Analysis
-
max time kernel
149s -
max time network
154s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
-
submitted
22-12-2024 10:49
General
-
Target
JaffaCakes118_30b68e9f2ddb960e1cf7c748ead08563a022fdb8739a576756c865d30cf5e873.exe
-
Size
1.3MB
-
MD5
4863cdeebfb31c9244ceb72bccb1a8e4
-
SHA1
e67bf6bf27afbdfdd2e6308257cc3da5ebcef644
-
SHA256
30b68e9f2ddb960e1cf7c748ead08563a022fdb8739a576756c865d30cf5e873
-
SHA512
f9d7e87b15f4d3fca33a6c28088da3e9266187be70d75c7972cafec620792cf839ae988078d81d441c4a13c5c5cf52a6f32605c54ded525bd9d014f8f43be764
-
SSDEEP
24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 42 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
DCRat payload 7 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 15 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Executes dropped EXE 10 IoCs
-
Loads dropped DLL 2 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs
-
Drops file in Program Files directory 11 IoCs
-
Drops file in Windows directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Scheduled Task/Job: Scheduled Task 1 TTPs 42 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 33 IoCs
-
Suspicious use of AdjustPrivilegeToken 25 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_30b68e9f2ddb960e1cf7c748ead08563a022fdb8739a576756c865d30cf5e873.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_30b68e9f2ddb960e1cf7c748ead08563a022fdb8739a576756c865d30cf5e873.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\providercommon\1zu9dW.bat" "3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\providercommon\DllCommonsvc.exe"C:\providercommon\DllCommonsvc.exe"4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Media Player\Media Renderer\DllCommonsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\lsass.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\Microsoft\cmd.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Idle.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\addins\sppsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\Idle.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\smss.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Photo Viewer\ja-JP\WMIADAP.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Local Settings\csrss.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\Idle.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\OSPPSVC.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\explorer.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\services.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Downloads\explorer.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bEEn8NKmBo.bat"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:26⤵
-
-
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Idle.exe"C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Idle.exe"6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\o09MCfWrWU.bat"7⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:28⤵
-
-
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Idle.exe"C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Idle.exe"8⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gW6qUMg8Bu.bat"9⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:210⤵
-
-
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Idle.exe"C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Idle.exe"10⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uSow6ZWML2.bat"11⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:212⤵
-
-
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Idle.exe"C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Idle.exe"12⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4Tm0GxqeGU.bat"13⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:214⤵
-
-
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Idle.exe"C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Idle.exe"14⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eQ9EwglUAP.bat"15⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:216⤵
-
-
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Idle.exe"C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Idle.exe"16⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Myoa8e0eVV.bat"17⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:218⤵
-
-
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Idle.exe"C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Idle.exe"18⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NHYDEKme3A.bat"19⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:220⤵
