Analysis
-
max time kernel
146s -
max time network
142s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
22-12-2024 11:25
General
-
Target
JaffaCakes118_6bbccf17aa51ce9f5a6d0118509cf6143ef98e44f42e2c3c5fc5076c2caa7225.exe
-
Size
1.3MB
-
MD5
01b6f94735723cdc7fb235d4014c467f
-
SHA1
0b1e73e0a71b13fe8e124bfca00ca0575c0e19e7
-
SHA256
6bbccf17aa51ce9f5a6d0118509cf6143ef98e44f42e2c3c5fc5076c2caa7225
-
SHA512
9bff84c869f84abcaf6471a65a07017347d69ffcbdc74fa873a9b14b82d5bd5aead77845e7f5e335cd10ff028edb1f6ff2077a8cb268a196cc056c8da67b830e
-
SSDEEP
24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 48 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
DCRat payload 5 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 17 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Executes dropped EXE 11 IoCs
-
Loads dropped DLL 2 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs
-
Drops file in Program Files directory 12 IoCs
-
Drops file in Windows directory 7 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Scheduled Task/Job: Scheduled Task 1 TTPs 48 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 32 IoCs
-
Suspicious use of AdjustPrivilegeToken 28 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6bbccf17aa51ce9f5a6d0118509cf6143ef98e44f42e2c3c5fc5076c2caa7225.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6bbccf17aa51ce9f5a6d0118509cf6143ef98e44f42e2c3c5fc5076c2caa7225.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\providercommon\1zu9dW.bat" "3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\providercommon\DllCommonsvc.exe"C:\providercommon\DllCommonsvc.exe"4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\it-IT\lsm.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\conhost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Help\Windows\fr-FR\DllCommonsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\taskhost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\spoolsv.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\smss.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\DllCommonsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\TableTextService\ja-JP\conhost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\system\sppsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Internet Explorer\es-ES\Idle.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\services.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Favorites\Windows Live\System.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\dllhost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Photo Viewer\en-US\wininit.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\taskhost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\taskhost.exe"C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\taskhost.exe"5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pCY6B1XXru.bat"6⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:27⤵
-
-
C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\taskhost.exe"C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\taskhost.exe"7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OS3CX563UF.bat"8⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:29⤵
-
-
C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\taskhost.exe"C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\taskhost.exe"9⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MKE9IzBoeI.bat"10⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:211⤵
-
-
C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\taskhost.exe"C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\taskhost.exe"11⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ounU5LkXKE.bat"12⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:213⤵
-
-
C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\taskhost.exe"C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\taskhost.exe"13⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\arqkgCRh4V.bat"14⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:215⤵
-
-
C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\taskhost.exe"C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\taskhost.exe"15⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3a8tNGcxSj.bat"16⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:217⤵
-
-
C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\taskhost.exe"C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\taskhost.exe"17⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\or7X1gMNi7.bat"18⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:219⤵
