Analysis
-
max time kernel
147s -
max time network
148s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
-
submitted
22-12-2024 07:50
General
-
Target
JaffaCakes118_dc624a9ffa1cdd5b4d40980634e65492925ac8ece64fe27c0286afbefe19c2ed.exe
-
Size
1.3MB
-
MD5
50e8df05511bac051bdc1465a5b4def4
-
SHA1
769f9bdee259f9dab87a38e6b183cc1db8a6cc3d
-
SHA256
dc624a9ffa1cdd5b4d40980634e65492925ac8ece64fe27c0286afbefe19c2ed
-
SHA512
e880152fcff870e9ade90820f7b6f9a126f24b73c031d56a6bf52d6ecb304e3bf6a0dac4fee1c60bb68578e3f06311b7a00e7033e85cb55b378d18f700b8c4ed
-
SSDEEP
24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 45 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
DCRat payload 12 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 17 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Executes dropped EXE 13 IoCs
-
Loads dropped DLL 2 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs
-
Drops file in Program Files directory 19 IoCs
-
Drops file in Windows directory 5 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Scheduled Task/Job: Scheduled Task 1 TTPs 45 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 40 IoCs
-
Suspicious use of AdjustPrivilegeToken 30 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_dc624a9ffa1cdd5b4d40980634e65492925ac8ece64fe27c0286afbefe19c2ed.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_dc624a9ffa1cdd5b4d40980634e65492925ac8ece64fe27c0286afbefe19c2ed.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\providercommon\1zu9dW.bat" "3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\providercommon\DllCommonsvc.exe"C:\providercommon\DllCommonsvc.exe"4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dllhost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\csrss.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\explorer.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\Accessories\de-DE\lsm.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\lsass.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\fr-FR\cmd.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\de-DE\lsm.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\wininit.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\providercommon\DllCommonsvc.exe"C:\providercommon\DllCommonsvc.exe"5⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\conhost.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\7-Zip\Lang\taskhost.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Photo Viewer\de-DE\winlogon.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\powershell.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\WmiPrvSE.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\spoolsv.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\winlogon.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\51LR8ZxuJo.bat"6⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:27⤵
-
-
C:\MSOCache\All Users\powershell.exe"C:\MSOCache\All Users\powershell.exe"7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LIqDUaLb8G.bat"8⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:29⤵
-
-
C:\MSOCache\All Users\powershell.exe"C:\MSOCache\All Users\powershell.exe"9⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zcjutnjrcv.bat"10⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:211⤵
-
-
C:\MSOCache\All Users\powershell.exe"C:\MSOCache\All Users\powershell.exe"11⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lmMgPtgxf2.bat"12⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:213⤵
-
-
C:\MSOCache\All Users\powershell.exe"C:\MSOCache\All Users\powershell.exe"13⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Asmf6CRzTu.bat"14⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:215⤵
-
-