-
-
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Idle.exe"C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Idle.exe"20⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QOz0umrEhM.bat"21⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:222⤵
-
-
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Idle.exe"C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Idle.exe"22⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\z3bbUpz34c.bat"23⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:224⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Media Player\Media Renderer\DllCommonsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\Media Renderer\DllCommonsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Media Player\Media Renderer\DllCommonsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Program Files\Uninstall Information\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Program Files\Uninstall Information\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Reference Assemblies\Microsoft\cmd.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Reference Assemblies\Microsoft\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Idle.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Windows\addins\sppsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\addins\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Windows\addins\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\Idle.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Default User\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Photo Viewer\ja-JP\WMIADAP.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\ja-JP\WMIADAP.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Photo Viewer\ja-JP\WMIADAP.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Local Settings\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default\Local Settings\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Local Settings\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\providercommon\Idle.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\OSPPSVC.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\explorer.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\services.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Downloads\explorer.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Default\Downloads\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Downloads\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
342B
MD58b02441d6db0c37e31408ccad3973116
SHA164501891a6e792f1f6ac67192659c41076bc3213
SHA2567b182a6df479ecdd853bc222fd5cf6b525e168a463aa0b823dad0402068e3cf6
SHA512a4bdd27fa3c3310213e98c971e4cb7f0de2d2cdf003a5a34952666c58ecc04dfa73598b435be6efaa125925c14eb3527c45947fba80e4877ec06335b95561a51
-
Filesize
342B
MD5bf897f4cdfc0034f2c7ec6fbf5102306
SHA13fe3eb596736ce92b29ca052ba5af8633dfab57a
SHA2560fa8be0a95e8c40afa2a0f7ec6c00fcb9a0fd67f5980cf7e18640e00c7e8ea98
SHA5129c12ff6ce18b511d46ce9c1331dec1519b98aa591893ba617944289cd313f17658749c9efde89bb31b435acea3884b454d2de0b22b78f0a43508c6d31229fe96
-
Filesize
342B
MD5ed086eb2976e06742cae05567a0d70f7
SHA1babe3efd913b271680a042f6befa1a52eeb79168
SHA256585da92ca4cd8d0def578e521988e5abb5b1055a78a2174ce0772e4688b7adf6
SHA51227c91acdc1dabe3cfa3c878a36f0fde08cd4b457b2423eb34423ae255c772d3742dfbd908a25a85d46c6120d524332f075b3ea74877490aa4db9c72b1630c2d8
-
Filesize
342B
MD51f8ac167601dfee3b5e31bfac62b7ba4
SHA11245209350758cafe96dfde0458e1f6b0b5f0ac4
SHA2563328b0cfbdd044ea95698bb7bd6cc6b7fb1b1de5497214a85194e5e9c9c71f60
SHA51217efa5c0138e7175bb754629501a6aa3533163e22733936cc5ffef396b9786b9624d8ce776118ce0e08907d03ad16019b2e06ae46e90f7c07ea05afb43fb1bda
-
Filesize
342B
MD593db83ab202d3d875d06791babe90e9c
SHA11f8d4f3fad7f64cff006eff0575d73ff9904c85c
SHA256348f16121f16eb822aae03257fa81cdc64a29490d6aaaf0eeb41af80157b95c9
SHA51222f04f4a69d660603efd7a1c385de33fb818ebd016f2e1dc376b582891c5cf528b73d390887983fa5b7a4ced904d7510ac604684d0dc530ce35d1c5ee82e0176
-
Filesize
342B
MD5cd9f54f47d078d6bcf4803fdc243529e
SHA1a13a98ee58f66aeff8b4df97546b1aeab11b3504
SHA256858e5f1b1700542ce3fa48b1ec0ff9918434070b5acf2e3a80aa778f77a4c811
SHA51238d022950963f843f431b63dfd9b2b7aa4fff0ca7cc8e2a531dd7553f57fd1d97a1547d63395bd42d340e4370210cf46eb1c84ea834e3ae20819df6fb2c4fa17
-
Filesize
342B
MD522b44b9b874368057d3eada05d68712e
SHA14823ea85030bcd6d32864038a8d1427eb35fd276
SHA2561b64ee7e05129c8ec4842a88dcae2f27d496bab59f4fb5d18ad408edb05f4b24
