Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
-
submitted
23-12-2024 12:48
General
-
Target
JaffaCakes118_3d6b0e170f00d2df0c905b0221b1905ee55077c740435c281d8fa6156b0e8627.exe
-
Size
1.3MB
-
MD5
726eb57e49f830c29c2b10251cd8b9d3
-
SHA1
07a74788ce656eabab1f9a0eeb581b7ac4214f2d
-
SHA256
3d6b0e170f00d2df0c905b0221b1905ee55077c740435c281d8fa6156b0e8627
-
SHA512
07efbaeaa70541fdd8bf66127aef4d525e66feb536b375b36b8d23b9c47262f7c4a2a16b33e2367bc3d69ac3739626f3f43ab3ed2f869b789d6ee95d718e6feb
-
SSDEEP
24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 33 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
DCRat payload 11 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Executes dropped EXE 11 IoCs
-
Loads dropped DLL 2 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs
-
Drops file in Program Files directory 8 IoCs
-
Drops file in Windows directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Scheduled Task/Job: Scheduled Task 1 TTPs 33 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 25 IoCs
-
Suspicious use of AdjustPrivilegeToken 23 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3d6b0e170f00d2df0c905b0221b1905ee55077c740435c281d8fa6156b0e8627.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3d6b0e170f00d2df0c905b0221b1905ee55077c740435c281d8fa6156b0e8627.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\providercommon\1zu9dW.bat" "3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\providercommon\DllCommonsvc.exe"C:\providercommon\DllCommonsvc.exe"4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Links\lsm.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\cmd.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\Microsoft\winlogon.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\dllhost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\DllCommonsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\conhost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Ease of Access Themes\wininit.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Media Player\it-IT\csrss.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\cmd.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\conhost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\dllhost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\Resources\Ease of Access Themes\wininit.exe"C:\Windows\Resources\Ease of Access Themes\wininit.exe"5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sSDDfDN1Wn.bat"6⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:27⤵
-
-
C:\Windows\Resources\Ease of Access Themes\wininit.exe"C:\Windows\Resources\Ease of Access Themes\wininit.exe"7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DJG58brWjr.bat"8⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:29⤵
-
-
C:\Windows\Resources\Ease of Access Themes\wininit.exe"C:\Windows\Resources\Ease of Access Themes\wininit.exe"9⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BikqvEHWfW.bat"10⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:211⤵
-
-
C:\Windows\Resources\Ease of Access Themes\wininit.exe"C:\Windows\Resources\Ease of Access Themes\wininit.exe"11⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mrWoaKD2ur.bat"12⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:213⤵
-
-
C:\Windows\Resources\Ease of Access Themes\wininit.exe"C:\Windows\Resources\Ease of Access Themes\wininit.exe"13⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SNnEytbzjv.bat"14⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:215⤵
-
-
C:\Windows\Resources\Ease of Access Themes\wininit.exe"C:\Windows\Resources\Ease of Access Themes\wininit.exe"15⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GvLkm7sAXX.bat"16⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:217⤵
-
-
C:\Windows\Resources\Ease of Access Themes\wininit.exe"C:\Windows\Resources\Ease of Access Themes\wininit.exe"17⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RId7nS4uU7.bat"18⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:219⤵
-
-
C:\Windows\Resources\Ease of Access Themes\wininit.exe"C:\Windows\Resources\Ease of Access Themes\wininit.exe"19⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Nl6pt1R060.bat"20⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:221⤵
-
-
C:\Windows\Resources\Ease of Access Themes\wininit.exe"C:\Windows\Resources\Ease of Access Themes\wininit.exe"21⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qUPyb5cGVE.bat"22⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:223⤵
