Analysis
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30/12/2024, 18:51

Behavioral task: behavioral1
Sample: JaffaCakes118_9c6cbaa7ed17a66eb61a77fb32f03401ec875d915b97ba918c27b450d91c7151.exe
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: JaffaCakes118_9c6cbaa7ed17a66eb61a77fb32f03401ec875d915b97ba918c27b450d91c7151.exe
Resource: win10v2004-20241007-en

General
Target: JaffaCakes118_9c6cbaa7ed17a66eb61a77fb32f03401ec875d915b97ba918c27b450d91c7151.exe
Size: 1.3MB
MD5: 9386df2b0f289298e968f2b7497ec9dc
SHA1: 54df6c886cdccd6b6c29f98cd1a6d0c632dbe3b5
SHA256: 9c6cbaa7ed17a66eb61a77fb32f03401ec875d915b97ba918c27b450d91c7151
SHA512: f34942ca102b184811d128fa3042db4a98ece3f9ad79b4315d634147a8b2026f435d8fdec9db5c59de03a059d8829a0b9d4043ea4c8bed3e843c8c37154a500b
SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config

Signatures

DcRat
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

Dcrat family
Process spawned unexpected child process (42 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
description: Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process (same for all 42 rows)
pid_target: 4024; Process: schtasks.exe; procid_target: 86 (same for all 42 rows)
pid (in the order listed): 956, 1292, 1624, 1452, 4772, 1316, 3480, 3732, 2652, 1668, 1328, 4460, 2024, 4448, 4912, 4404, 3696, 1096, 896, 3156, 4504, 1864, 4708, 4884, 4804, 2060, 2836, 4280, 4952, 956, 1724, 2316, 4876, 1332, 1028, 2676, 2848, 2564, 4308, 3424, 3744, 2580
resource | yara_rule
behavioral2/files/0x000a000000023b7a-10.dat | dcrat
behavioral2/memory/4360-13-0x0000000000380000-0x0000000000490000-memory.dmp | dcrat
Command and Scripting Interpreter: PowerShell (1 TTPs, 17 IoCs)
Run PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid | Process
Process: powershell.exe (same for all 17 rows)
pid: 1172, 4988, 440, 1448, 1016, 4444, 3736, 3168, 2416, 2328, 1852, 3228, 3688, 116, 1464, 4544, 4560
Checks computer location settings (2 TTPs, 17 IoCs)
Looks up the country code configured in the registry, likely for geofencing.
description | ioc | Process
description: Key value queried; ioc: \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation (same for all 17 rows)
Process (in the order listed): WScript.exe, smss.exe, smss.exe, DllCommonsvc.exe, smss.exe, smss.exe, smss.exe, JaffaCakes118_9c6cbaa7ed17a66eb61a77fb32f03401ec875d915b97ba918c27b450d91c7151.exe, DllCommonsvc.exe, DllCommonsvc.exe, smss.exe, smss.exe, smss.exe, smss.exe, smss.exe, smss.exe, smss.exe
Executes dropped EXE (16 IoCs)
pid | Process
4360, 1832, 3140 | DllCommonsvc.exe
516, 2232, 2416, 2208, 1248, 2328, 1192, 3876, 412, 4028, 3536, 1496, 872 | smss.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 13 IoCs)
flow | ioc
ioc: raw.githubusercontent.com (same for all 13 flows)
flow: 27, 38, 39, 42, 51, 52, 17, 18, 48, 50, 53, 43, 44
Drops file in Program Files directory (10 IoCs)
description | ioc | Process
description: File created; Process: DllCommonsvc.exe (same for all 10 rows)
ioc:
- C:\Program Files\Windows NT\Accessories\es-ES\e1ef82546f0b02
- C:\Program Files (x86)\Internet Explorer\ja-JP\powershell.exe
- C:\Program Files\Java\DllCommonsvc.exe
- C:\Program Files\Java\a76d7bf15d8370
- C:\Program Files\Windows NT\Accessories\es-ES\SppExtComObj.exe
- C:\Program Files (x86)\Internet Explorer\ja-JP\e978f868350d50
- C:\Program Files (x86)\Windows Media Player\es-ES\RuntimeBroker.exe
- C:\Program Files (x86)\Windows Media Player\es-ES\9e8d7a4ca61bd9
- C:\Program Files\VideoLAN\VLC\hrtfs\csrss.exe
- C:\Program Files\VideoLAN\VLC\hrtfs\886983d96e3d3e
Drops file in Windows directory (2 IoCs)
description | ioc | Process
File created | C:\Windows\twain_32\DllCommonsvc.exe | DllCommonsvc.exe
File created | C:\Windows\twain_32\a76d7bf15d8370 | DllCommonsvc.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_9c6cbaa7ed17a66eb61a77fb32f03401ec875d915b97ba918c27b450d91c7151.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Modifies registry class (13 IoCs)
description | ioc | Process
