.9MB
-
Filesize
32KB
-
Filesize
72KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
1.1MB
-
Filesize
48KB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
72KB
-
Filesize
1.1MB
-
Filesize
1.1MB