Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
22/12/2024, 10:21
General
-
Target
JaffaCakes118_c530651992861ff9373019aee43d4e9d94cb8c5d628cdd5add5cb63051e4f480.exe
-
Size
1.3MB
-
MD5
e1f40c28bc5266fdf08cdc39d1e3bb58
-
SHA1
9af79ee9c0871bf7db82099ffac4ac82a01b7e96
-
SHA256
c530651992861ff9373019aee43d4e9d94cb8c5d628cdd5add5cb63051e4f480
-
SHA512
bd4972131aa8094b7ea1b55bde4f51568045fc66ff2e13e4c54a6526624a6032ff38b8e2b59846c14de0b5dd4ed3464f0c238010cae3b2a70eda3de4a17eb81d
-
SSDEEP
24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 33 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
DCRat payload 9 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Executes dropped EXE 11 IoCs
-
Loads dropped DLL 2 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs
-
Drops file in Program Files directory 11 IoCs
-
Drops file in Windows directory 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Scheduled Task/Job: Scheduled Task 1 TTPs 33 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 23 IoCs
-
Suspicious use of AdjustPrivilegeToken 23 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c530651992861ff9373019aee43d4e9d94cb8c5d628cdd5add5cb63051e4f480.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c530651992861ff9373019aee43d4e9d94cb8c5d628cdd5add5cb63051e4f480.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\providercommon\1zu9dW.bat" "3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\providercommon\DllCommonsvc.exe"C:\providercommon\DllCommonsvc.exe"4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Media Player\spoolsv.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\ja-JP\services.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Vss\Writers\System\dwm.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\dllhost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\csrss.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\TAPI\spoolsv.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\lsm.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\dllhost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Uninstall Information\services.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\WmiPrvSE.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8okcwczJrd.bat"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:26⤵
-
-
C:\Program Files (x86)\Uninstall Information\services.exe"C:\Program Files (x86)\Uninstall Information\services.exe"6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CMv1BFFgLz.bat"7⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:28⤵
-
-
C:\Program Files (x86)\Uninstall Information\services.exe"C:\Program Files (x86)\Uninstall Information\services.exe"8⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EqBdbgL5Ji.bat"9⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:210⤵
-
-
C:\Program Files (x86)\Uninstall Information\services.exe"C:\Program Files (x86)\Uninstall Information\services.exe"10⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LabqbH8bfv.bat"11⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:212⤵
-
-
C:\Program Files (x86)\Uninstall Information\services.exe"C:\Program Files (x86)\Uninstall Information\services.exe"12⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EVfp7xrD4G.bat"13⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:214⤵
-
-
C:\Program Files (x86)\Uninstall Information\services.exe"C:\Program Files (x86)\Uninstall Information\services.exe"14⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\P6ENo64DAh.bat"15⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:216⤵
-
-
C:\Program Files (x86)\Uninstall Information\services.exe"C:\Program Files (x86)\Uninstall Information\services.exe"16⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\19YD2Vui68.bat"17⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:218⤵
-
-
C:\Program Files (x86)\Uninstall Information\services.exe"C:\Program Files (x86)\Uninstall Information\services.exe"18⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xdvgpfy6bM.bat"19⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:220⤵
-
-
C:\Program Files (x86)\Uninstall Information\services.exe"C:\Program Files (x86)\Uninstall Information\services.exe"20⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gN51JOWfNX.bat"21⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:222⤵
-
-