description: Key created; ioc: \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings (same for all 13 rows)
Process (in the order listed): smss.exe (7 rows), JaffaCakes118_9c6cbaa7ed17a66eb61a77fb32f03401ec875d915b97ba918c27b450d91c7151.exe (1 row), smss.exe (5 rows)
Scheduled Task/Job: Scheduled Task (1 TTPs, 42 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
Process: schtasks.exe (same for all 42 rows)
pid (in the order listed): 1028, 2676, 2564, 1624, 1668, 4448, 4404, 2316, 3744, 1292, 4460, 4804, 2836, 2848, 956, 2024, 3156, 4876, 1332, 1864, 1452, 3732, 3696, 896, 4504, 1096, 1724, 2580, 3480, 4952, 4772, 4708, 4884, 2060, 956, 4308, 3424, 1316, 2652, 1328, 4912, 4280
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process (the 64 rows grouped by process; the count in parentheses is how many times that pid appears)
DllCommonsvc.exe: 4360 (3), 1832 (3), 3140 (15)
powershell.exe: 4444 (2), 3688 (2), 2328 (2), 4544 (2), 1172 (2), 1464 (2), 116 (2), 2416 (3), 440 (3), 1448 (2), 1016 (3), 4988 (3), 3168 (3), 3228 (3), 4560 (2), 1852 (3), 3736 (2)
smss.exe: 516 (2)
Suspicious use of AdjustPrivilegeToken (33 IoCs)
description | pid | Process
description: Token: SeDebugPrivilege (same for all 33 rows)
DllCommonsvc.exe: 4360, 1832, 3140
powershell.exe: 4444, 3688, 2328, 4544, 1172, 1464, 116, 2416, 440, 1448, 1016, 4988, 3168, 3228, 4560, 1852, 3736
smss.exe: 516, 2232, 2416, 2208, 1248, 2328, 1192, 3876, 412, 4028, 3536, 1496, 872
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target | hits
(identical rows are collapsed; "hits" is how many times the row appears in the original 64-row list)
PID 4504 wrote to memory of 1988 | 4504 | JaffaCakes118_9c6cbaa7ed17a66eb61a77fb32f03401ec875d915b97ba918c27b450d91c7151.exe | 82 | 3
PID 1988 wrote to memory of 5008 | 1988 | WScript.exe | 83 | 3
PID 5008 wrote to memory of 4360 | 5008 | cmd.exe | 85 | 2
PID 4360 wrote to memory of 2328 | 4360 | DllCommonsvc.exe | 93 | 2
PID 4360 wrote to memory of 3688 | 4360 | DllCommonsvc.exe | 94 | 2
PID 4360 wrote to memory of 4444 | 4360 | DllCommonsvc.exe | 95 | 2
PID 4360 wrote to memory of 1832 | 4360 | DllCommonsvc.exe | 98 | 2
PID 1832 wrote to memory of 1172 | 1832 | DllCommonsvc.exe | 109 | 2
PID 1832 wrote to memory of 1464 | 1832 | DllCommonsvc.exe | 110 | 2
PID 1832 wrote to memory of 116 | 1832 | DllCommonsvc.exe | 111 | 2
PID 1832 wrote to memory of 4544 | 1832 | DllCommonsvc.exe | 112 | 2
PID 1832 wrote to memory of 3140 | 1832 | DllCommonsvc.exe | 117 | 2
PID 3140 wrote to memory of 3736 | 3140 | DllCommonsvc.exe | 145 | 2
PID 3140 wrote to memory of 4988 | 3140 | DllCommonsvc.exe | 146 | 2
PID 3140 wrote to memory of 440 | 3140 | DllCommonsvc.exe | 147 | 2
PID 3140 wrote to memory of 3168 | 3140 | DllCommonsvc.exe | 148 | 2
PID 3140 wrote to memory of 1448 | 3140 | DllCommonsvc.exe | 149 | 2
PID 3140 wrote to memory of 2416 | 3140 | DllCommonsvc.exe | 150 | 2
PID 3140 wrote to memory of 4560 | 3140 | DllCommonsvc.exe | 151 | 2
PID 3140 wrote to memory of 1016 | 3140 | DllCommonsvc.exe | 152 | 2
PID 3140 wrote to memory of 1852 | 3140 | DllCommonsvc.exe | 153 | 2
PID 3140 wrote to memory of 3228 | 3140 | DllCommonsvc.exe | 154 | 2
PID 3140 wrote to memory of 516 | 3140 | DllCommonsvc.exe | 165 | 2
PID 516 wrote to memory of 2044 | 516 | smss.exe | 172 | 2
PID 2044 wrote to memory of 676 | 2044 | cmd.exe | 174 | 2
PID 2044 wrote to memory of 2232 | 2044 | cmd.exe | 175 | 2
PID 2232 wrote to memory of 1428 | 2232 | smss.exe | 177 | 2
PID 1428 wrote to memory of 116 | 1428 | cmd.exe | 179 | 2
PID 1428 wrote to memory of 2416 | 1428 | cmd.exe | 181 | 2
PID 2416 wrote to memory of 1048 | 2416 | smss.exe | 182 | 2
PID 1048 wrote to memory of 5032 | 1048 | cmd.exe | 184 | 2
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9c6cbaa7ed17a66eb61a77fb32f03401ec875d915b97ba918c27b450d91c7151.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9c6cbaa7ed17a66eb61a77fb32f03401ec875d915b97ba918c27b450d91c7151.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4504 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1988 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5008 -
