Analysis
-
max time kernel
150s -
max time network
145s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
-
submitted
22-12-2024 09:12
General
-
Target
JaffaCakes118_f00adb90778b2f88c4e615a7024bc64c8039437f51e00027fec532d1f61680e4.exe
-
Size
1.3MB
-
MD5
3ade70d0bcbe87ce8e66cb6417f9f922
-
SHA1
8e24a3bdfb5a06ea841391b1da4e71769048c2b0
-
SHA256
f00adb90778b2f88c4e615a7024bc64c8039437f51e00027fec532d1f61680e4
-
SHA512
15663a11217472c6c2c488d57bf17608408794e3f394fefe12b789a2c0f76061cb57f4514b1516638c79fd87bc954201501564843ee23450d16d18f129640eef
-
SSDEEP
24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 54 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
DCRat payload 13 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 19 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Executes dropped EXE 12 IoCs
-
Loads dropped DLL 2 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs
-
Drops file in Program Files directory 14 IoCs
-
Drops file in Windows directory 5 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Scheduled Task/Job: Scheduled Task 1 TTPs 54 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 31 IoCs
-
Suspicious use of AdjustPrivilegeToken 31 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f00adb90778b2f88c4e615a7024bc64c8039437f51e00027fec532d1f61680e4.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f00adb90778b2f88c4e615a7024bc64c8039437f51e00027fec532d1f61680e4.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\providercommon\1zu9dW.bat" "3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\providercommon\DllCommonsvc.exe"C:\providercommon\DllCommonsvc.exe"4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\Idle.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\WmiPrvSE.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\System.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Registration\csrss.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\cmd.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Desktop\winlogon.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\OSPPSVC.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Photo Viewer\winlogon.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\explorer.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\L2Schemas\spoolsv.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dwm.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Visual Studio 8\csrss.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\spoolsv.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\dwm.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\spoolsv.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\csrss.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\fr-FR\WmiPrvSE.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\DVD Maker\de-DE\lsass.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Nst6gikYeE.bat"5⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:26⤵
-
-
C:\Users\Public\Desktop\winlogon.exe"C:\Users\Public\Desktop\winlogon.exe"6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bGwFtC02oQ.bat"7⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:28⤵
-
-
C:\Users\Public\Desktop\winlogon.exe"C:\Users\Public\Desktop\winlogon.exe"8⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\G2aNa3Lme8.bat"9⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:210⤵
-
-
C:\Users\Public\Desktop\winlogon.exe"C:\Users\Public\Desktop\winlogon.exe"10⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FIx4sKIZfl.bat"11⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:212⤵
-
-