SHA51280aa44a6726b885f38f79c86ced808cd8abf3a3e17608a544cea1696c9deaa4b7195580fb976daeaff73283145fa067fff1fcaede7c64ef49b5c81975165174b
-
Filesize
342B
MD5b9ba47ee909561731679cb18c101e515
SHA13753ba4137e50a7f00e7492163af3f7cdae3006f
SHA2564226404ee87fbb3127df61fc74339dae85e8dace02c4f9fff559f297365482a8
SHA512cdf85f392d6f65cf688aeae634cd478330328c6a11fb4b1ef2f82a32aa5a9a5a1740621a9a3b44d547f949b9806e82cf03311b61deca6e52b4a33d670d919f27
-
Filesize
236B
MD51fce25ca8c1b233062f79eefe79a059e
SHA1001208eb26345c6b10325fd2b3ae36bafb4f6eac
SHA256282ee69ce336f398a37549f488479927caca3808b66736cc87ffef0b17bf9533
SHA5129b2817e41d952e9c49f3e5f800382a00ae1b7f482316e8622a70f3e53b710052f61019e646473cb58f46fad889b06f713c9879e1e52857da614a014e25debabf
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
236B
MD5454a4d46d740a7713d979942bf17a519
SHA1d764103a4931e4446cd9365ef37fa8a9aace371b
SHA2560befe6881369507cf0493e4fb39202f7b2cdc5250ed2a086bfdd277bd831df7b
SHA512cddf0aafff09cd0825b7048187e84b27e266beef88735ae5ed39b5e0b01a9534ccc85d806b8887d1fbc65fd2b4d176ded62a89910ab2e618ce957974fe331c79
-
Filesize
236B
MD51237825e11ef08625eeea006e57c8b0e
SHA128b4bdb672239726212cbd25600f9ba46d484e4d
SHA2565d904f5e61679f6a1f0cfbbecbe60aa04440a288803c5ab91b06228fb36efb0d
SHA51216405af1d1e3f9abf9a4d0216c376d29b80b3348a160eddbf48575ab39f483b58bcabfb12c0371dec910979d3f600dd2cd7e6db41c85fa88520a556b06057625
-
Filesize
236B
MD5ae5be00199f088d35d73b0d76b528316
SHA1afc23f2c721365916f1cc3acafc4748546b6087b
SHA256ad1e1a7ba44dfcc44a5cf21219fc09e4c07ebe4834d5b4ce88ae714fa27aacfe
SHA5128a944a543994d9b8f3055f79757cdb00ee2b573c5bda8ed992a0af5867927fe214f9b7dc75d05295dd17484cc7e133ada7492ec45bb16818d208298c3462cb5e
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
236B
MD52960954cc03e203188a0fdd059bd52de
SHA144ed273067b647a1d4f8da4305a4d55fa2240e29
SHA256ee111732fd8a78bab6efabe4abf5ab2adadff341aeeae99c03e1358a003f5d85
SHA512a411488c32824b4ecc304394f42d26d7da1af63c46a3e8501f805e40879df84c1a89293e89c82da392ca066040ccec0810b3351728713566f2cd2b83fb162fd4
-
Filesize
236B
MD55d589bac4ede651b78c7b594a4772cf0
SHA1f3b6d37d58e8ad0927231b1f9573013cc467a759
SHA2561dd8eae51492485a8ff898fbc57b5c6adb220d50d7fe159d6135377ca8ad0e02
SHA5126070100fd92a9b3d22d9a7115d8664e957916d3763fbe364d1336b0e2c5f450b47f9a97f0fa2ead85a8d30feeda93d4ae19d6cd03401e24724704fbb35a3b702
-
Filesize
236B
MD57892c3da382222dc0bfd8e181ad5c64a
SHA1299301e0949b9826a2f4899e595aed6172f4bf81
SHA2568f247b633cecc26629f1d3409a0b8ce9af5f0481fbd808099afe5c299714ce8b
SHA51265e70a847df063358e15e81e8f26a543b689d77ae6031de3c8f079ee849c8b271dfe2191f3c4b7ec5d11a9537c909aab8eb82bcb1ad90c1ef1a6518e415dcb4f
-
Filesize
236B
MD561bdb5a453be490f1dcf124b76a29758
SHA151fd8c47df9cfbde81dde12db7c0ebe38ca57636
SHA256b75e1f147b6a1bd70e2e3ab9485d90da38c5ab20353910baf00d3f1dc607e7ad
SHA5123a9caf4fef0b1d2383a67728549df5dbd1b70d5a888719362fe3d4245e9745299950dae95b62923e5004f2e5d7283002909412a4230b92381a6d21f6159111e2
-
Filesize
236B
MD56b7e1f3a66a668967926784b9892ffa2
SHA19f90d85e00be5b9359d44bc03c0be07a4209cb1f
SHA256658fc1aac8d3ac61d9ef85e8e983ec633926ae9c480b381196cbe6d1ed3f5653
SHA512a89bc3f23b768d8f24da0fd0a6cb1a6fddf84ebacdfd1972796d3e799883b9da5c5a1904578112f27de4a5a35980a6b2b2041ac76aa88548bc57140d79597520
-
Filesize
236B
MD52b66095ef63df40eaffa560841743c63
SHA1b63181bac5da237657a1bfa29ec4d0ab33fdf83d
SHA256d59ad91b88c2daecc1e6f735c0e2a4442b454e0e97ac2478c7840475462f51c8
SHA512a96032d91d6433c597baac008d39e1d53c9545e6cc70da042947e5b450a2fe93b76cb4b5e9cc049e7132ffe20993e545aa7b98f90d71eb0f03f8e2dbb4bb197d
-
Filesize
7KB
MD5d4da39e064eb1b7f94a2bf9f08dc82b5
SHA1d642567f7f002f647ad626a99bc167eaf71958e9
SHA2560b3cc225fe1a2a86ae4cfc61f3f3180464e8dfeb8db1ad9ce85380409f5660de
SHA5124c3d64e061eb3e12bc487c7db2c1536d7f99ae94392f0a69b53ac4c0b0786e948936053d9550839d9198d1700dd338453fed835ee8c8333ce11a4ad200c3cb55
-
Filesize
36B
MD56783c3ee07c7d151ceac57f1f9c8bed7
SHA117468f98f95bf504cc1f83c49e49a78526b3ea03
SHA2568ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8
-
Filesize
197B
MD58088241160261560a02c84025d107592
SHA1083121f7027557570994c9fc211df61730455bb5
SHA2562072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA51220d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478
-
Filesize
1.0MB
MD5bd31e94b4143c4ce49c17d3af46bcad0
SHA1f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
72KB
-
Filesize
2.9MB
-
Filesize
32KB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
72KB
-
Filesize
48KB
-
Filesize
1.1MB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
1.1MB