C:\Program Files (x86)\Uninstall Information\services.exe"C:\Program Files (x86)\Uninstall Information\services.exe"22⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zAqEIlSfAD.bat"23⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:224⤵
-
-
C:\Program Files (x86)\Uninstall Information\services.exe"C:\Program Files (x86)\Uninstall Information\services.exe"24⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bo4ZIAkpMj.bat"25⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:226⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Media Player\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Media Player\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Mail\ja-JP\services.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\ja-JP\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Mail\ja-JP\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Windows\Vss\Writers\System\dwm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\Vss\Writers\System\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Windows\Vss\Writers\System\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Windows\TAPI\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\TAPI\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Windows\TAPI\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\lsm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Uninstall Information\services.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Uninstall Information\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\WmiPrvSE.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\providercommon\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
342B
MD509cc68e9afb418ec6f335bdf5468df55
SHA1fec0288fc0f262ec618d62a1508cf726fe37efd1
SHA256e2af9e8d6fc670d080b40df756345e4320d3a1367663ee555997c74bbb58eff4
SHA5128c089a5adaa737d1b85e6279db0fb0945cc19e6d802d84086673c1eaba69085c4f615002c1e4e741fff1fb829b69334095e0db6f0440c1b03f21e027e30fb6f4
-
Filesize
342B
MD524d81123d1b533f70e2b64d3fc9e3013
SHA1d432feeeb36c2a8eed2bfadf0b6e7eb4ab4ea4a2
SHA256922f7c9cf8e77a729ef3a2ace4f493e2c3716b7453cc8776e1839afc54634925
SHA512e32a66a1735d261020d1facc0ca02ce59b475f47591cf32eca1005e5a3952fbf5983c8042bac3198f51d46b6074d3c174f624680c25cded50ccfdaeda6f56c02
-
Filesize
342B
MD5219dc1e4177ada389c543798fb476099
SHA1c0fbf476daacdc29eab78e30b05f75dded9dc01e
SHA2561c3c933575e8cba25cd9b89f651b559bcfda5e248d31a7ce2f6f9770fcccc133
SHA512508e041686194a9a5a778d84956edb2dbefe7fd6cee53ca6c493f453fdcde6ce0f3200c30fe4e10645ed69d1730d61105012c8bafc3eb49fe4286dfa6a11130d
-
Filesize
342B
MD52c6a11a8c58d23bb9273b5dce366d976
SHA19106decc454f88afb8d16886f4d054b0b6ee5a3c
SHA256228603217bde0103ad8d36f3bce8cd39c031eba7a7d28713eb100e2ad74c5b5c
SHA51239d9f315744623d292ab057030c8d1232a38bfc1831f9f4ab57bf34f7b46d1b09479baeee66b626056a9507c662c6855c53a5a49d580805bd0a6e909e69398ef
-
Filesize
342B
MD5e5d7320fea610db2b3200ce25cae4a08
SHA1727a5c87b0d864de3769e255c662881fa749f43e
SHA2568e36acf999c5dcce4bfe7cb51cd0cc8be5ae57d4616505e4e2571be5ce4ff892
SHA51249c2f10c3296f0a5e117d90e6bbb14f5f455f881a78d13d5823012d501709e8dd0d522f5e723ef8bd071da19bb8f879fa39642aaf7fe539e91ab4222ce9e06e1
-
Filesize
342B
MD57d5915944e240118bfe1fc17e53c54a6
SHA10d8060e63c5a2f0afdae1cbcf5e1bcc06bd38d06
SHA256d90f6d2fd54fae3066ab9104423d181e61459154b28c37889c19c3201911abc6
SHA512bb54e8cab4405b70709ce301aaacd13f6d8b706425ce8de3a285d29c009efbc621b2baceabc9dadaa4b5eec41b15ff527d2d24b8b91191b0d347f9d6458b2074
-
Filesize
342B
MD5ef3d56b72f64a66c8078bddbb5244f86
SHA142a9a3441839bbbd2df76862ca95117b7a352c12
SHA25636cb4d6f6925cfe3206faafc395e3a20cc12fbb7e59db538cc5bef67cbfd0f72
SHA512c100eb79c79dec45ad407fee1f9ecd3fd9ff2939e65f1aa389e2d6973249fe3377ce15348c51d4789667cc80c99fddafae7f9eea1f27da909c2aff2eb8fda872
-
Filesize
342B
MD5343d5f58863279b9844b5d23235abf3c
SHA160bcebb32c4abf93af39af0eff55270590a09fc6
SHA2565f056a5739d1e4f989d6064156822251ab3254f8ab4fc187dfd1f69919edfc01
SHA5122c021263ebd8d1a6a769c0e03703661314adfee07bf893c64804aae44f02e6598bf00f930572b8579212d232d5cbacb928eece7f1fe39e5236922031b326c468
-
Filesize
342B
MD58b1a15077193be2f4704499af364e958
SHA1f26d2796e3e8073144e2a09c058fd9f937d13829
SHA2564e4c7412cb851035323645d7fc1c57bda16f4cefaf1951bd97a2c3fae6ae476e
SHA512b4345d958a714df5f52d039ea53163231b248bc0c996151695eaf9f56aa5dc4269304b36227fe2c5544351c6eab49e4a74a625c385326e83fe9ba2960e621ff0
-
Filesize
222B
MD504a680421bbdfc3ead38768e0cd144c3
SHA175e641ba4c4574c97964ca6f1747f3363a2fbd7b