C:\MSOCache\All Users\powershell.exe"C:\MSOCache\All Users\powershell.exe"15⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SpZgFYZT4y.bat"16⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:217⤵
-
-
C:\MSOCache\All Users\powershell.exe"C:\MSOCache\All Users\powershell.exe"17⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bhowVEGEG8.bat"18⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:219⤵
-
-
C:\MSOCache\All Users\powershell.exe"C:\MSOCache\All Users\powershell.exe"19⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\etpQuxQFPn.bat"20⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:221⤵
-
-
C:\MSOCache\All Users\powershell.exe"C:\MSOCache\All Users\powershell.exe"21⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ssDSZpddA3.bat"22⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:223⤵
-
-
C:\MSOCache\All Users\powershell.exe"C:\MSOCache\All Users\powershell.exe"23⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DegeIw2hse.bat"24⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:225⤵
-
-
C:\MSOCache\All Users\powershell.exe"C:\MSOCache\All Users\powershell.exe"25⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\L9j9zErPDE.bat"26⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:227⤵
-
-
C:\MSOCache\All Users\powershell.exe"C:\MSOCache\All Users\powershell.exe"27⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\12JaEZR6zX.bat"28⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:229⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\explorer.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows NT\Accessories\de-DE\lsm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\de-DE\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows NT\Accessories\de-DE\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\Windows\fr-FR\cmd.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\fr-FR\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\Windows\fr-FR\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Windows\de-DE\lsm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\de-DE\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Windows\de-DE\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Sidebar\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Sidebar\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\providercommon\conhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Program Files\7-Zip\Lang\taskhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Program Files\7-Zip\Lang\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\winlogon.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "powershellp" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\powershell.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\MSOCache\All Users\powershell.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "powershellp" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\powershell.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Portable Devices\WmiPrvSE.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Portable Devices\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Program Files\Uninstall Information\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Program Files\Uninstall Information\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\winlogon.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
342B
MD5d516f0553652b1a21c362717a7968ea3
SHA16dfe851c6e7e30a02761aa3ec08a016ba81840f7
SHA256af9dd96d244a85b5d1663aa6a114e8588a45aaf6b15c7201e8fc603fa4bc5304
SHA5129ab0ef1bbec2c908282068a5a7801de480aa6bb58cef20f6f4fec870e9880b27254b08a1b688ab033afbc4417ca4802699ccdf80d0ab41ada61401f14a206189
-
Filesize
342B
MD501bf866fbf56a05502ed6b8f89fb8877
SHA146394a43ee09e09a3daee683e7b5f83d0fec620f
