Analysis
-
max time kernel
148s -
max time network
145s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
22-12-2024 17:45
General
-
Target
JaffaCakes118_eb53f773dd30ea38d01b3684c2daf4d1b688592be14bd4b660bf6dd02c873b69.exe
-
Size
1.3MB
-
MD5
4b37b6b4097d944ba7d9724243c70fb4
-
SHA1
74a967fecb6f243651a035e6fdc8a46dd624ed3c
-
SHA256
eb53f773dd30ea38d01b3684c2daf4d1b688592be14bd4b660bf6dd02c873b69
-
SHA512
10e130deef7f781b6e7c66ccefc45c1708097e763077bec3f6f42f226eb1ed371c0c7e00bda189f609b03f149df921159939a65b3135d3301e22f32e2d79c432
-
SSDEEP
24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 33 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
DCRat payload 11 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Executes dropped EXE 12 IoCs
-
Loads dropped DLL 2 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs
-
Drops file in Program Files directory 11 IoCs
-
Drops file in Windows directory 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Scheduled Task/Job: Scheduled Task 1 TTPs 33 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 24 IoCs
-
Suspicious use of AdjustPrivilegeToken 24 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_eb53f773dd30ea38d01b3684c2daf4d1b688592be14bd4b660bf6dd02c873b69.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_eb53f773dd30ea38d01b3684c2daf4d1b688592be14bd4b660bf6dd02c873b69.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\providercommon\1zu9dW.bat" "3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\providercommon\DllCommonsvc.exe"C:\providercommon\DllCommonsvc.exe"4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Media Player\explorer.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\ja-JP\wininit.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Vss\Writers\System\spoolsv.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\DllCommonsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\csrss.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\TAPI\explorer.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\WmiPrvSE.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\DllCommonsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Uninstall Information\wininit.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\smss.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8okcwczJrd.bat"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:26⤵
-
-
C:\Program Files (x86)\Uninstall Information\wininit.exe"C:\Program Files (x86)\Uninstall Information\wininit.exe"6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8YXrskW4JY.bat"7⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:28⤵
-
-
C:\Program Files (x86)\Uninstall Information\wininit.exe"C:\Program Files (x86)\Uninstall Information\wininit.exe"8⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5AjNu1Vgdj.bat"9⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:210⤵
-
-
C:\Program Files (x86)\Uninstall Information\wininit.exe"C:\Program Files (x86)\Uninstall Information\wininit.exe"10⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jFR8woBO6B.bat"11⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:212⤵
-
-
C:\Program Files (x86)\Uninstall Information\wininit.exe"C:\Program Files (x86)\Uninstall Information\wininit.exe"12⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8tyQ25hERL.bat"13⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:214⤵
-
-