SHA2563dab23f755a329c23c70fd4263cbff45b2d129745587214ec59ce649d391fc1d
SHA5121904505406a3ca8d6246508503fb9d96016a493b6243a4bc7a992232bea4dfab1795a9e666c82c7ea483b9e8b7808548eb832ca026eaa18aa8e7f31f7c9eef01
-
Filesize
222B
MD5b5d5cc43284dbf4d6a2a496e3ca43760
SHA146f1692882e550c7f0051706b9fc687aa2484b51
SHA256a89e2252a451ea78e631dc5228603c8b22a68e761f8cefc37b5895679ddafeeb
SHA512322f61c38620222e9d1221642614b29640f395fe4fe2ff08c796300db7301118eef64a58bafc6efe2609f31db66f2c5eea246cb2027ba8ca9e53e689a1335d2b
-
Filesize
222B
MD5184bd67ea5f95d3752060904011745cd
SHA1e916612d11b2711562aff3f3b6a0c353ee16ad23
SHA256311a996dd104f46b3e0a4096704217e6ecf30258e850f5fc4a26be1a0eb01a45
SHA512883fc1480c52774dabb1bf5716185d03981b0a130d355ba46452fec509a730a729e6ffbe06ac72700ed81dc3ab493920a60348d5f693b25ae5e9fb3893c127de
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
222B
MD5967ac50015a25692155c6980c13adc62
SHA1aab7a56e2a0ece83907f30f6826a97ee603ff25d
SHA256a0b48cbcbf90c06f12ed4e2a535d2977b3f7e473e25f696e6353c522a93f75ed
SHA512aab87fe6b6a038f27369047019e6937611ce75fc79ed2c45ebdd5d3dfad32782b85ee5d33b9042a80c111fcc14b2b2af17e9be57aba34c511221616b66c7dc59
-
Filesize
222B
MD5ea4a64da65fdda7fe7829e25ea71977b
SHA18e47343889720ed86485702978898ae4029cab42
SHA256f6b95822b8ba29db1d41b16c9388a9f6c83750b06acb3ec588c0b2ea2538cec6
SHA512f8d8a5aae51769f51ba6f9f9844c2d7771a5dd16a7affab9c54e5e06aba5b509675c72ef79d927313fa59be758d48ec3aa39ac554fc57832bc62635b341f569b
-
Filesize
222B
MD5cfd44bf86b25c22ddeec81deeee1c92d
SHA1f8e2ad86a7c81a7f3808cf00671fb7a6455e299c
SHA256fac94423a919bd83bbadea965c6687f1285d9ce768f4d6f6bb8fed66e38cdaa3
SHA5126880ac5210cede8513afb1b49c0917d025f73f44b79f41d80718b8e78475b63898acaa60d8a30970de2b79d65becad6862218c42cfd4c42cef07249decdc3b2a
-
Filesize
222B
MD59e619f62f3dba3cffd91186253d5b0ee
SHA1f829f234564f1e85799f8698ea1294c30225606c
SHA25675fdd7ae07ab91faf0ec7f8d19726374ed1dc3502543e0237699a0fe99028655
SHA512880942d35684ebfa50e254891c49e6dd586492d75b37af552b6767dd035b0b1e7e514dbc63accf924c71c8f5f0790d024f5c79a827a2807e1899f40bc90f9fae
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
222B
MD593165150c5e1fba2c49bdcc8d34a0899
SHA1d29c5010373cbf17c3144472bbf6e36a6e18dda5
SHA2566d4a531cfb6b5dbd68378f70564170fef90b024220d672d3977e0d3a778dff88
SHA512fd51973aff4837c2894e47f40b74a908d9a69f18593257ea4f653012449a5e3e81fb58a33935b3dad97987407aa6e633b6681063ebc8fb944fdb55057b891852
-
Filesize
222B
MD5354bc1e653f2f9cb8abfc812149ecc26
SHA18b9f2122111f23fae98331550bfff72edb65e989
SHA25642058ab2c934e549d4d7f6c6d070761bfecd5dad32ac0608259793fa6fcad594
SHA5129c3653d336a972c87caa5ef35aa8f4f2541b5ac0d77f5dcba70df50ce44be8faac8af08f9d9f4ff17ebdff8e26b1a86953be6d35c4a7b9cf2d29915cc37d51d4
-
Filesize
222B
MD5324e4b03dc5767efd0835477aba11350
SHA1f91da70db68f32f99c6dcfb6a4e6cd456eb63be9
SHA2564b22d648e89dc3fa3b287e386eb16c882fed6b95c5582659c22b42d0d1e155ff
SHA51230416fef94578e19d94908e3069f971e58af1f24eae9659e8a56f74da6226eb8f332f09c1a06dc6471e90a906a591d3a86e08a3eddbcf864fa90f40146562ae8
-
Filesize
222B
MD566b1570aa7167defd39243b79b5a7a88
SHA1a24396531a1b08d9d184d33df363267e5f437f7b
SHA2566b78a5b038cd8a5d217ff3cd3387458e2612a81cfbd917ab2b51b1b53925add8
SHA5122eb18d4c084ddcee80d5f8e6867c8e40f1fbe71e106cc810efb6c9db07fe3d6cc041d86820def69ba7ff5d1f061919aa9620a948e51216483fdc95b053c727f4
-
Filesize
7KB
MD5d413f61e23dfff7b50f221691d6f64d6
SHA1d6dde9c75d8500d747c65d851aad3e35ac752be8
SHA25612f4ff16ca586dadd1a0ab4ce9d9e043659cfd9ae31062744212d3a230fe583d
SHA5123d4482a6168a79bc987c62ccddb0f8ff0b3c7ac570ab2fafc2417b085962d11a7fc0a3f15053422628abc7927fa4abb79533cdfa6a9013e04c294c7b4ba93ad2
-
Filesize
36B
MD56783c3ee07c7d151ceac57f1f9c8bed7
SHA117468f98f95bf504cc1f83c49e49a78526b3ea03
SHA2568ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8
-
Filesize
197B
MD58088241160261560a02c84025d107592
SHA1083121f7027557570994c9fc211df61730455bb5
SHA2562072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA51220d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478
-
Filesize
1.0MB
MD5bd31e94b4143c4ce49c17d3af46bcad0
SHA1f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
Filesize
1.1MB
-
Filesize
72KB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
72KB
-
Filesize
1.1MB
-
Filesize
2.9MB
-
Filesize
32KB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
72KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
72KB
-
Filesize
1.1MB
-
Filesize
1.1MB