-
-
C:\Windows\Resources\Ease of Access Themes\wininit.exe"C:\Windows\Resources\Ease of Access Themes\wininit.exe"23⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4oJokgKWVw.bat"24⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:225⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Links\lsm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Default\Links\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Links\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\cmd.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\winlogon.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Admin\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Defender\DllCommonsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\DllCommonsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Defender\DllCommonsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\conhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Windows\Resources\Ease of Access Themes\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\Resources\Ease of Access Themes\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Windows\Resources\Ease of Access Themes\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Media Player\it-IT\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\it-IT\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Media Player\it-IT\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\providercommon\cmd.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\providercommon\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\providercommon\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\conhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
342B
MD54d63aac8c434b5b39e338bcdb777b77e
SHA1f14d0705dc033b30a5b1d6a7ec925be34910809b
SHA256c57c3ba3d1178b1bd6f12106b7a457f513e3a7b0d098f5e6fc3bc511909d3f2f
SHA512865a44b9e10c2bf08d06f64487f9a7ec9d50b793a7c792426284fa649576d2c0d8f6cdf365b255e033f727fc711e0864b3fe45cf665c27e1bf9297f90df8d8a3
-
Filesize
342B
MD547396fe601fc7da7f443ae94eed2bfc1
SHA1e01b1f6619636a75ebe8ef89bdd91cc700c0cd2b
SHA256ef008f4a6a2786d80ab1b2f6bd240c99d00f698ad6beb07a288463f253c2e028
SHA51282a23a19c2c0970432d7abe93b74f952ace671e9818fd39c9f61ce7863e38219856e0013492c5518222978530b39e61693bb486e9acc0e7b1511c8415e128222
-
Filesize
342B
MD5b6adad6ff7a3ff21ae1a729d4eb0eaba
SHA1612ebe3293616e638f189a3a5d1ca7914860c3f7
SHA2565be892f687099fee45d7b2c82a77ba7bb11a3ce5e58e64189dd3092e18ec9b16
SHA51209a046fb7273fb9ab3404bd3d23370885f90ac2f2440698d5f75e1516ee6f73636724e31f835b64860bd04e5991929e094f44dbf2a962a5beac0ed3f0edeb626
-
Filesize
342B
MD53abcd01f6cd5d942ff040465100c0b4b
SHA1b885456dbf4265ab789cfe56396215e959ce72e4
SHA256071ad07310b355259839382b7f23ae5f328b5c62890766eaab4718dcaac18eb2
SHA512f9c2c660934bb063a932264475673be09d69b10f0de30b59a48b96899fbc78c178d4b69655c667860290b0cc8283eac67764f6ec7ac11ae9deabb9d24200fecc
-
Filesize
342B
MD56c0489351675b269094fed9e0f0cd8f2
SHA18013b1a66e0da7641cc94678664983a66b1b2205
SHA2561b04c13b8385a34fa043bd08b25c50bdd77aaae17280484bc0d706e7322fc038
SHA512c281c0da517d82253ba844aaa428bb89fc1eaccf16633252b8113a391ffd70daab0245f9b37e07ce4aa2cf06de023eb68b0c01e437456b04d65649d4a1ee5696
-
Filesize
342B
MD5dfa05f53f4c102206cf480c782602a49
SHA1e19e4f7bcabe96a88d5d0d3c18a02692a7547b9a
SHA256bd87f2af3c501766515c451bbb07a8a449756d0f471c2bc715594e690617b21a
SHA512afb612aa7c76148cb32c3b502467237b2f0d10a078d6d71eaea38653055a340ca0ca196632ad4172c34db195e60e125e4a9a85399c0e56dcc59b8847326e19ae
-
Filesize
342B
MD533d17a69d3d4d1273e7a688985e26c8a
SHA17001549415518835566c73db740471b82a756948
SHA2566171fb100eefc4ce1934a7cfcf329ea41ca9cb38606885a0555cbc094715548e
SHA51285e793a2586520530cd1dd08f68b9513f184b673c68be0f80bc030f27d696a056cc5ebcf7ad6aaba3508441039afaf8893734555725ef068928695a8fced7cd9
-
Filesize
342B
MD546476b26e5a9c4b89761419595e0c408
SHA1306cc4209df7c876686233ff3f2b1449f9aff2bb
SHA2567a862df719f7b1d602c1237ee5a86a12b74b3a3fc25298795e71186baba79d19
SHA51271b6431774f46b273609fc56eed2405ab1627dc99a91f31f84d66bddbc9b22e08d515c1dd0906e1d1acc1d757596fd6a29862d1b7cf897e5c8ae74e48de7f6f9
-
Filesize
342B
MD54cdae15dae1feef37be70e28d5ab09f0
SHA1234545da753d5d6d3cf94c769d49517e1528f1ec
SHA256553b86a3dd30cddb80ee729cab4533cca3cb66f898eb04b8ebba4a921a81fcde