C:\Users\Public\Desktop\winlogon.exe"C:\Users\Public\Desktop\winlogon.exe"12⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat"13⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:214⤵
-
-
C:\Users\Public\Desktop\winlogon.exe"C:\Users\Public\Desktop\winlogon.exe"14⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uSuCPwp4Rh.bat"15⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:216⤵
-
-
C:\Users\Public\Desktop\winlogon.exe"C:\Users\Public\Desktop\winlogon.exe"16⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yyRUJOSyqo.bat"17⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:218⤵
-
-
C:\Users\Public\Desktop\winlogon.exe"C:\Users\Public\Desktop\winlogon.exe"18⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\W3ML2JPNvQ.bat"19⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:220⤵
-
-
C:\Users\Public\Desktop\winlogon.exe"C:\Users\Public\Desktop\winlogon.exe"20⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\z7AIE64VZ5.bat"21⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:222⤵
-
-
C:\Users\Public\Desktop\winlogon.exe"C:\Users\Public\Desktop\winlogon.exe"22⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xEvQv3iUx6.bat"23⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:224⤵
-
-
C:\Users\Public\Desktop\winlogon.exe"C:\Users\Public\Desktop\winlogon.exe"24⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\msQYHxuKnC.bat"25⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:226⤵
-
-
C:\Users\Public\Desktop\winlogon.exe"C:\Users\Public\Desktop\winlogon.exe"26⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\Idle.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\WmiPrvSE.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Portable Devices\System.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Portable Devices\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Windows\Registration\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Registration\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Windows\Registration\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Uninstall Information\cmd.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Uninstall Information\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Desktop\winlogon.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Public\Desktop\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Desktop\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\OSPPSVC.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\MSOCache\All Users\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Photo Viewer\winlogon.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Photo Viewer\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\providercommon\explorer.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Windows\L2Schemas\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\L2Schemas\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Windows\L2Schemas\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\providercommon\dwm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Program Files\Microsoft Office\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Office\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\dwm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\providercommon\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Mail\fr-FR\WmiPrvSE.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\fr-FR\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Mail\fr-FR\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Program Files\DVD Maker\de-DE\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\de-DE\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Program Files\DVD Maker\de-DE\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