-
-
C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\taskhost.exe"C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\taskhost.exe"19⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vIn8vbLsXf.bat"20⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:221⤵
-
-
C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\taskhost.exe"C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\taskhost.exe"21⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BAWHCtE00Z.bat"22⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:223⤵
-
-
C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\taskhost.exe"C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\taskhost.exe"23⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Windows\it-IT\lsm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\it-IT\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Windows\it-IT\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\conhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 13 /tr "'C:\Windows\Help\Windows\fr-FR\DllCommonsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Windows\Help\Windows\fr-FR\DllCommonsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 14 /tr "'C:\Windows\Help\Windows\fr-FR\DllCommonsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\taskhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\providercommon\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\DllCommonsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\DllCommonsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\DllCommonsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\ja-JP\conhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\ja-JP\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\ja-JP\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Windows\system\sppsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\system\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Windows\system\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Program Files\Internet Explorer\es-ES\Idle.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\es-ES\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Program Files\Internet Explorer\es-ES\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\services.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Favorites\Windows Live\System.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Admin\Favorites\Windows Live\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Favorites\Windows Live\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Photo Viewer\en-US\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\en-US\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Photo Viewer\en-US\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\taskhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
342B
MD5f94cfb810e15380060ad5e04a95fed59
SHA11080718be40baa5bace93e9acaf01242ba6dc8e1
SHA256920e59b81ce16c0831aa3ab569508711c2048079e972ba7e40f5a0b743c7460a
SHA51246cdb55d6cdad252effe18c34c2b9572908b9d4f8c527324ba6a1b2741efb1eef6406428835117afc2fdf80b26139ad863b465c1277d54c140a25cd5c74d102a
-
Filesize
342B
MD519a42a41c718a238ed592a61ce3d3273
SHA1c9e41dc753bffe59fb2e9396b622b13fa444019b
SHA256fd5779cacf5bac6981c5aeb6cf2fffc462ad7f9ac287fdca44a48047167c5868
SHA512c1af0d2b35bcf74bdb3f3009f241c256d43abc3acf9cb758196fc0ea8cec6b3a8189b1f23fef7859161b8f04498b1091d517bca1c0306774469c41bc898bc0dc
-
Filesize
342B
MD599dd27c8b11e27d2a726be15c5f83052
SHA13b7113a0c5e72f35bf9c382c1791f26524d52503
SHA2566e6efacdd3d052cd12829ee51193bfe42a515c68baeb7ee2f52127f9a9be3eb6
SHA512c56d7ba76668b8058f6a702dd96d32b4e5ce4f2206edeb7b2e04f440af10535f314f22614924b56f7756800bc9da5744f7281607d2f9dd8a8b3581d5aa94bc71
-
Filesize
342B
MD50dfb8264d13f22390dc8a3f9e6f65cb2
SHA14180ddd807fd2ec396fd183619d721e433f1c37d
SHA256740fbca1ca6f77472d6c9934442b18ce9bd44104c12e6258b37a33bfaf32f5c7
SHA5128a25bed22822c2685032ab10fefadd6a1be9b157a54e5001b5a97c0a0c858d98bb10d184565f7a2285afd581335ac491a0bbffdd6a240d94f43c408e4082bbb9
-
Filesize
342B
MD5110d3a8a06e3fd57e5dc73c90c2d4949
SHA1261e1c611f9ebf2f7912823b0ae3ba06544f8f56
SHA25614b5773a31d7e99c5849d01cefbdae53cb3744a0fedc09686bc066c857391a12
SHA51230b20d6b9280e84441c11c78d0914e1e89d5ca36f2912d4115c576a7072d801978299e6a3ed0b631351468da8aa63dfc759a416d5dadd5abb3168148359bbf56
-
Filesize
342B
MD5fad6b3538c156ce86ef19fe2e62b8283
SHA158bef0065252644444fc2c62b98a912918cadc92
SHA256b6159686e599c0f7071848e0faaf28be6eecc951accfbc356d5ad4ccadaf17ff
