Analysis

- max time kernel: 149s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 21-12-2024 20:19

Behavioral task behavioral1
- Sample: JaffaCakes118_4ad084980075d06ed003d1412c3678317e5759dc7baa74f8a5a6c8a3fc114a43.exe
- Resource: win7-20241010-en

Behavioral task behavioral2
- Sample: JaffaCakes118_4ad084980075d06ed003d1412c3678317e5759dc7baa74f8a5a6c8a3fc114a43.exe
- Resource: win10v2004-20241007-en

General
- Target: JaffaCakes118_4ad084980075d06ed003d1412c3678317e5759dc7baa74f8a5a6c8a3fc114a43.exe
- Size: 1.3MB
- MD5: bc088505e2522ab98217205c4d01bace
- SHA1: 6fff4b2725c066519eedf14c5bd9e5e71b8382b5
- SHA256: 4ad084980075d06ed003d1412c3678317e5759dc7baa74f8a5a6c8a3fc114a43
- SHA512: 493be489851159f6858217df1b663ecc3751bcb1b4d7126e33c125615b2640e0a2e5ee92cc2046ad6f07d00625b3d11fed228ac84ef0984e41796d5b8e9047ed
- SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config

Signatures

DcRat
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

Dcrat family
Process spawned unexpected child process (54 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
| resource | yara_rule |
| --- | --- |
| behavioral2/files/0x0007000000023c89-10.dat | dcrat |
| behavioral2/memory/5112-13-0x0000000000720000-0x0000000000830000-memory.dmp | dcrat |
Command and Scripting Interpreter: PowerShell (1 TTP, 19 IoCs)
Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Checks computer location settings (2 TTPs, 15 IoCs)
Looks up the country code configured in the registry, likely a geofence.

| description | ioc | Process |
| --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | JaffaCakes118_4ad084980075d06ed003d1412c3678317e5759dc7baa74f8a5a6c8a3fc114a43.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | csrss.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | csrss.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | csrss.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | csrss.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | csrss.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | csrss.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | csrss.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | DllCommonsvc.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | csrss.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | csrss.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | WScript.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | csrss.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | csrss.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | csrss.exe |
Executes dropped EXE (13 IoCs)

| pid | Process |
| --- | --- |
| 5112 | DllCommonsvc.exe |
| 3668 | csrss.exe |
| 4660 | csrss.exe |
| 400 | csrss.exe |
| 4340 | csrss.exe |
| 2088 | csrss.exe |
| 2172 | csrss.exe |
| 728 | csrss.exe |
| 2036 | csrss.exe |
| 5456 | csrss.exe |
| 5640 | csrss.exe |
| 2856 | csrss.exe |
| 1020 | csrss.exe |
Legitimate hosting services abused for malware hosting/C2 (1 TTP, 13 IoCs)

| flow | ioc |
| --- | --- |
| 55 | raw.githubusercontent.com |
| 15 | raw.githubusercontent.com |
| 42 | raw.githubusercontent.com |
| 46 | raw.githubusercontent.com |
| 53 | raw.githubusercontent.com |
| 47 | raw.githubusercontent.com |
| 52 | raw.githubusercontent.com |
| 54 | raw.githubusercontent.com |
| 56 | raw.githubusercontent.com |
| 16 | raw.githubusercontent.com |
| 21 | raw.githubusercontent.com |
| 40 | raw.githubusercontent.com |
| 41 | raw.githubusercontent.com |
Drops file in Program Files directory (8 IoCs)

| description | ioc | Process |
| --- | --- | --- |
| File created | C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\fontdrvhost.exe | DllCommonsvc.exe |
| File created | C:\Program Files\ModifiableWindowsApps\taskhostw.exe | DllCommonsvc.exe |
| File created | C:\Program Files (x86)\Mozilla Maintenance Service\logs\csrss.exe | DllCommonsvc.exe |
| File created | C:\Program Files (x86)\Mozilla Maintenance Service\logs\886983d96e3d3e | DllCommonsvc.exe |
| File created | C:\Program Files (x86)\Google\SppExtComObj.exe | DllCommonsvc.exe |
| File created | C:\Program Files (x86)\Google\e1ef82546f0b02 | DllCommonsvc.exe |
| File created | C:\Program Files (x86)\Google\Temp\lsass.exe | DllCommonsvc.exe |
| File created | C:\Program Files (x86)\Google\Temp\6203df4a6bafc7 | DllCommonsvc.exe |
Drops file in Windows directory (4 IoCs)