C:\providercommon\DllCommonsvc.exe"C:\providercommon\DllCommonsvc.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4360 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2328
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\SppExtComObj.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3688
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\VLC\hrtfs\csrss.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4444
-
-
C:\providercommon\DllCommonsvc.exe"C:\providercommon\DllCommonsvc.exe"5⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1832 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1172
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\Idle.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1464
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\DllCommonsvc.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:116
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\twain_32\DllCommonsvc.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4544
-
-
C:\providercommon\DllCommonsvc.exe"C:\providercommon\DllCommonsvc.exe"6⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3140 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3736
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\smss.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4988
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\taskhostw.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:440
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\explorer.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3168
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\Accessories\es-ES\SppExtComObj.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1448
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\RuntimeBroker.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2416
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\powershell.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4560
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\ja-JP\powershell.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1016
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\TextInputHost.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1852
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Media Player\es-ES\RuntimeBroker.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3228
-
-
C:\providercommon\smss.exe"C:\providercommon\smss.exe"7⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:516 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EzDSmeWZ76.bat"8⤵
- Suspicious use of WriteProcessMemory
PID:2044 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:29⤵PID:676
-
-
C:\providercommon\smss.exe"C:\providercommon\smss.exe"9⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2232 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AJeLhFiBvb.bat"10⤵
- Suspicious use of WriteProcessMemory
PID:1428 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:211⤵PID:116
-
-
C:\providercommon\smss.exe"C:\providercommon\smss.exe"11⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2416 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sQQ1IAg9p0.bat"12⤵
- Suspicious use of WriteProcessMemory
PID:1048 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:213⤵PID:5032
-
-
C:\providercommon\smss.exe"C:\providercommon\smss.exe"13⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2208 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BDITavvsiM.bat"14⤵PID:5028
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:215⤵PID:1292
-
-
C:\providercommon\smss.exe"C:\providercommon\smss.exe"15⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1248 -
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SsFcJDxdf6.bat"
16⤵
PID:972
-
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
17⤵
PID:400
-
C:\providercommon\smss.exe
"C:\providercommon\smss.exe"
17⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2328