C:\Program Files (x86)\Uninstall Information\wininit.exe"C:\Program Files (x86)\Uninstall Information\wininit.exe"14⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LkcfmFI5TJ.bat"15⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:216⤵
-
-
C:\Program Files (x86)\Uninstall Information\wininit.exe"C:\Program Files (x86)\Uninstall Information\wininit.exe"16⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qsbi9TUILn.bat"17⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:218⤵
-
-
C:\Program Files (x86)\Uninstall Information\wininit.exe"C:\Program Files (x86)\Uninstall Information\wininit.exe"18⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Q3ZRkRg4YZ.bat"19⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:220⤵
-
-
C:\Program Files (x86)\Uninstall Information\wininit.exe"C:\Program Files (x86)\Uninstall Information\wininit.exe"20⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IrNnSCw4rJ.bat"21⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:222⤵
-
-
C:\Program Files (x86)\Uninstall Information\wininit.exe"C:\Program Files (x86)\Uninstall Information\wininit.exe"22⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6Zqs8041Oe.bat"23⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:224⤵
-
-
C:\Program Files (x86)\Uninstall Information\wininit.exe"C:\Program Files (x86)\Uninstall Information\wininit.exe"24⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5DPJyftqFq.bat"25⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:226⤵
-
-
C:\Program Files (x86)\Uninstall Information\wininit.exe"C:\Program Files (x86)\Uninstall Information\wininit.exe"26⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Media Player\explorer.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Media Player\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Mail\ja-JP\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\ja-JP\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Mail\ja-JP\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Windows\Vss\Writers\System\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\Vss\Writers\System\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Windows\Vss\Writers\System\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\DllCommonsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Users\Default User\DllCommonsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\DllCommonsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Windows\TAPI\explorer.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\TAPI\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Windows\TAPI\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\WmiPrvSE.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 11 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\DllCommonsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\DllCommonsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 13 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\DllCommonsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Uninstall Information\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Uninstall Information\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\providercommon\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
342B
MD53009bef03c644542059d5d658565cc75
SHA1f5010472c6c49d25df80ecd8683bce439b59b1fc
SHA2564c0903e687c30e6af8acc3a7ad96ac8763ec06fc1dfecf7f7860f64ea3eb5b79
SHA5129b8246c251092fe55e9ebe8ff11d94c9ae4ddace79c7585eb2dfb39cefde13b14c088833cddb54aba56244b966911a876aae83e664ad309611dd1bd8d92665d4