| description | ioc | Process |
| --- | --- | --- |
| File created | C:\Windows\BitLockerDiscoveryVolumeContents\69ddcba757bf72 | DllCommonsvc.exe |
| File created | C:\Windows\ShellExperiences\RuntimeBroker.exe | DllCommonsvc.exe |
| File created | C:\Windows\ShellExperiences\9e8d7a4ca61bd9 | DllCommonsvc.exe |
| File created | C:\Windows\BitLockerDiscoveryVolumeContents\smss.exe | DllCommonsvc.exe |
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

| description | ioc | Process |
| --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_4ad084980075d06ed003d1412c3678317e5759dc7baa74f8a5a6c8a3fc114a43.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe |
Modifies registry class (13 IoCs)

| description | ioc | Process |
| --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings | csrss.exe |
| Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings | JaffaCakes118_4ad084980075d06ed003d1412c3678317e5759dc7baa74f8a5a6c8a3fc114a43.exe |
| Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings | csrss.exe |
| Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings | csrss.exe |
| Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings | csrss.exe |
| Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings | csrss.exe |
| Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings | csrss.exe |
| Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings | csrss.exe |
| Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings | csrss.exe |
| Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings | csrss.exe |
| Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings | csrss.exe |
| Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings | csrss.exe |
| Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings | csrss.exe |
Scheduled Task/Job: Scheduled Task (1 TTP, 54 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious use of AdjustPrivilegeToken (32 IoCs)
Suspicious use of WriteProcessMemory (64 IoCs)
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- Level 1: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4ad084980075d06ed003d1412c3678317e5759dc7baa74f8a5a6c8a3fc114a43.exe (PID 3940)
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4ad084980075d06ed003d1412c3678317e5759dc7baa74f8a5a6c8a3fc114a43.exe"
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
- Level 2: C:\Windows\SysWOW64\WScript.exe (PID 4984)
  Command line: "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
- Level 3: C:\Windows\SysWOW64\cmd.exe (PID 2560)
  Command line: C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
- Level 4: C:\providercommon\DllCommonsvc.exe (PID 5112)
  Command line: "C:\providercommon\DllCommonsvc.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3416)
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
- Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2236)
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Music\fontdrvhost.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
- Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4088)
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\explorer.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
- Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3324)
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\spoolsv.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
- Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3204)
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\spoolsv.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
- Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4040)
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\unsecapp.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
- Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3848)
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\RuntimeBroker.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
- Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1308)
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ShellExperiences\RuntimeBroker.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
- Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2728)
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\logs\csrss.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
- Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 116)
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\BitLockerDiscoveryVolumeContents\smss.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
- Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2568)
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\upfc.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
- Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1592)
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\dllhost.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
- Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3168)
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\SppExtComObj.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
- Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 8)
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\csrss.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
- Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1284)
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\explorer.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
- Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3664)
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\Temp\lsass.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
- Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4360)
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\csrss.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
- Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3888)
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\RuntimeBroker.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
- Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3984)
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\dllhost.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
- Level 5: C:\Program Files (x86)\Mozilla Maintenance Service\logs\csrss.exe (PID 3668)
  Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\logs\csrss.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- Level 6: C:\Windows\System32\cmd.exe (PID 6112)
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CSN9cxKiet.bat"
  - Suspicious use of WriteProcessMemory
- Level 7: C:\Windows\system32\w32tm.exe (PID 1004)
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
- Level 7: C:\Program Files (x86)\Mozilla Maintenance Service\logs\csrss.exe (PID 4660)
  Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\logs\csrss.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- Level 8: C:\Windows\System32\cmd.exe (PID 3364)
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OI2OM6vZgr.bat"
  - Suspicious use of WriteProcessMemory
- Level 9: C:\Windows\system32\w32tm.exe (PID 2276)
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
- Level 9: C:\Program Files (x86)\Mozilla Maintenance Service\logs\csrss.exe (PID 400)
  Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\logs\csrss.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- Level 10: C:\Windows\System32\cmd.exe (PID 3596)
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DJG58brWjr.bat"
  - Suspicious use of WriteProcessMemory
- Level 11: C:\Windows\system32\w32tm.exe (PID 2692)
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
- Level 11: C:\Program Files (x86)\Mozilla Maintenance Service\logs\csrss.exe (PID 4340)
  Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\logs\csrss.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
- Level 12: C:\Windows\System32\cmd.exe (PID 4392)
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RE4R3BzSze.bat"
- Level 13: C:\Windows\system32\w32tm.exe (PID 2952)
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
- Level 13: C:\Program Files (x86)\Mozilla Maintenance Service\logs\csrss.exe (PID 2088)
  Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\logs\csrss.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
