Analysis
-
max time kernel
148s -
max time network
154s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
-
submitted
22-12-2024 21:06
General
-
Target
JaffaCakes118_4fb66be620b0cbfae69a637d0db6a20350b0d3ba6130c90ad3cdb9271a6533c6.exe
-
Size
1.3MB
-
MD5
b2c330870e8128a21afe19f04960ae12
-
SHA1
057fddf14ab9c77a7cad4f31c4a36fec34274fb9
-
SHA256
4fb66be620b0cbfae69a637d0db6a20350b0d3ba6130c90ad3cdb9271a6533c6
-
SHA512
832bca36157c63f0cd2d0f2c515ef69a7bf7cad33b007366407331474625bf5144d0374649b036f7ae75cca626b56d656919a47fc8afa1bc8457ffc88bc92b7a
-
SSDEEP
24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 33 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
DCRat payload 10 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Executes dropped EXE 11 IoCs
-
Loads dropped DLL 2 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs
-
Drops file in Program Files directory 10 IoCs
-
Drops file in Windows directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Scheduled Task/Job: Scheduled Task 1 TTPs 33 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 23 IoCs
-
Suspicious use of AdjustPrivilegeToken 23 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4fb66be620b0cbfae69a637d0db6a20350b0d3ba6130c90ad3cdb9271a6533c6.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4fb66be620b0cbfae69a637d0db6a20350b0d3ba6130c90ad3cdb9271a6533c6.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\providercommon\1zu9dW.bat" "3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\providercommon\DllCommonsvc.exe"C:\providercommon\DllCommonsvc.exe"4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\en-US\sppsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\wininit.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Tasks\services.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\sppsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\DllCommonsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\taskhost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\jre7\bin\WMIADAP.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Photo Viewer\ja-JP\DllCommonsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\spoolsv.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\sppsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\System.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Program Files\Windows Photo Viewer\ja-JP\DllCommonsvc.exe"C:\Program Files\Windows Photo Viewer\ja-JP\DllCommonsvc.exe"5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2RP5SY0RjS.bat"6⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:27⤵
-
-
C:\Program Files\Windows Photo Viewer\ja-JP\DllCommonsvc.exe"C:\Program Files\Windows Photo Viewer\ja-JP\DllCommonsvc.exe"7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8OW3hmLaVA.bat"8⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:29⤵
-
-
C:\Program Files\Windows Photo Viewer\ja-JP\DllCommonsvc.exe"C:\Program Files\Windows Photo Viewer\ja-JP\DllCommonsvc.exe"9⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HcCr6nEVp7.bat"10⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:211⤵
-
-
C:\Program Files\Windows Photo Viewer\ja-JP\DllCommonsvc.exe"C:\Program Files\Windows Photo Viewer\ja-JP\DllCommonsvc.exe"11⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MXvuXcjR4o.bat"12⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:213⤵
-
-
C:\Program Files\Windows Photo Viewer\ja-JP\DllCommonsvc.exe"C:\Program Files\Windows Photo Viewer\ja-JP\DllCommonsvc.exe"13⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\h9TWO8Gj4g.bat"14⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:215⤵
-
-
C:\Program Files\Windows Photo Viewer\ja-JP\DllCommonsvc.exe"C:\Program Files\Windows Photo Viewer\ja-JP\DllCommonsvc.exe"15⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Jlvf1Vq2YP.bat"16⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:217⤵
-
-
C:\Program Files\Windows Photo Viewer\ja-JP\DllCommonsvc.exe"C:\Program Files\Windows Photo Viewer\ja-JP\DllCommonsvc.exe"17⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dk6czFnjgV.bat"18⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:219⤵
-
-