SHA256f0f3277087e0a722d0e4d7a855c7a73578e8acbee9ddd87405f420c21a47f61d
SHA51275c35d3c6f657b0e48e9dc0e8bdbb2c82597dc78c14c205b1a308794375f7df27b44e5566c0fa4f6515aecbf7eb61abe9534a04ee8b5d91346997e7e4d89e9c1
-
Filesize
342B
MD5326a29ec2982f8a15f4093c670621679
SHA1e6bbf1085f40315815fabbfd037ed20938d77443
SHA256a222078432a15bf5a66fe339e3d0c5ca24987cda7be0f066a0e05e553992e8a5
SHA5126141874d3366443fbe8fc143c08b8aa6272b2889968ff2cd249a43b8d05cab64667ad462e44f305f7a35c330660974f514fc5f8957ffd41d4cd528495efef867
-
Filesize
342B
MD5cd4f0a88dc2f624a7c69a8b5b253715b
SHA1e6cf0d585645f4b7224383299ccb529dc3228ca8
SHA256888ce3b667929404408e6b75b0884bf11c74bbdbc7cc0f98b43f0e27f5441f70
SHA5122aa5578f84e288c7776a6f62395839591b4248ea041d68fb6ae550e4d1a3e3ab53858cda4441cb191ac2f618cd15ca603fa94105957b7585975967258a162f94
-
Filesize
342B
MD51e63e786f6f719d9510042780f4e0313
SHA199ccd115738526471d46d4ef698e6ea28bddab71
SHA25681d0cb8ccf2fbc88c6eb0baf322897fd67549b587a99f257771d117768621763
SHA5121d53ac785748f0e8c7b3dfbb2c52bf0db38aa256ec6bef532f956faec84f18bdcedcde579100d1d2a6624f7a0da1e125f84dba8d47bf330536c5a9a529f9f1be
-
Filesize
342B
MD54db6217237cf9fcb731195982dacd123
SHA1e1b505943b19672fde977fa6f1ef5108aa840d83
SHA25696b66b0258a06196458ba66230f8d07cc8eb4516957933d7e7e60a5e8ff4402c
SHA512e1a4d9051d7add36d8d8dde6cc5a8a74dc6e61b13ae147d592cc82ec943d32d602537019c9242e9faf054aaf5b607c28c093b64a53414caef3139957941b8091
-
Filesize
342B
MD5d1da75f6799e816a29470051005e704c
SHA1c3a459584373471302fdeb26114da7c81f7aec92
SHA256b7d52230ce39ff401e7ce507e5c6bcb7325ef323d975f389736db15cb88045e1
SHA512f97f1526e2aaf1a312dc51b719e212c1169bcb3f1775b64e9072f591baa2a0d794f7d4a054665788a1238d27c609384521094818193e1ed25793a8209d93a8b9
-
Filesize
342B
MD51565709f8ed7cc3cb6a3ac9726771c26
SHA1377115ffbbcb1e13d937915c48d9ba4f40d0203a
SHA256a14c391e9356202066e9ac43c95837c74a6be4c68bf5cd50ad5ed62b8c2572b9
SHA512d1f0f437059b17907e2ae66eda58b3c83a32f10ffa39cdfd86b24ea3faf1b13073384ace52b9f48dcc1e4eb87b39c0947b3c30621170cdf3c443f5eeb6812448
-
Filesize
342B
MD5cc437b16531ed1907d9095de4007422a
SHA197ed584474260dced70fd474f468f9d28f4f9898
SHA256941d23eb2cc28b27462808d8a27efc57ff7213ad104469a1880e8081b60ac8fb
SHA5120772b273392569aefc51189d6d51f82fec56aa83c43a188505d8726e43a9c9e34bf8eb39c142fbb73c0159c1300587a9b57083f43ec138696bddfa412fc484d6
-
Filesize
342B
MD54cf68f7eadf0e4b10f757d5ff07cab07
SHA12700e9aabefa9575f548515b1d47a354cad13a1d
SHA256f01e5550f48f7160098770082161793c9f388b6a197a602d99001d1a39d7e2ee
SHA5120562afe32994d5bd67141269a304df1b893941feddee8f5c40bcf9e63d6cb21463189b25f1ea4a0b8e1e3b366f80a024fa08ce1950eed669fd50bdc1417c9c68
-
Filesize
201B
MD521420cfa625e6314f029214c6cef6413
SHA1a064b8f1dfe5812ad10cfffc1e8f7581e3754a13
SHA256f85910200e337bb2f2516255d6a378af8f9ea53863b33151ef5c89f983cad5c1
SHA51266be5c3620da48a6191b03b67983fcdbb47b42a0e26ca6cc57c03dd4e87a1dec1ea5a12347c7cb02ec6043c9c8b1117a724576a0408f2494bd328a715e1726f7
-
Filesize
201B
MD5565484dd03a594ee7762bf23290eec61
SHA1529ae53433e9e41161fe42f85dd1be8484909e4f
SHA2567a7b8838a2fb46aed61179955b4b04a11a010b7e448bb9a209bca9197c8339df
SHA51285de07a8875ed18f73bd81b71d66e9d118d9e1a70368c4f9487f8d3c7dbf2ed6f409d44e5ce6eb9bef80c66a24cfe22230dbccc6b3f7a05ea4f82ecff910da25
-
Filesize
201B
MD518556368e60d675240f13c601d7371c6
SHA1d03d9e66602cd972a46a514e57a186bd3115d955
SHA25654090fd84bcc72590880de59637df58a1f3e3ccc1b01d2f5355f4c7c36dacbe9
SHA512a98ccfb35807f1f35744c23d06ad861b979b5e8a708ba0397f0c43fa46a212fc4adcdc672c7a284dd9cb97ea8021e659dcd7a054a0e31cb69f9ce2463387f507
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
201B
MD530bbbcd76d326211b1e0c96adc1468d0
SHA133c9db9811c4ff7b46522f5d2f654f5693ff0399
SHA256776d7664182636d70aad896565e993a52f16ef2ceccfae5336cf5a266cea708a