-
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kRqsvBC5Qb.bat"
18⤵
PID:5008
-
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
19⤵
PID:3700
-
C:\providercommon\smss.exe
"C:\providercommon\smss.exe"
19⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1192
-
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iVopF68B7o.bat"
20⤵
PID:4420
-
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
21⤵
PID:4668
-
C:\providercommon\smss.exe
"C:\providercommon\smss.exe"
21⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:3876
-
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TdlfhXh7Yo.bat"
22⤵
PID:2688
-
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
23⤵
PID:64
-
C:\providercommon\smss.exe
"C:\providercommon\smss.exe"
23⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:412
-
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Rhkc0SdEF2.bat"
24⤵
PID:1576
-
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
25⤵
PID:1356
-
C:\providercommon\smss.exe
"C:\providercommon\smss.exe"
25⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4028
-
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7C7JiPLtAl.bat"
26⤵
PID:3932
-
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
27⤵
PID:1016
-
C:\providercommon\smss.exe
"C:\providercommon\smss.exe"
27⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:3536
-
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yMeEqlK1gO.bat"
28⤵
PID:4044
-
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
29⤵
PID:864
-
C:\providercommon\smss.exe
"C:\providercommon\smss.exe"
29⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1496
-
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wRcBAgH7Mb.bat"
30⤵
PID:1320
-
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
31⤵
PID:4280
-
C:\providercommon\smss.exe
"C:\providercommon\smss.exe"
31⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:872
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 9 /tr "'C:\providercommon\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:956
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\providercommon\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1292
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 7 /tr "'C:\providercommon\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1624
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files\VideoLAN\VLC\hrtfs\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1452
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\hrtfs\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4772
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files\VideoLAN\VLC\hrtfs\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1316
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3480
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3732
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2652
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 12 /tr "'C:\Program Files\Java\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1668
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Program Files\Java\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1328
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 12 /tr "'C:\Program Files\Java\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4460
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 14 /tr "'C:\Windows\twain_32\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2024
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Windows\twain_32\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4448
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 6 /tr "'C:\Windows\twain_32\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4912
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\providercommon\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4404
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3696
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1096
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:896