C:\Program Files\Windows Photo Viewer\ja-JP\DllCommonsvc.exe"C:\Program Files\Windows Photo Viewer\ja-JP\DllCommonsvc.exe"19⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uxMZkGAiOs.bat"20⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:221⤵
-
-
C:\Program Files\Windows Photo Viewer\ja-JP\DllCommonsvc.exe"C:\Program Files\Windows Photo Viewer\ja-JP\DllCommonsvc.exe"21⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZES4mQr7Bk.bat"22⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:223⤵
-
-
C:\Program Files\Windows Photo Viewer\ja-JP\DllCommonsvc.exe"C:\Program Files\Windows Photo Viewer\ja-JP\DllCommonsvc.exe"23⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Mail\en-US\sppsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\en-US\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Mail\en-US\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Windows\Tasks\services.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\Tasks\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Windows\Tasks\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\sppsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Default User\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft.NET\DllCommonsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\DllCommonsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft.NET\DllCommonsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\taskhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 14 /tr "'C:\Program Files\Java\jre7\bin\WMIADAP.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Program Files\Java\jre7\bin\WMIADAP.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 5 /tr "'C:\Program Files\Java\jre7\bin\WMIADAP.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Photo Viewer\ja-JP\DllCommonsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\ja-JP\DllCommonsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Photo Viewer\ja-JP\DllCommonsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\providercommon\sppsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\providercommon\System.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
342B
MD57416f3126296dcd15de199ce86ab4a28
SHA17ec68bd8ec9371bd2060fe61760c5901b40a8335
SHA2569b364aa8b727d09bef5505716c3abd055e151b2288c30a8beda90b3b894eed27
SHA5124161cd21010aa5a81c1490037092dde96f86fd72fd266c505ace296ad6a15ab402696afa86195723555a35cf90eec0c60bcdda7b6b6ddeb3af876c843809a3cf
-
Filesize
342B
MD5c079769373d58e3e5c713462c32e220e
SHA1ab9250919f5b20520146154191a3e1da3cbfe686
SHA256f7338af6b936d5e8946f280649b37a824727e2e6f72ed9bdbf16479761eca7f7
SHA512bab6f26455637a273255b31d41d467117b69c947c526fb24b60f738f4b1fb58ee7c7b19739bb375432321caf5b543d20c17007368a1642b30e89a21ec0cb12fd
-
Filesize
342B
MD5216f0697b8ec7efd5f335ad005fab8b7
SHA15764067539971b2183cf2b4804ca1117c055c69f
SHA256996b949851c2650d890a374c1609c0921052a7dfd9b4354a829e12b6962846d1
SHA512350574e4155c4e17d50b2f0b9ca8ca2af0aca2d766b9186fe1b1e8970ac6da52567ae2d1d73cd52852a5605fcc3a8956c7c12d0a37381535667d3f31d0a0aa88
-
Filesize
342B
MD5050bfc499e6b2389dd43bfb61312290a
SHA1f338fb5857df2a3d3323bd850809d24f0f93fee0
SHA2569dc6ccf7a7950d0a1ab31c3934d777ba32f11d3b18cad6507a154aa6b5572baf
SHA5122506e012a402c4caedd326ee7c82a49130605e2ff7aeee2c211a22cfc56d8fc52529acb8642c2bb7bf6b35700ddc2566e7804c3bed958a9bbdf4e3c2e7d0875f
-
Filesize
342B
MD519bd54e6d1e58dbb5a0a53cc51a76b04
SHA1b8560ed2117ceac906864f85c0d4c3d1506cbb90
SHA256cc35fd74533dd8973bec5a2a2baf48fc58a0bc800467fd2858366e16b7a8bdfe
SHA512aebe0e1e2ca6b10cce99b0c144bdb92c1885549bb649a155f852ec8be0448b5b8ac375c29d74e304ad9cc6de7a551390fa88f3c8f0c9f27b444297d9aed06df0
-
Filesize
342B
MD55bb401708eacbe5e0058dfad9eac1cda
SHA1fe35bf0dc81997672a5a895b68e65a8c7cfeb463
SHA2566b1ef178c706bdcdd8f2c4a4dc5be2cc3e75e3d0ad351d5fdaa5f2a8b8bab88c
SHA5123f755246578ee084248df2fee4aa7d547393de96678e15e4b2885e2c715cd7ee1224328caaece53613ef89acb2d3c17129d7b83059aad441c632c8ce0aca774e
-
Filesize
342B
MD5087ead33c612eaa4f87eb0a156a4f3fa
SHA1f48035568b6baac05008f75210576fbee026f851
SHA25695425b4a5517b2c574c997d09fe0c8e171929feeb6e3f2f92972ebbb68d5601f