SHA512fdd2680a63e0295a7f8f7fd1214316287787ecf043d94353fa9b329c47252334af184366d875331c52b0a5b2399209e47596f2430e4733ef6a46edc14c208e5f
-
Filesize
342B
MD5d57bc56a961c2f6781d63cfaf768d9a0
SHA12b8375603e2cec3bd1d4453092083b1290ea7bd5
SHA256017c952d59c3fa00c769b120b325b2c2f5c4be9a439a90c34cb5529cc02bb030
SHA512c6314032ab5946521618a6225389b283f73c8ed9a83a266b3281aafa0e85c49a4f8f82f1acfc23b0e650ed9db507769f3bf8b753c6b4886c670c8f0f0a9478e5
-
Filesize
342B
MD5c5493f58d5090854a0e751aa0521becf
SHA1fac83cf7c78df6568d4b669c5eef2b18f74ac598
SHA256789fed3fb04274fe5fa2475353449220fb1e9ec5003b5f7c0dd27a0e1f685565
SHA5129d308c17b0f57005eb6ec0f9d6eaffdf813fccf5ae78b785c9569e5adf38793e57ce2f627333607871621f66a599717ac7a42199bfb0604b820bc780da543231
-
Filesize
252B
MD51a73e795f27dc5492f2bbcc8988e0d9c
SHA1e9985874ad4e315367a7cbb5f394383efd66d654
SHA25663b7d7e1ed2ca81786b8aab7b3f6d876be2379254ce42de6d583b91d68c43ac3
SHA512ae105937da45d7c9cc37716e40ecc4c8e8a1a0a5a940d45750221f3b85d7b85151c8790f1ff171442f4ca736112e16434cb5cc3356d6cb64b4a2f58e2f4992d1
-
Filesize
252B
MD57e4bd87a30fcd912359c6cbe6e698ea4
SHA1b12356e653d9b9b4a9b64cf349ad4a826199b4be
SHA2561b560c009f70b3958eda9ef73b1ae63d7c7bd865ade8d5433f105d3422ee4997
SHA5124ea721e04969a10858546b30c19b825e52f0a077cb8c6f5ced5fb7f5edbcfd131e6851cc01cc9062a72acc4aa805e03bef7ab8121401a8e165e3df497848b14a
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
252B
MD54666bea97a12f4411c12f37d1be67eae
SHA115d5fc53f5c4ff9672428e33ae1e0dae4e08511b
SHA25610c95a8292a212316cbc9b587d9f5c47156fb892fa8d2364c3aae7313a15cafd
SHA51267560343ea8b3f369d2332f6de397e4db5964855eda08bdf640aff352ec43c4d4f847eefb0a69775318e16e74b2754211dce227ae60f6a56a4ed683eb19ebe9e
-
Filesize
252B
MD52f7936797269770cbbc8b915d03c9aea
SHA1d7f1f473f9f16211d379c15b5d183d6f886da02d
SHA2567c7c951cfc7b3b9554429e6d4897959b5f9436f71a4dc7c96698242ac6d4fa75
SHA512e2f6ea89fea66c771b25f0eb9c7be6a175b771f73add67189b3adbb2afee950ad5eebd88104fad89fe5df76424ed020a72c6bdd0ee30dda45b99ee99132fd80a
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
252B
MD58104639095fea5e1ab6541cd3d462257
SHA16bf4ed4d505447bad23037d254ded9b0d97fbfaf
SHA2563b6a9f393ebaac6c3598ba27e2ff4a3eac5f59e68fd36f14360c5b33cb6cba7c
SHA512ee47bb931afecd98c36a55eb209b46464c2565592135604b7b0504a8f695384ad921c1db53f2cf8add5fdfc0dcb486f1f36bcba8df8569870fdf73b8b7e8801e
-
Filesize
252B
MD5cad7d520b4b20905bdef7eb99e2b7f56
SHA1403087d1ddce02b584d148e520e865abd87e3454
SHA25670a76e189935e900e48f38bb73ff511bec27608935685ae196db42fa6f2dc370
SHA512c0526b87f44ada76a1baa25865f5ea4d7b89ffe31f4110445cfdde6c72368d6b3e9a1495e0fc5593248b269bcd40fdf7dba71355bdbbdc99b280d581816e9a56
-
Filesize
252B
MD585e5173037fab7891f2478bf9cbfacd5
SHA11372a092ce6a080b51f0b2adfef16085e1efd56f
SHA256eb25565f51f3e6087a25d9aae177510ee6c488059908a5058e1d04018671ee11
SHA51279ad4800a245daa69f08ac95ef913bcb86b493ab2c5ae3314d2b8d5bf5768a7a7801bb220f1b5ccc25970109dcf4fa429c2730c45851bd37f639c7942edf1a8c
-
Filesize
252B
MD5a30c4524d5db6432c30e68d3e4497ff6
SHA1771abc6927fde78500268b4030ac48033671ffe1
SHA256345bc5aa03670a9f7015f66926cd9ba856b6cfbdd3f38fe822c24f5f13a34d3c
SHA512de8e8aba835c3683f356160fd999f0f8229d02b1225ab880a6d91216f82abaaca75a16500ad799d7870cc02f41a0240f66e38e4ac62cbb252bacb5eac5a4a71e
-
Filesize
252B
MD52d161a5fdcc51748ef7451f4521c8350
SHA176e66f2d5c6230da8f152c0cc69414605ad93e60
SHA2562be5df756e535ec4eb0e3c7ce8b49f687f85853453ab8af124e4280c56dc12ba
SHA512c6b05d07e537df89988a99f187292878e3a05d00d4192eabbd0e6546ed4f1ac135ddab566a58f7fa718f3f602f33ad367e12527965d20d3f147c3b9458197ce5
-
Filesize
7KB
MD52fb0fd23c7e7e9120bf676b72f5ce787
SHA1e7fdad14a14f06e4d055d0cb4663084f69347833
SHA2568ac93b848eae3221bf2b48ee632e6ee5d3607f40d5ece3d0dafec3b35a8b9915
SHA5122304641ff9ed698dc232b5bf66412ba011c89e5dcf22ba2c629684214633641149a12753a3e45c542593872f91bf50d75a67795541e118f666bfce3b5201620a
-
Filesize
36B
MD56783c3ee07c7d151ceac57f1f9c8bed7
SHA117468f98f95bf504cc1f83c49e49a78526b3ea03
SHA2568ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8
-
Filesize
197B
MD58088241160261560a02c84025d107592
SHA1083121f7027557570994c9fc211df61730455bb5
SHA2562072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA51220d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478
-
Filesize
1.0MB
MD5bd31e94b4143c4ce49c17d3af46bcad0
SHA1f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
Filesize
72KB
-
Filesize
2.9MB
-
Filesize
32KB
-
Filesize
72KB
-
Filesize
1.1MB
-
Filesize
72KB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
72KB
-
Filesize
1.1MB
-
Filesize
72KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
48KB