-
Filesize
342B
MD522358e5f1a2c45061a9cfc7755f9b71b
SHA149f53857d8942bb50b3b64d6b87aaaf412b59eb6
SHA2568824ef7aeaa2a378f75ffcd92622d2713d1ff7c5c61d67bb8e7c208569f7cf54
SHA512bb843756ab79bbd4908de49e15010bf2d503e92d0da9fe760eb35fa853292fcdbe63de156baa73b3cc88e4180dfecd55b253137b649f14aece6bd3f338988bc3
-
Filesize
342B
MD521e8af2740ac60e3ba2506b2a40b01c2
SHA1b108432d6c98d137973ecc1a6b240930995639c8
SHA256ec452bb03adf4913d291441a42cbc3bdb44060ee54c7797254f08e6a9ac0d94d
SHA51274521d40f0d1bc6c6fe97933624b2f2921326624d07138a2d07ce6ce0af651a0446c6c2f37f1762477f66fd168082d8cd5134550e4e14f04012f2af54a00122b
-
Filesize
342B
MD590e72b068d215edb824d802ec3f61ab7
SHA12515e26031a4b3325ab92f1d4e731dddeecaab7d
SHA2566614a2750ca693c80da683f9307de24e64da2a68be8573af543ebdbc6e5630ff
SHA5128fef321091043f80fd3db9ab28b9631af122d4523a381ac8cbdf7f83d73ece73953f4b3abe10b5fed034f92632086074936120ee0c15f53bd2c4635a17799ea6
-
Filesize
342B
MD5d19a2a2e00b395996691b6fdddb6b81e
SHA17d09755119e5c79efd0696d37b8e98b3345e4724
SHA25641f66b5c0ce6804155d146393c442762125ee169830eec4775db0656764c9a69
SHA5123c7be32cd6e1a62c6e6086a914670d93ade11afb7a7248fd8a447aee01228e73035507b7bfef0212a06798cde0eefd552347983ef1e2564a9e3f661a66eed031
-
Filesize
342B
MD564c82e78b19f092c8b16551c6257f099
SHA11e177c6fd7222c1773727b01ad8894e370c05fd6
SHA2562bad9da133ec8c48c3a9ddda4861cfc2457f8251c7560310fc672e49bfb7ad33
SHA5128277aacdb30060fe26bf94b9559ff22e83f3347d1b63420ad12604ccc1c21b44f60f027d6be4521fa1c73da5e7e87b22bafe19bb16c7338784dce40626796a3f
-
Filesize
342B
MD5d35972798b12e1b31c21884f590093aa
SHA150521aa67c88d08bd0786f4b72ce983d07b9c3ff
SHA2565c45b268b011b14c69f2f04d3276f62767ae0cade92bac5bcfcdf832fa910595
SHA5124040d60e0829822eaee0870358b59c59a628cdc163fc7a2f7fb0f0a29210c584fc263f01dcd2870110e16ab0115015b7812330364893a61b83b8d642ecf71a5d
-
Filesize
342B
MD58f04030446d7910c516edd9678121aa0
SHA19a3c19639be6db08d72e0afb81920a78f0172f76
SHA25651147e2eb86b1badd2d3c9a9725c8e1f854a643e9dc86bba11172d652443f20f
SHA512d29d5cafe610d517eff668a08b348350fea430df99e268b045a62c498f72cb8cf4fac64ddf36c69982eb883e7611d980c4e0b46af00e08ef7a3666be0b3292f8
-
Filesize
342B
MD50cf16e4bb4e4725711069d00564d6f46
SHA1dfc60e766df60c0c5f2eaa19dcb82da931c69b7c
SHA25689a5c3ae7386b62aa3f34290acfba17d82f16e5f18264ae44b4efb5a233c5019
SHA5120dfb79bfc77ddb2934aa528541f2abe79f42613be4b62d4f11ae67dd05268bacd393b60de2d3d6eba0a4f8002fbda76c8a20c0431cc056aa83e0ce5fa9530e01
-
Filesize
221B
MD556f7fc557664ca2da347031e60b8f8f9
SHA15125a9f0f89f8d3cd1261d1deafe621a91c3d728
SHA2564b477c53c31903a016d42ee37d13a00bc3100b1556af7679ef332c61dccf2af0
SHA512f613d2eab3122a8e90502bb1c09403ddacd8852cbc0bab7c8eeef686a7f3267a35d5b9b9d77ebb17203382099c73601d2e623ee0997b9acf081d8066b23a0e4e
-
Filesize
221B
MD571d1e3814ff64532c60f3f246e1fcfbd
SHA1204d31039d73abe19c1a29d856f8304ad7d6297b
SHA256e0b2d250d2aab26463dfb7a2693ccd954e08f9798b7ebf1def44dd9e3f26077e
SHA51226c0229feac95e85bc3a31bc01dc656a893bbea5e0784ebb69018f911584925d358609b8101c331fd45b7ec77f4d84512e259b13d1d35e1f6c245f4d0ba2f372
-
Filesize
221B
MD5348f368fa1d1f80648a4280cc09657a2
SHA1255c23020c6582664f0a1bc051a71c62ad2bf3cb
SHA2569569c8d23b0d643a8b43481ddabbd4120628fc6c382c485a1e65c696aa6fe5d1
SHA5126c0ae5bdb0bf2b2932d3099d86cdf674eb32141ba0a415d30c023158ccee652fe53c5e41ce0573c84cd13e367fabc06f580ddc18fc61b09521c5d3e926d315ee
-
Filesize
221B
MD5bccf5ac42d3075df2884cebeaae0a737
SHA17d1834969d80b964413691845c8fc18a99245d02