342B
MD5f7b51ec29f1777c4e3af3d095f7b958e
SHA1a035cdb2a8aa4805485dc90de332050ad363f7f4
SHA256d3976f11bfe652d5ba3495531fbb12e7a869d479217c942fbab24c8d31ccba78
SHA512ce95aff114b53cef30041a87c8fe488c9f73abc8f000cbe16da3b9e002f076329bb7df06cc1ee18570834a88796078ea2e333afb8a7cda394e4d0747b5a09f87
-
Filesize
342B
MD58a321182a1b77210ce00702910c0f2b2
SHA1257f1312c39f936b4407e31244f5aac3ed69ce96
SHA256fe649cf96bb55da56d7a9608c4aaff5a3a31e2a90d844bb8acdfafb7057fb0be
SHA5120e5d0623324eebe621e7dcdea6e04cb3668a45cb215dc5acfaf6aba88b2d0834c9093b014077b410f6bbca1163dd7b57ffda3288eb6c7c6a6549e2ddbd589fab
-
Filesize
342B
MD57b710f93ec9560614772e6c3acc8fe48
SHA184c3302700252e2ade6605d853a7e49a7103dc37
SHA256054c636cebf13aaabc1a0f7c824411c5b4adaea93b7c22df31162bc5b9dc1cc1
SHA512a59ffba460ce274b83d9bd64a01670eb07a0993c0b9db8dbfaa897df870b5ccd66995c2129064c5e76a5ec12868fe5fb944245282ea986a931bbc89bd62ac40a
-
Filesize
342B
MD5cad5fedad2bde846cec3f53a588ce1ca
SHA1b345324b7e6d65fd8ffee36a4bcaa207fbf609c4
SHA256643ad28cc0baf0af9b764e67bac0f99bba38f9ba0cd928d6d4ef5fc396c49f1d
SHA512f293d94b97ad1c3ffc4191a7ffc11ef7793ff0b804661254a40feb528a918147692cb30fe1fdf547c2d4e6835be543525d5e305b72132f814fa10f2bbefef7ee
-
Filesize
342B
MD5e0f735015d98ccf96fac3b664dc0ed2e
SHA148f936a4922757cc1f3a97561997938036e1fda5
SHA256197ae7f1aa824d6cb368342109aa06d95b5e015c70865c9b1e00d6d2a5d9900c
SHA5122de7dd77b7b304cc84bf87c386ed7cd23aa963da0588bf9d40cf9bbb39df7c54ad56e0c4bd4e0c4f35011b7b64da3527311101bdf912a0a21be1b9fe412f278a
-
Filesize
342B
MD5006142be3f3789e29266bfdc6fc04874
SHA1e8c1a036cfd980c2458b3bdbd6167ff0a57559ea
SHA256ed1affbd1d4932dde18d86f6db5fd2c25f38c690d9610589b8ff90d82536512d
SHA512d024cc161012cbfef5e8909bb1d5cf51bd849791258f5445ff1a68cda16f534a19b59acab5cd45a8a95ba1e670640cc8cadd8b3ebc01aed3a04c2a6b0d6ae027
-
Filesize
342B
MD54565a2ae7dcb0c916deb01aaf167d170
SHA1a9569d3d79c0a4e46d0d037f70b89d1ae498428b
SHA2565091b170e3933f7c6dfa93c1a48210a3a7109b444dea250b8dc36d06bfca0415
SHA51245b77ab906fc3522d203e2d6346719d24f418d3a15c9c0cc8dff8bda5e8353311703449292ed653a698f79cf3bdb160c6ffcc4d30574c82ad64aa03fe4458e78
-
Filesize
342B
MD5a89fb441c07d12f0a96b4227ccb7ab0a
SHA19cd12de7d6ca743ede00e825710c0e94d26d81c4
SHA25631395355d206cb2401930744de86d2c99a0a0b30d3ba14719b51e2065890d353
SHA5128b666cb7212006a79cb1240789acce7c372f3e5682e83932a4f0c3aa177829101806f0a65cd88b3fbe0c6c0b83b69446884ddcdacd6a2eb5119d0d2f70be3330
-
Filesize
342B
MD591169dd5d5de0beda4c2c668f9c3e4cb
SHA11cac445932f28c8be5b026f40252df92f149c46e
SHA256002503a102099698794c8e2c6470a112af853158bedf3adae6b5c48d54ad20a3
SHA51278d5dd0615c1079c65b6b252170b78aa6ba317a12de6b34b24cf98dc1d6d31954771ef34ce5fecb72b97dcc872f478945b4435bbbc71d7a214e503e057d19ac1
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
201B
MD5261103b5dfeb4cc285d6b1432416e248
SHA1e67ff459bfbee09ba1e4138ce3bec4170126929a
SHA256802ceea60df83f667dbabc59d9536ca8e294103425e495c91397247a5d65f32e
SHA51296a8ffd061218f5558e17e8e1a2c48e518adb7bea9e41f4872ae47c9b62db9cc3948bca26f75efb81626d9a3e843273599e85777d2f6b482ed56aa065c152844
-
Filesize
201B
MD5c149eefebb955ff0b6ff75df646ee0dd
SHA169aee965600d38f05490c4df892af4ab132640e6
SHA25650f21f9852b8da157bd1a7ebcf30fc09d4159fcafbfa79de057eb7d55a21a346
SHA5122aff4360045f3aad1027079746e8f83e2140917d21364205235cc0d235dd4956d810afe1bcc089d6e0da16bd1d698c2d3471282e21515f261f37f2ab57d0e239
-
Filesize
201B
MD5fe44b64354e68c6bb7de730a6e40a938
SHA1305322d67e6915907a3d2aafffc6742882ea7cd5
SHA2565eb57ea06f7fa3955322928a2e7ce5cbd3418845cc97aac66c39c2ebf5cb6b45
SHA51279d6a43bee84142e757e55d1d88582a4e05ef162d8b817c942b210577abef69594a9d220bf6ffa9125f9b928f888b19e902987fab7d76c1f3ae76335551dbc38