SHA512d21d2ab5281935bd5898c90ed665b70ce61c98d39a27c2f93093b39726160aab3894fcb70a5649538d9eadc2d9c78c8593bf0f055a2a28792f677b4de4b5a3d2
-
Filesize
219B
MD5a0838a836db427b4073b99b494c42693
SHA1adea89f2e3a4ac4a58413e0fca40bba5f8b2df05
SHA2561f6e103cb6f81e9b4d7fc41cf14c9489a1cd83f238fc34582bd982efc9ef26f6
SHA512c4812ce6021925d86be2fa5583b9575cddf6db2cded2a7f4092323ce0732bcacc5a710e03692331852e4aa9a27dbde5672a3cdf1e5684c29c71af2d9873cacd3
-
Filesize
219B
MD51c74435b0ae4d37076a86852ff0c3116
SHA1f01ec65354a467786db5f6b035e1322e2edf7651
SHA256f1c7b810791f19cdee242e0458b53b32edaeb75f9f6228cd4e858013c9279777
SHA5126929edf767efeb3418334a847bff1e15dad0f358c1399db67b3ee37bde10bd5c77d95b8608c7f0f6c9bcd46518295df4e47bf8bdaab193c62161eae260ec1eb7
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
219B
MD5111e90af197c6361838210cfacb69c13
SHA180d3154fd291a8c1562db0bf19233c307d7708c7
SHA256262c851fe70de6defaac4b9106fded55f3948f77ce2c757113c707b543097529
SHA51287a39c12c13319f4f954b9b04c2679b7102b460445f99123a0f85ba0135ce3f07d57ad037ee5320cb697b366898a2251748bd44d2ac5940b61264aab63ce8ab3
-
Filesize
219B
MD5deb44ff8ad641b79621936846dd41551
SHA145a3fbad8e81233c91d2592cbdd07ad9f66708ad
SHA256976255b1e42dbc22dbc26c9a1b7a860555b8ac2c789b9b2a07ebbe3cc047bda1
SHA512e4df1ba2ad98f11ce87dced97207f7fb127ebeafc917bbc55713e15a909582fd47480858b3e19898ff7aacb656de50c81e143297fbea52a560778e39b6c9cf49
-
Filesize
219B
MD5a2fdb4e644e49d20ab6cb7b9e4c33565
SHA168547037c59fb5cbf08f517e27b7754c5e1b366b
SHA256ab7d53d682da83c0ff569d85887a2a8d15215f99c55ebda0250b0aa2b52a9f26
SHA512a461319828c8078c61ea1f2f5aee6193708c9eed86db1a81a471bc9c14d11f76f3fc9855f917f37653216ccb2d21aa7db97c59448200f26160d44236beace42e
-
Filesize
219B
MD5b13458fe4682a3315a8bfd2a5ad6f244
SHA1166013484e552078c09560b4ff52f9c56fb1e237
SHA256b35adce4457ecd2bc755fd518f70defad9dfd3d6f3c99d3f2975bc0bcd23faa6
SHA512cc3bc76105486018ee2aa0f834f33dcc628107c96e7bd222805d0f81c20dda3c37a0998f7f46506c934c7894f951bec8ec39037ca3d6c7492651633cad3140a6
-
Filesize
219B
MD5020b440bd7647af79b2bc79347108c40
SHA15f962c0c63115928c41ac97fb14c9ab2932fd6df
SHA256b85759f70cf3834a3338fa12f6e1a0783135575aaf09cb7c84a22b97496e21db
SHA512c8743e1e20923e18876d62915c0caeec5fdb0df86b1d1841c38ea70324d071750a7b6c86d12908aff947dc394939e1160df3db4b499d3769d58e734abbd0349c
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
219B
MD5d7aa73dc77a5ccae715e23934537b5af
SHA1c20009c8371788a562c56f5e068b658e06fb8204
SHA256290f24d58c37659b809d6f33eed58bfb1def1bb4c17fd96066bdc011df58914e
SHA51242136fa544b5e1408a3aa25cc5ecfc5aa4f71696e8ad39a0b06bd67626ba952d89f08c856f76e65cee9df213a321e70d03fe1cfff8b40eeda71254fe0e39d4e2
-
Filesize
219B
MD591cba77c0df2847521845e6f241dcb13
SHA144274f657c1bee102dae42dfd2ed776eed84c6de
SHA256d7614b8dc90b6a273e5e5fb29b8ac08ddd1a7202f6cf1fbf3cc05d7b04b0eca6
SHA512d3623bba73815f0ed0abac4f9992de43b72ccbc5d46cdeb481d4a4ba485bf13e8541a96abe4646b92225ec06b9a7bcab1fe47d51fad44db6f78ca293d4a9a5d8
-
Filesize
219B
MD596d444218534e0e49b789d821e6bb85d
SHA136dbe758d2f262b8f97dd712d2e0cdfcce427865
SHA256c22d75edcfaea8c13b964c9593716e8570913cfae8f8c0fac347ef1fe91c8dd8
SHA51227fcb764764f5f231f9442c7144dbdef7bd4ad4c2625b14cfe6ef8df335f12de3fef4a71a789d65018ece067fcfa4ed9111f2b854ca63e439b4e188dba1f6f2b
-
Filesize
7KB
MD528a3af5dd67bd6c8187bd7b7547572bc
SHA179bf581ad3a71d261a3a097729f41542c92fe1c5
SHA256dc3e5e023a1140d02b9dd50faf7c14cba3a2f41d73cba91c30c1e38ebde3dfa0
SHA5123b1b524a4bb798a8b3ebe1908f06a907bc802fff3e46249f09d92b53b8e7f899029b3938508f8c3d3a63be80ea993899d198a38dd7a607a61c11bec6d9b014b4
-
Filesize
36B
MD56783c3ee07c7d151ceac57f1f9c8bed7
SHA117468f98f95bf504cc1f83c49e49a78526b3ea03
SHA2568ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8
-
Filesize
197B
MD58088241160261560a02c84025d107592
SHA1083121f7027557570994c9fc211df61730455bb5
SHA2562072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA51220d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478
-
Filesize
1.0MB
MD5bd31e94b4143c4ce49c17d3af46bcad0
SHA1f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
Filesize
2.9MB
-
Filesize
1.1MB
-
Filesize
72KB
-
Filesize
1.1MB
-
Filesize
72KB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
1.1MB
-
Filesize
72KB
-
Filesize
48KB
-
Filesize
1.1MB
-
Filesize
72KB
-
Filesize
32KB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
72KB
-
Filesize
1.1MB
-
Filesize
72KB
-
Filesize
1.1MB