- Level 14: C:\Windows\System32\cmd.exe (PID 5692)
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jnfhf9Euk8.bat"
- Level 15: C:\Windows\system32\w32tm.exe (PID 5732)
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
- Level 15: C:\Program Files (x86)\Mozilla Maintenance Service\logs\csrss.exe (PID 2172)
  Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\logs\csrss.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
- Level 16: C:\Windows\System32\cmd.exe (PID 2404)
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\evbbIz777a.bat"
- Level 17: C:\Windows\system32\w32tm.exe (PID 4856)
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
- Level 17: C:\Program Files (x86)\Mozilla Maintenance Service\logs\csrss.exe (PID 728)
  Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\logs\csrss.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
- Level 18: C:\Windows\System32\cmd.exe (PID 5344)
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\U1yQEvZAPO.bat"
- Level 19: C:\Windows\system32\w32tm.exe (PID 6132)
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
- Level 19: C:\Program Files (x86)\Mozilla Maintenance Service\logs\csrss.exe (PID 2036)
  Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\logs\csrss.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
- Level 20: C:\Windows\System32\cmd.exe (PID 5248)
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RE4R3BzSze.bat"
- Level 21: C:\Windows\system32\w32tm.exe (PID 5444)
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
- Level 21: C:\Program Files (x86)\Mozilla Maintenance Service\logs\csrss.exe (PID 5456)
  Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\logs\csrss.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
- Level 22: C:\Windows\System32\cmd.exe (PID 5868)
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\evbbIz777a.bat"
- Level 23: C:\Windows\system32\w32tm.exe (PID 5724)
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
- Level 23: C:\Program Files (x86)\Mozilla Maintenance Service\logs\csrss.exe
  Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\logs\csrss.exe"
  - Checks computer location settings
  - Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:5640 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oqEnL4f5pl.bat"24⤵PID:3640
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:225⤵PID:4572
-
-
C:\Program Files (x86)\Mozilla Maintenance Service\logs\csrss.exe"C:\Program Files (x86)\Mozilla Maintenance Service\logs\csrss.exe"25⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2856 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rd8mWnFnEV.bat"26⤵PID:5936
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:227⤵PID:4844
-
-
C:\Program Files (x86)\Mozilla Maintenance Service\logs\csrss.exe"C:\Program Files (x86)\Mozilla Maintenance Service\logs\csrss.exe"27⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1020 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kyAhxuXJBD.bat"28⤵PID:3172
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:229⤵PID:5772
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Music\fontdrvhost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2316
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Public\Music\fontdrvhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4980
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Music\fontdrvhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2676
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\providercommon\explorer.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:220
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1188
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2348
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2044
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3232
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2376
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1768
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1864
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5072
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 9 /tr "'C:\providercommon\unsecapp.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1612
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\providercommon\unsecapp.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1528
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 7 /tr "'C:\providercommon\unsecapp.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:228
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4876
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2692
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5032
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Windows\ShellExperiences\RuntimeBroker.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1848
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\ShellExperiences\RuntimeBroker.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2332
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Windows\ShellExperiences\RuntimeBroker.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:800
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\csrss.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2596
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2920
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1628
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\smss.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:908
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\smss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2696
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\smss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3884
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 7 /tr "'C:\providercommon\upfc.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4588
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\providercommon\upfc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4808
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 7 /tr "'C:\providercommon\upfc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3000
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2404
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3816
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4068
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Google\SppExtComObj.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2164
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\SppExtComObj.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2656
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Google\SppExtComObj.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4488
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4660
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4748
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:620
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\providercommon\explorer.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1088
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:872
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1020
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Google\Temp\lsass.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4180
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Temp\lsass.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:540
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Google\Temp\lsass.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3156
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\csrss.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1784
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:428
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1008
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4312
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4580
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4440
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\dllhost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4512
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3784
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3032
Network
MITRE ATT&CK Enterprise v15
Downloads