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
201B
MD5bb6db06948773ae19903d25f2d381b87
SHA1c1a626473815623819c052c2635b016607ddfb99
SHA256c24248ff9ebccb16d7cd474483c120f976809ce87042c3f93e59f9195c4c0983
SHA5129ea606761599cf667f6745185b5610534c7c82da30c253db263b42cee2bb70aaa2c04b41fd3b3d802f3c154b9e9e60a1574eafdb345eead83ff055125f054376
-
Filesize
201B
MD581675a3ca6b7fd700de5c9f6c5941785
SHA195f34e6c0106890185d5cfc5d6c6178d30004e0c
SHA2565643b3d113178214f1b9d23e7b672cd1644808fcc7f359d95765fbdbab3f4fd9
SHA512277f6364abe4a8dfd565e70f107128dbd4d32af2d7b0aeb273d847e418cc4b34e225ed20576d488211b2f8490df4e682c478c58adaec5522b56d11f4572ef1b1
-
Filesize
201B
MD575ba1e67e21c051771721c14df5dabcc
SHA19ec190166d00aec1e0c8342219188cd078b46338
SHA2566738b6a6091e007591a37f8b520d4aa99d645a99d45c8e855b3c094dc8411bf5
SHA512ffcdbc3e59fcb3102c097db8ed61af9500fcc5e020cfb79ad59c82863ed9a8386117772a5752c2bd8cbeca28c609d190ee8e497c6902de565d3b808b0f684ff0
-
Filesize
201B
MD5be9472c03aa2b40909309e95db859a79
SHA1675c0c7540e1a40523258294da7018e3c46b733e
SHA2563e1429ca8eddda06dc37c8e833596f865c4590e787314af20c06e9694e4328b9
SHA512eb26616eba371ec76eb69b7257fdc65beb2308398b901dcd1cfe7d1ab74c3a6d9e1782bf4a682f7c5f509f1b1a3360336894a4082632f2fb984e904424bd0a4e
-
Filesize
201B
MD5b3ae035a9883ffa36d9b61b0651095dd
SHA1eb859d0be85fc22c78a49682ee7d04f67a583b28
SHA2563d5ac097d496f1167879755bf9ca997703cb155d8bb2011dc08c109550b59c5a
SHA512a70c5648bd343c4741adcc1dc6eb7c31b716ec74ec7dc0bce2dde4d39ebbd819b9d1a511fdfe984f38933284e5d580d6bbe19ac7b8a0e248e54c535e304a9e33
-
Filesize
201B
MD516238825dba4b6132be4c3299871610a
SHA11876fa2291ec6baf3e6b460b3415452258a57bba
SHA2563d149c8924965e484bc2760702675d877eee126679efc32e812b3e6ba9000b8a
SHA51257329de0f704e4a23b09a55db97bdae1f973080915c7ea7ddf318ad57d4057f57300311cdd05541fc303207f3a8bf6d97680aeb19dd20f3d18f03f721691502b
-
Filesize
201B
MD51232f8b94174fb5b46481c170cc03675
SHA16ac7e57247c9a86815b35a4f7c4cfca73b701848
SHA256c2406d40c2360e17c756d45aacd384a86f9928e647a2d0de6bdbbd289e4abb57
SHA51225fb9735a25eaf11545c7b83f6f69516924e137cd91616817502ad7cd2268105468deb788f3fa581aa563bcb29d7b7342ba64a3c2523e9ed9be8bffc753d363e
-
Filesize
201B
MD592174319377914dd453054fb2ad5bfc2
SHA1d3d5e3ef1b78585fc35735bf2722801e9304d7dd
SHA256de42d7c5fc1d59c3c198a6d25a689a1400f160ed5b7cdb1d26c2e606aefea7b8
SHA51251b41be2b2310892538e04322ffd3f5e3ef4bb4ea112529bd0affd624e3ed19a08a01fc130218874fa4a36a2f667aa7b31d2dbe53eddb408589f4d0eedf4ed92
-
Filesize
7KB
MD540c6b0134cf69a8ada8478519730b1cb
SHA14bb514b2e216a278838468d57c70c6dc8c564a4e
SHA25684eb913cada8014f9debb4dd9e54828fc674362d1b036621468d2d28ae43e074
SHA5121074963bf6e2449645c0b51f10fb6f7a1b27dc165315f00b8ad0c335b7a1919113b77048fc33d687d1c1c2df393b6b8e6d341cebea44a1c192e7a093a5d71a64
-
Filesize
36B
MD56783c3ee07c7d151ceac57f1f9c8bed7
SHA117468f98f95bf504cc1f83c49e49a78526b3ea03
SHA2568ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8
-
Filesize
197B
MD58088241160261560a02c84025d107592
SHA1083121f7027557570994c9fc211df61730455bb5
SHA2562072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA51220d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478
-
Filesize
1.0MB
MD5bd31e94b4143c4ce49c17d3af46bcad0
SHA1f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
Filesize
72KB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
72KB
-
Filesize
1.1MB
-
Filesize
72KB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
32KB
-
Filesize
2.9MB
-
Filesize
1.1MB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
72KB
-
Filesize
48KB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB