Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
22-12-2024 08:03
General
-
Target
JaffaCakes118_1b80863be5527840c7421df1b931f12204b587a9a59600a1f4c44985f395ee81.exe
-
Size
1.3MB
-
MD5
ef2d84293582ab9fe44dd725612367ce
-
SHA1
6b928e8f8bfe708e19d60b27a12d7ff33b4d8c89
-
SHA256
1b80863be5527840c7421df1b931f12204b587a9a59600a1f4c44985f395ee81
-
SHA512
28141311608214f674e6a31eb10f0ccaafe4a0a29ed52563d342a4007726e5eba4ea75c2136f03d98df99432941c288922919cc873074a8634b84c9059fe16b0
-
SSDEEP
24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 45 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
DCRat payload 5 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 16 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Executes dropped EXE 12 IoCs
-
Loads dropped DLL 2 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs
-
Drops file in Program Files directory 13 IoCs
-
Drops file in Windows directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Scheduled Task/Job: Scheduled Task 1 TTPs 45 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 38 IoCs
-
Suspicious use of AdjustPrivilegeToken 28 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1b80863be5527840c7421df1b931f12204b587a9a59600a1f4c44985f395ee81.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1b80863be5527840c7421df1b931f12204b587a9a59600a1f4c44985f395ee81.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\providercommon\1zu9dW.bat" "3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\providercommon\DllCommonsvc.exe"C:\providercommon\DllCommonsvc.exe"4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Mozilla Firefox\fonts\conhost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\spoolsv.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\7-Zip\Lang\csrss.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\es-ES\cmd.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\explorer.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\explorer.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\jre7\bin\dtplugin\conhost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\sppsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\VLC\lua\sd\cmd.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\services.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\taskhost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\audiodg.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\logs\taskhost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\taskhost.exe"C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\taskhost.exe"5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\moqrXfpsIj.bat"6⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:27⤵
-
-
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\taskhost.exe"C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\taskhost.exe"7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\o09MCfWrWU.bat"8⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:29⤵
-
-
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\taskhost.exe"C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\taskhost.exe"9⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\avPRQTW9Zy.bat"10⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:211⤵
-
-
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\taskhost.exe"C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\taskhost.exe"11⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6Po3x2tXZG.bat"12⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:213⤵
-
-
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\taskhost.exe"C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\taskhost.exe"13⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yJyIm7wr5G.bat"14⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:215⤵
-
-
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\taskhost.exe"C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\taskhost.exe"15⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SQTB2Yz9K3.bat"16⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:217⤵
-
-
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\taskhost.exe"C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\taskhost.exe"17⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Gy1gqmGK9f.bat"18⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:219⤵
-
-
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\taskhost.exe"C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\taskhost.exe"19⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YpMZYQImRp.bat"20⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:221⤵
-
-
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\taskhost.exe"C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\taskhost.exe"21⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HfroAScfQF.bat"22⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:223⤵
-
-
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\taskhost.exe"C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\taskhost.exe"23⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LkcfmFI5TJ.bat"24⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:225⤵
-
-
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\taskhost.exe"C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\taskhost.exe"25⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Mozilla Firefox\fonts\conhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\fonts\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Mozilla Firefox\fonts\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files\7-Zip\Lang\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files\7-Zip\Lang\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Windows\es-ES\cmd.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\es-ES\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Windows\es-ES\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\explorer.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\providercommon\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Portable Devices\explorer.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Portable Devices\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Java\jre7\bin\dtplugin\conhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Java\jre7\bin\dtplugin\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Java\jre7\bin\dtplugin\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\providercommon\sppsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\Program Files\VideoLAN\VLC\lua\sd\cmd.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\lua\sd\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Program Files\VideoLAN\VLC\lua\sd\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\services.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\taskhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\audiodg.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\taskhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
342B
MD5971673ab394c0339475d104cf808980f
SHA1707059381a4223542373bb516ed2b9d1e922ef86
SHA2563b60db3b0c8b9eed0a88f250a1ea8b7139647c9a4b64da81c7bdb40cb970c19c
SHA51222dcc04f8e9d86b95bdb4abc752e12a3466cd8fdf341d51c294a765251669fbd38d09b1be1b1fdbca55ff760e1066d364b67108bacff9050a8cc2bdf6a143dce
-
Filesize
342B
MD5d5a7d35a11f31ab1f7443d7d57d17208
SHA1d2c6389caff4c8426e7c1d9355cc7cc7793d7aff
SHA25624d3d409ba91379ec89e2cab532192c100679a84698e286e92b2687798ffb276
SHA512bf4925f4566413918c089ec1aa241f76e03a51b15b75f288e6e3867486dd8731235c0809c8877c1a0b442b77651a65c832fe3f4bdcebaf0af0e51bfa7c6e71a0
-
Filesize
342B
MD5ee4292ba52eed29984ad96babdbd6364
SHA1a6b6bd3fc274f8b906898781ea693518ea798aec
SHA2562bb925b4ca8fb8022a00711bc87d3107c0cdcf9c4a855306248e6cef1f795ccc
SHA512b04939d0a86ccb098216c1791a9c8228e63527f5c3ba8206068013fd01cf0be84c8be06f3ab7c400eded46a653b3e6d0ef60fafb7b56c0c41f49541541006099
-
Filesize
342B
MD5ca33ebf8b56ae3cbfe4a5b8a0b25b67c
SHA18818c3190f8cff7891be2e7cb7b53dce3f0fba68
SHA256f8496fc8383754abd21f8a0ec0cdcc094bd16a8d97575581bbafc7dc97d252c2
SHA512a67b837c415228ddefa44ad9a987dd8dc7509331cded9afef89a95be5136aff740dc45b76b7766d85b5e6945dca84518637215c83f7e30bacd5adccf95cbb8fa
-
Filesize
342B
MD5a1c19bdac1904015c495fda66e6d4836
SHA1337535d6be3ee8ee63dd4b7c34f04a6870491756
SHA25654825934c73c7cacb78d00672f7b13ea1f9e8935539a93168cddaf6586e1272d
SHA512be5eba5cc78df51c893ede82e240de0b14616b327670acfd375e81fc36ef74a67e7f0906e5b304fbf0c31ce9d2a6b21e58d67f020f382ffc444408e001be0e15
-
Filesize
342B
MD5267398aafc0d579221caf5b0eaf4e618
SHA1eecd50104509c96062c12cb7fcd7c721aea72110
SHA256f88625f7905db29cbc269ca893dcdc9bd2d5b431c181ad6e26bc61c2668f46aa
SHA512d962a7d396ac72e5848e69f1e704768ea5b2fd10c9e7548806eed81b9871e9e791b140aedf0b00cf4a6fe9642efee21b083fd983f0d98d6f6e74bc9d3a7c0181
-
Filesize
342B
MD53999aa54834c20a948c343148dfbaa18
SHA192517032c232ace4753e262caccdc1a09a224680
SHA2562a38c1930874c22cbe574b48b218c71413852df139eafbc8698bc15b3c48ea81
SHA5124f58f05944aa4d7a0cbb812278e60d9f8369a7e0f87c69bd07254f0f2a0edf09af69ef5515b24e310fa1ec2706d01d7216dfa9e9e93e1abcee4964b9ba2379f9
-
Filesize
342B
MD5f1610079e3329b4a4c6de61e7422e9f7
SHA19fed4bea5b45eada297b2e820f990203007e92fe
SHA256998b0af112336ec5b0ad7fe9d897235f6e83df1786f758c525ae86bce298f180
SHA51265e3dafd7b0e041901eff586afc76c94d53cd51872c36d26ab5caac2cbbe20ce6de266b98e934181bb4c47f00542cead3ca2777059739dc44b989d26d8bb4b0e
-
Filesize
342B
MD5e42a5f23d3914f1614b80896553f097d
SHA14e270c4a420d18e2a34b34454da4e5a5dd662718
SHA256b63178b1c724b6575861e646a2b38fcef10558e5935df1f23a5315e9c80dd17c
SHA51289e030344c6e4639d7c5cddf99b1cd3f3793e4f8338d7c8585d820ccc2dd83f0360ea3c54da8cbbb43e8c0f0904f049b45ef590680b61276dbf86c5cc47eef61
-
Filesize
240B
MD53642dd309d07315378b1981591132e4e
SHA1e72ff02eb4ddd5b5ee61f9b32ffa6d817015ba82
SHA2567e8d878e18579fd15790afb6030fcb3391d9d9f11ee9cbc457d6428dd0970f7b
SHA5120920125ba3aa25cd032a62aa072df0a70527a380cc7dd6c0b6eab36fd8d70d20ade27d3a987a2cd19607b0ce0d36365dba11bfa8d2fb53c17629569726fb0576
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
240B
MD5425c14c71df1cf249bfbbf6e7abaaadb
SHA15e7f2c782a483e1ab2ee6095ef49d38a7586a831
SHA25646760ed85ac4890110600b97926d6e6fa67ef0f521bbb37a4f49692de7b30adf
SHA5122e20972f7a6bd72c0c069ff6f654b519444cc71d487a72b735978ab49dda3db49c9ee78199e61b4584789340ea1d2fc7eb33f96876b159ca7ee9f31c689746df
-
Filesize
240B
MD52cbebec80dc667932feed7ed12daab7c
SHA1dbe769f6934844f602a6ddd92edac43a05591b87
SHA256c5cb8efe28b0326c5002f906ed861e58208e8e8ca0d3c35ff63620345dbc1006
SHA512cbe87ba815f750edd19b026774e98790dd1c0b63112d7e86ae0caef982c48dd0b4f64446082e1411d18c1c87853a188450dee0ad2b2944817542b2f1233f710b
-
Filesize
240B
MD55501dd9f06d3a9ca10c0d81974bf4f72
SHA19c2213277e5363709c156b6fb6964c519d7f4fff
SHA2562100fb76554519cfe7c2a58070c75db52fa6a7aa18a408acd4ce85bfaea3e0b3
SHA5123362474ea1ef4a1d6d26a759a5f3da87e8b4c1090771cc485cbf0fc46f735d5a6e2085227a4dc28da7eedf5177130b556d14cc4f0083242bcb2373f8e9c285cd
-
Filesize
240B
MD57c3b1e008f980695a3b77e40c3378d07
SHA1892afebd49c274c38f9f00fd3e2e9e5420b3b4e1
SHA256c84ef2b81fedf370fd95e27f9abf7a36fb972f42e0e739e5b16c4bcd1db4977f
SHA5123d6c3f20b7494461987c7d3abe1fb6a324e6ce32479860cc6e6d46613965db817981e3a8fb052a654f28370d0a32cfc5930c854f5b288bbf284e281acc7ee1ff
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
240B
MD5592dd66c211031afde776be6f1ab3938
SHA1b42a4230114e3b61db9eaaf1f08f4eab5135860e
SHA256d04041a2141dbd2fd0b520bb960e4146b44b6bf41fef9c1fa4d53e759af94e12
SHA512a7de090d70eee6b0b1abca7019d683af2ae989bcd7cffd2f471f37b6cb831c1fd57f1b15e2344322c7723e040ed5923381433e33e6237321645884fe55c30527
-
Filesize
240B
MD53ff2d51132210843ee11df4bc51793c1
SHA14601d5e47f25478b8ca332fda79fae2023e9dd61
SHA2569a8a70bb503be540aed5fda2ea4d4bb78734137fa739ea91d35f3f425b3bd8f1
SHA5122bd230b0faf737fb391e236c58f567a80cf75ae992c8491b6a15bdd9aaf05e7c472c7a44825645ce4e96b5efb4ef39aefe2573eeae6a489591c34b886fd68b58
-
Filesize
240B
MD5f4713ed94ca6f5e000e4b33c03a06f3f
SHA15c99888ea4f1aa8d92290c8cf9a856fd854e61cf
SHA2568c2eaecbcef5ed32cd8afe6f1564e8781750b7eeecc78f69aca2c1aada1f69db
SHA51234c3a74fb9e70263170dfeb1285a28f6fadd3212eb7fcc1ab8bd6c23c0c709c47a806082c3a9f8e1613ba143579ce99d7c803c30fcf132d0a0f5316a1e30fc08
-
Filesize
240B
MD52e2445723f2722535d81adf1b803b94c
SHA18fbf92509aa8e9e0e76edc45d79a06a8072b9ac1
SHA256c781c95c37f223563d65edda85f88bf3f85d34cf9bc7d7624260911e02d100ba
SHA5122bdb85ea8ee3882127c1b5b04b7ad96e3427770c2c11d76b6557011315512beefdebca01cc2e4b798eaba07d97146b08dd6c844c4dc8d7064530915b9b3547d2
-
Filesize
240B
MD555cdb1050b92c1f3475b7609f4d00b81
SHA18e2a9d56d42d9c41cea4d72600768b86a6ad706c
SHA256f1874f3afc6a31b91deefd0aaf13e4be347c24ac067ae868c864ad4829058ed7
SHA512eab268dad158c86f2e1ec2c9c1218a61fc6390b5b3d0d1c6409125b47d6f011208d4f340005959128bcbef5185dbda527d1fae3f6b7861ddcb3d4ba53ef92835
-
Filesize
7KB
MD5e58677a9fb96dd2afcca9b6b83bb97d9
SHA1c58d9b8dcf9418042797be832b3dd6374e4848b4
SHA256fc94f713ef830c2572c75401e6d6e0417ed6fada5da58a98b3d389e2662ae58b
SHA512a886d252815ef60d410eecee3fb6d625de3ac57261fef85e8d8965a87182aca102d1804976e74eb41835fe91c576aede654b5170c4f25346dc9d2b893cfdaadb
-
Filesize
36B
MD56783c3ee07c7d151ceac57f1f9c8bed7
SHA117468f98f95bf504cc1f83c49e49a78526b3ea03
SHA2568ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8
-
Filesize
1.0MB
MD5bd31e94b4143c4ce49c17d3af46bcad0
SHA1f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
Filesize
197B
MD58088241160261560a02c84025d107592
SHA1083121f7027557570994c9fc211df61730455bb5
SHA2562072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA51220d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478
-
Filesize
2.9MB
-
Filesize
32KB
-
Filesize
72KB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
48KB
-
Filesize
72KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
1.1MB