SHA2564e285d4035cb15fb6961a841605ff70247492e7bc3fd3ca8f96e8986e670e022
SHA512ddb0f78776719dc70198b1ddb75300b446fd0c3e15b566b6240d198bbb1f24c4f713d1292fd946c4b4ccc73c30dd1c0de021e81db3d13f1cc768db4496d7ec5d
-
Filesize
221B
MD5cfae7258e5280fa3f96a380509c860ec
SHA13855cc294aa06c84f0da019705ae246a5638b8e0
SHA256a4f17b70fc7e7515a85997c7a0ef1a905e3c5d371443951d16b9038bdcacc60f
SHA5123dd1768c2341f946617627fec272dfddbfb56fcf59f960eb01ed9693dc1b9d6c1ef954ccd6dce8302a7906e3d9f1401c4d7ceca761fbf8a822d16edadc953148
-
Filesize
221B
MD5473da60e7267883907f7317509fa71e0
SHA191abb0d223d58804a53239c490a6b4f4bd3dccd6
SHA2562b631251505b3965fd0d83abf75546e5108f67e3d20c7ebbf0f4afe7b828a043
SHA5125907043949b1df65f041f080f84f224847873df58d96e02390c01ee6c7339742d113f5850feeb1012f52142572e192bb998f29bdbc850796733da909070b7003
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
221B
MD537943127725b384ae0269d1f9cb044e0
SHA155a7ccbb9a5edd67f68d87980462257e5c3d35ea
SHA256a6cafd1b9ee5e12adb2338714f39758be512722ab0d171bcabe93698fcc09596
SHA512b0e89d1181b89bdbb445a6027cb6425e5c0d1677d550781229bbe5b8aa57d1477d1eaa46a78bde195e92d3a29cdbc248a516858bd5fcff85ac70ef9bdcf1fb9b
-
Filesize
221B
MD52f27ffec1869dd7fce54245b5b907832
SHA10cec4a7615136d1a42f576d6d376e5ffe374a5d4
SHA25629e2ca7c3b2ab84bed20acd58145a05fde1bb19fe6520701f6d3a9d83ed8fd81
SHA512062f624dadcb70c6d0f3e146a86bb3a37af5907c765cc6f8538beed579cedde2521d1d0bfdf090dd3de14dfa69771c6b15dfd52dcb251d35871c0ae712497095
-
Filesize
221B
MD52f5727b3d29e198211e5a5324789bf70
SHA1df57979ba43fd93260c20d84408e634e4d13cd42
SHA2566badd514225c83190c37b490486c08584ee3c2def501d6638248f6ad48f249ba
SHA51214e2b1b21ac50eb48fb320ee91f3e5967bc7f10507013bc4afa5731f4d7125d896daf1ea9fcd3d2dffa5e7bb3a9f0084c47147be35c76a6c88f1a8d0c0595755
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
221B
MD5dd64d5e4295c18e2900685be6b588d29
SHA1b55a1d92157e63a19d28e317e0ec5c11626ec1e6
SHA2565fc65f706da913e094691f313695c41f792816593fa62947426b47208e7b2077
SHA5128bc051d9d1ada503af69078db7d5d6a1b0b36d5ce1285f493bbdcf94a2fe4b46e5189f43b367871eee4c4251dbb6fe2113f5eeed45d5a1c3fd2b4d7ed0b9c388
-
Filesize
221B
MD5850718f663996b0bb275a3ae3eccc446
SHA194de000a62dab2642ad15f6dd9e89fbdde9323b7
SHA256d7ffa514a9e8300f4d111730a10f5c6d7bbb75829ca803a0fa6f4e43c2536099
SHA51264c004d5ab80a105c1219bbc5675fb4ed8cc63b2a4b81eae16de180e7071d2595f66f833a96ce2b09a8229f82a264eda89b05d2ed27af466fa55b493f4703f43
-
Filesize
7KB
MD57b721177f34b625d9b0184f80bb8bcfb
SHA149b31943bc098544235f5ad94025e4c0b7492cd7
SHA256d128f33feb20e821c58cf1c54158bfb8ffebea339568ffd3b8080cfaf4a59fe8
SHA512fd26a45d79afd289fc6b25a07eb7d5fe819bd45374e6dfa37243bb1a549597acf8744c8b059890bc98e59a6e236d8a57dea06bc16a6cf4da26339bd51f52e4b1
-
Filesize
36B
MD56783c3ee07c7d151ceac57f1f9c8bed7
SHA117468f98f95bf504cc1f83c49e49a78526b3ea03
SHA2568ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8
-
Filesize
1.0MB
MD5bd31e94b4143c4ce49c17d3af46bcad0
SHA1f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
Filesize
197B
MD58088241160261560a02c84025d107592
SHA1083121f7027557570994c9fc211df61730455bb5
SHA2562072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA51220d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478
-
Filesize
1.1MB
-
Filesize
72KB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
32KB
-
Filesize
2.9MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
72KB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
72KB
-
Filesize
72KB