SHA5129768dc38dcf3dd7e5fa758fc56a40cf721b016e899d677d1d6d40e28461748277c122504e46c52c45be72d19c5dc437edb43e7b0542e599aa95e2f0b062829d3
-
Filesize
201B
MD52a161febdea8c0d3d5adb0267816ceef
SHA12c25fca35613968b34697dfb8cdc90d7e6327018
SHA25681c49d8d746f4c24653ff3716ccd8c116fb9de67ded6801e2647e6d205c065eb
SHA512cf839b824147d22c900d9d81bd821d15ebb038a30ffb32b29e70a72ffc7f0da8eacc6e14c660fd56e0961bef0f1c0758b67c4db4e5ca7387d934aebb3da13232
-
Filesize
201B
MD5e9e2a879dd8d25d7b91596b349db19d2
SHA1fd9e753e1cf31ca078b9370c138c9ef3c7d0a5a6
SHA25601bc924537ea0482834ebf17aaa4f0d4c53a7f414c8ca69f719c0a174b3f0bd7
SHA51218d771d1b32621645f31fbd48e8770e9dc084f3971a0aa50c67daf9c9442972502a92c286d2ee528b2af8b3e2c2119d42ab05391af98fc3930b08f08a7ba356b
-
Filesize
201B
MD59c1ac1b9b8db0e74306e53ecc31c3a11
SHA1ef15363f966a4e80dab6ace9690aeacbaecee44a
SHA256d4a07ddaad812b9abaddbde26f5903ddc77cf7871f8b5b970a99184f31b177cf
SHA51293a685efb689ee9f3ab444e8148a2c0722996554d49a77f1ac88692b9dad7c52e807adb3d8b63f613af5d2f4a7318856c2155baeb54dda5aea7ea1abae389dd3
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
201B
MD545525ab7c6fe4a5c963ec88c000d2d17
SHA1c7b5d3f70e3fd0e8446715601c6f615fbc9e8d21
SHA256fe4de33c4a2dabf381ea0998b9b038120908aa8696484c651095502979193648
SHA512e5523f98d49746b5cd3d914866c6301fa87cbd1321e72a47ca378b7a540c0bb6175ee955f187c5489c9ff5a1adc3ecea68f8aa086cc1024c05caffa6f347169c
-
Filesize
201B
MD584463f6a5a9d9d121d7c084b82add9c7
SHA146c56d6e6a61f112d7185b29a70d2d4592bf76e6
SHA256fa786dada1e4b929fd98fbd4134bf97bf5714991e0eafe7f96c541b645719bb9
SHA512c818d9c3cc5be0610f4abb863a1174b1debc61465e9825fa76584fa43883a9282994b1264575350836cbf950330b77fc5710969b131b252ec0275d7a071874d3
-
Filesize
201B
MD589594de754635552c028a16db7bc5c75
SHA13cb5510427945e0ec9498c5f93713c050cc6a1cb
SHA256ea3a3f7150597db70898ff1bee1f6368b2d64ac87ee92a9a60b19d9162ac1dd9
SHA5125fe70ae2371c86596383cb002f844cccdedf18764134171111c9c1a0065e1aa44dad0f4c828fa8fd6e1b9562cb55cd7ec1caef22f8fa74694c1cd6e8d04d6c4c
-
Filesize
201B
MD5199b4d6d503527ae4a29c46061fea96b
SHA11f6ce601de668eb516b45bc8c32eec59706e498e
SHA256cf54fbb94a1db2150ec679617c8de0bdcfe8cd106cb60361031aed234b04b223
SHA512038dda80dd87ff233b020f6237652f87d98c19d82133552bab140d067a4c33bf682192878cf0789a888604e45288f5176f823af917dd995f655f306ce6d9fb3a
-
Filesize
201B
MD5a6f51b8599a777a599c3c0516ceb6392
SHA1c63ce2c9abed3ed01530e33f4257b7f79b60648b
SHA256813a094f2044d2becc4605cb5881bb60c027fb79587f9425418e40eae5b2d9b6
SHA512b7be686caa06f2e59a0feae05b78bf9cb714700b28e17c0ff3d1bac3191b348fb6241501908c44b46779dd7a4bd55ff71601e77d35a6f6497513778b0295e97e
-
Filesize
7KB
MD5a657c13315a5ad4bacd593f746f9f567
SHA117cc64d81a5c3734a28228af21d18d144105b08b
SHA256314ab050270c7030ffd9202f2f1968460dc9ce88c977b2cc824cf3c6d3379c1f
SHA512755e2ef25a688b50ff21a4b78e0e9f8f4340b6749084ba98ad7699ca8dba0408471431f54e32e4d1286ab9b4c82b1eb7cdefff42fc08e771de46c9a9ed3aeb3c
-
Filesize
36B
MD56783c3ee07c7d151ceac57f1f9c8bed7
SHA117468f98f95bf504cc1f83c49e49a78526b3ea03
SHA2568ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8
-
Filesize
197B
MD58088241160261560a02c84025d107592
SHA1083121f7027557570994c9fc211df61730455bb5
SHA2562072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA51220d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478
-
Filesize
1.0MB
MD5bd31e94b4143c4ce49c17d3af46bcad0
SHA1f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
Filesize
1.1MB
-
Filesize
72KB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
2.9MB
-
Filesize
32KB
-
Filesize
1.1MB
-
Filesize
2.9MB
-
Filesize
1.1MB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
72KB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
72KB
-
Filesize
32KB
-
Filesize
1.1MB
-
Filesize
1.1MB