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Users\Default User\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3156
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4504
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\providercommon\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1864
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4708
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4884
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows NT\Accessories\es-ES\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4804
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\es-ES\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2060
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows NT\Accessories\es-ES\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2836
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\providercommon\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4280
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\providercommon\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4952
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\providercommon\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:956
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\powershell.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1724
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2316
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4876
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Internet Explorer\ja-JP\powershell.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1332
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\ja-JP\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1028
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Internet Explorer\ja-JP\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2676
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 7 /tr "'C:\providercommon\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2848
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\providercommon\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2564
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 9 /tr "'C:\providercommon\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4308
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Media Player\es-ES\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3424
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\es-ES\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3744
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Media Player\es-ES\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2580
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 1KB
MD5: 7f3c0ae41f0d9ae10a8985a2c327b8fb
SHA1: d58622bf6b5071beacf3b35bb505bde2000983e3
SHA256: 519fceae4d0dd4d09edd1b81bcdfa8aeab4b59eee77a4cd4b6295ce8e591a900
SHA512: 8a8fd17eef071f86e672cba0d8fc2cfed6118aff816100b9d7c06eb96443c04c04bc5692259c8d7ecb1563e877921939c61726605af4f969e3f586f0913ed125
-
Filesize: 2KB
MD5: d85ba6ff808d9e5444a4b369f5bc2730
SHA1: 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256: 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512: 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize: 1KB
MD5: baf55b95da4a601229647f25dad12878
SHA1: abc16954ebfd213733c4493fc1910164d825cac8
SHA256: ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924
SHA512: 24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545
-
Filesize: 944B
MD5: e2efbfd23e33d8d07d019bdd9ca20649
SHA1: 68d3b285c423d311bdf8dc53354f5f4000caf386
SHA256: f4386e3a103dafd6e85bebc2ad649069d168b4da8a0ded51b3ec96fa1408a828
SHA512: b7a961002557ff2efb785f756c9347e250392eab3dcb5168c67e89238e85368a41d0a5bdc94bfbbc192ba427c83e982234b3cf8824b166a69973f3f9df177443
-
Filesize: 944B
MD5: 9b57902ba8287ea15038da415e6f0f01
SHA1: 981d0ce5838ca2940c8cf128412ff56a35344587
SHA256: d4c911bc6521a4f84436dc95db7cf0be7942517a7af909e8e9531d10d9c4d84b
SHA512: fc80f90cecaf1cdc18edcc4c543e31b50169fcf34888b7b9767c08fe89949f0153a43b32c1223e432b59a4d7b3e73bcfa3adf569ab3fcc82f03a8ce925e2e070