SHA512f8284f0ff2c3c27d23120204bc23e1002dee0a3bef3c88b999c3eafff4c5776ddaa1bb5cda7ca57b9d29ea6223fb9a817d6863366e399b28d344c5cca73e7a31
-
Filesize
342B
MD5457f5b590f9205aff6f1e3551cc51a8d
SHA1b663eced2f76f48a0b059d35599f665cf2660a1b
SHA256115d11e57579644ea237843f1fc06c80bc56638313b02ec59cd4f4b5a58718ab
SHA512d975296d7740fd30cc02082d3b7e052830bb706c5c545d8136b48acae6b7998bd96c7c1bb1c7d3db8c4dcaf86fe6f2c929c27cc8db2c56473310ed9648c774d2
-
Filesize
225B
MD5e8fe065ad4e514e45bce429d47fa744d
SHA10d1910d013c94942e16a00751cb833cb511f80c8
SHA256483329576bc7dcbd481241eb3bc439b549c14c2685baaafc7b193b45da54e10b
SHA51276f0b169a3106f164369ff90e34cafebb70a4d8846bf16339baaa1edd9f0bc5ae64cf2270c4d0fb875ea8132110e97488872b7c5962105e6071188ef23e14a79
-
Filesize
225B
MD59a1b01c41e77a76cad5e01cbb179a034
SHA1dd72e1b826606852ebd115abe476cb5af2cd4097
SHA2561d7eb4e8194b8e0b69d53525bbb60152f11cbc8ab5f85cedc1a5cae057bd0556
SHA51238e8c99ad8b58ae00bef6b02649e4baf347ef79638baeb0f37c14604b473af8583710d175f28b96bb053525202ab3f060aa94fe5de2dd6f0c47f08f9f116b73a
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
225B
MD57f2d302b16014616913ec4d2f81d005f
SHA1f494288dfd42f9ee8a9664ebcdcf3b8a5c94cec8
SHA2564910f2c470459d46f761cd55c3f80549a3e6c0792fe9d07a3c5dddb728a0d52f
SHA5127100a4734a0da25d400bb26881a6c1afe6fb1fc00b7567b4ac4d8e1a08d95d717513fc932b7718acb2fb84a380eefc7f6e5f41c40e2f551e6fdab36401ace6fd
-
Filesize
225B
MD5b8056730f95bc18792b0884bf838a4ee
SHA129585246664b356c0a2d7b8908691a4d11081dac
SHA25694100ad18b4ed979fc200a2719207f639717f2109607cc82dfb9418975a20d27
SHA512ba2f641cf85b2370e94d0eaf2d82a6bd9f8adcc32a4524cca13863d6870d5736500b07884f0517c61747d544a77e0a1a1bddcc029e7994b35c8815a078e0ddbe
-
Filesize
225B
MD5e83e84827deca7dcf3114123d113c49c
SHA13f5537aba24a4f0d7d2498fe44cd195ad8d713ce
SHA256259f1d273d5235a8232c31c784469425db92ca0b241e975b270c343c1f1ca26a
SHA5127bb4df81ae65af296de826581fcb97eae79a76057bfac4f217a775c0cf88f61643885d21336fbfb0ae4d24773cc6eae667d03662c1fbc225eefb51526b1a8e53
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
225B
MD52fb1e4348ce78c3efba0dd358c0457ce
SHA185c0cfe896eaa1463c041ccc6d18b1868230bd2a
SHA256e5cb67e596d693863216fa70a6d7fef301fe1b1da8176bb9eeb765a49961899e
SHA51275ad635e397954ee5c3269bd398d80a73b440bf567f983a907731b3e836a2f9db5a98cf9e10ed55d5810ec656b1907097aef69fe9639214f762b99d72b1d9485
-
Filesize
225B
MD599dd3a6ac21727ed9bfe00fc6ec72dae
SHA138ac13cba371344a85cee6e16ef1c67c86001d82
SHA25679e8b8db294377e014200fc56997c1d43d358ec4bde43e2d2ca48bb2a1e56742
SHA512e3b9d4becd6594ef1bf166aafa4a75039cb6c5fe3052bb1fca5cb6415599263c226c4c3316da30516448c585ef69516fd6dedb2f2697ffd58cb5f2fb8419a07d
-
Filesize
225B
MD5643401368dec643e1e04e6787d89a185
SHA16de0ba002017a9a32e8ca6970924fe840bfee00d
SHA25691420e4033cc0ac95d14046abeafbe71bd151c38eb4d077a704e8b5a4870634e
SHA512e3b3767c9a5f308561936f0d8b749989720572eb7d49512919612bbcd09a7d03cf2a639473595aa1f972459530ff28e99cd595cd2585ebdb2712d33054361a18
-
Filesize
225B
MD55b2d0a36209a73308b6eafd687a78659
SHA14b6783822f7517094dac112bc7291d3666069d41
SHA256d7e01e03fe7a96d1f75dfae3472c4940d24d2812d6ef99ac10302f5610c5d20d
SHA512265698e87dd2aeaca414a03ad332fd00d50bca1e811aea3e5e2f25dbcaa1ed47d61ff4ea74b23325a9e093459c3e8218f5826aa5eb1ba6c78bb29a557490702f
-
Filesize
7KB
MD5f3e74d0cbd1735922471b6494276b8d1
SHA1891152217d4eba500545724e1fc6bd47c8ae5141
SHA256bb6fdaf17706d9349875340f9a3d86e0e2ec765976ff010f59b5f1f2144342da
SHA5125648cb265d71ef7c44159d77f2221c9546f3d2114971d340707e88b8ad5907b5883545d36648257285877bb75d04785b880321b5d253588a1723c2e4715fdae2
-
Filesize
36B
MD56783c3ee07c7d151ceac57f1f9c8bed7
SHA117468f98f95bf504cc1f83c49e49a78526b3ea03
SHA2568ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8
-
Filesize
197B
MD58088241160261560a02c84025d107592
SHA1083121f7027557570994c9fc211df61730455bb5
SHA2562072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA51220d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478
-
Filesize
1.0MB
MD5bd31e94b4143c4ce49c17d3af46bcad0
SHA1f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
1.1MB
-
Filesize
32KB
-
Filesize
2.9MB
-
Filesize
48KB
-
Filesize
1.1MB
-
Filesize
72KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
72KB
-
Filesize
1.1MB
-
Filesize
72KB