-
Filesize: 944B
MD5: 2d06ce10e4e5b9e174b5ebbdad300fad
SHA1: bcc1c231e22238cef02ae25331320060ada2f131
SHA256: 87d1dd56f12a88907ba5aebca8d555443d6f77ed214497277cc8bcd31c669f2c
SHA512: 38cfbeb59605854ae4fcfae8619a6b26bd916148acfb5636383672a3960b45ca41fed5c241f97465129e92eaf78c4c85dcf258f1ab501a2bf771287ce04f76a7
-
Filesize: 944B
MD5: a9451a6b9669d49bd90704dff21beb85
SHA1: 5f93d2dec01a31e04fc90c28eb1c5ca62c6fff80
SHA256: b2ff191507379930b97a212f869c3774c20b274e8fc9fcc96da5c154fb0e3056
SHA512: 06634cb578f6ce8d721e6306004082073fc224b91ceea37ef870df87b12b2d5f59e7d08b20b520787a1d13f3edbbb004197bf70f180f86dd7f401a5ad289ccb5
-
Filesize: 944B
MD5: 731b557e0ee947ffea50ddda1428652d
SHA1: 86d1fb26c97231eb9644f4d6d9ac7fc2636e58be
SHA256: 59f81e22931690346777739fb36d5e262c4d3e91aa2ef466925d9500e5951add
SHA512: 664d368f2cc51dffd46036fea01c18da1a87f6cf301b0d983ac580b00f2abea11e66370c4ef40428d24e225b061ea409e87e926ddc3842e782a36e337f9fb906
-
Filesize: 944B
MD5: 816d03b14553d8d2cd19771bf135873f
SHA1: 3efdd566ca724299705e7c30d4cbb84349b7a1ae
SHA256: 70d3acdba0037de3d175aca44a86daf8392b2350f6f8b026b7accb02f95a9304
SHA512: 365ac792e05619e5ef42b40f1e4dd5d1ebb18a5a409be9c5428e52be7896f4b18eef2a93a4e0f5e1930996bf70798fe45fc5b6d829687d975191015944dbbdbd
-
Filesize: 944B
MD5: c65338524586fc00cf00e679a7d4a1f4
SHA1: 62abf26bfb979dcbf7c7649cf8a681c2a8c7c9ae
SHA256: faa246e6b356f55ad8b18cea908dbf9035f67feaa06f8259d934306e13e88bf6
SHA512: c6721362afa4998c60ff60225a7b7571aaf1dbc8cb624ad7557b365a37df26e629763fa052dc31904b3175587e940d7e0630362620870c2c7351960a14c29310
-
Filesize: 944B
MD5: 6d3e9c29fe44e90aae6ed30ccf799ca8
SHA1: c7974ef72264bbdf13a2793ccf1aed11bc565dce
SHA256: 2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d
SHA512: 60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a
-
Filesize: 944B
MD5: 15dde0683cd1ca19785d7262f554ba93
SHA1: d039c577e438546d10ac64837b05da480d06bf69
SHA256: d6fa39eab7ee36f44dc3f9f2839d098433db95c1eba924e4bcf4e5c0d268d961
SHA512: 57c0e1b87bc1c136f0d39f3ce64bb8f8274a0491e4ca6e45e5c7f9070aa9d9370c6f590ce37cd600b252df2638d870205249a514c43245ca7ed49017024a4672
-
Filesize: 191B
MD5: e6475aeedafacf61972fcd9a828f4ec1
SHA1: fc2be0e7e5ba587d9f1c4382fb40ae7efc48e718
SHA256: 2e63d983238011ac6a5e1d1406f61aa176de8da5c012f7c41068b8a2b709c9a9
SHA512: e4a8b5b7c1e74de0648389804cec7d78dcb750b18976e40d1c804116b66477fdee65e821ee9e40bfe309f1a86eea17913b9451a6414232e2d028b58793cc7913
-
Filesize: 191B
MD5: 9420738fee254b1a35d73f145fca83b6
SHA1: bc6b15a901f5322c3c3fc71b0ec1f40cee77aaff
SHA256: 64357b7820d668fa9c8912c8971b60406d804d53900fb989db4ea0814aeb0428
SHA512: 9d662e6c5df5b97076f819d2d154913659cededc23098949fe275011211b4d02f896b8a8a6e14893f9c22dc15156cf53e186897d4f246c592e845cbde2726da6
-
Filesize: 191B
MD5: a323156b939b952841fb0e3a99a5bb84
SHA1: 5c7665c5dc53bb11f54f07447c2bd37fbc81c7f3
SHA256: 4db6ebf44315069be34542f600189b46f88b4ff89b083caa0d0773a1ca6149d3
SHA512: 5e6b8f5b790928511036df44dab77a0b2f2f87ffb511cf36655079d2ad269d42b592d5c94094c2e20a50f1907825d05381db68e60769d20a842aec102035d4b0
-
Filesize: 191B
MD5: 4c7d79bcdf1103f033fbfb930d8de335
SHA1: 4b8db1ae164f72379ccbd564c6ce0aa4a2bee36d
SHA256: af33b09c1de4c2091ba732eb6f0bea3dcc37ad99e592915e6b987ce4b694d8e1
SHA512: 0542d9ff7023aec606681eee66d866351caf0a9d1472467f75729c0fdc11ca99cd58a96f1cc9cdd7456d1fa098eb1de04f77b8c443ba0e5c65508a875cb84bf9
-
Filesize: 191B
MD5: 69743dd4e5951017ad2d6dca543ac81a
SHA1: ea42f3a54d87c1a9157b48720325751b791709ec
SHA256: dd2ead4ef2ce96922b0e9d86e9e2a324e10de75b8ffe057b7e3e9af7b6436a69
SHA512: a85c70d5ddc079517d233c8d28d26369a26d3da297d4fdcb74deecec776242ee098de1805b0ca45f00eea870f08cf8f8168041b99e39cabc9d397a16812a3662
-
Filesize: 191B
MD5: 32ab75006486a9d58018e1ba60e4df75
SHA1: 6c26df013e60b5c4b0ea7e6c8e58e73209a6bc6b
SHA256: 7ed1cd06250d43f141002a34e22fff87b8e126acc1c2229d683af77e8f26e75e
SHA512: 329a459f1ff07e0c68e0a2d5ffad8fde1c99bd02551f4eb933f4a6f76df02cf519755bdaf1fcc7705f509cd86c667d3af229d6374fc584101c5ef12cbd0d09c7
-
Filesize: 191B
MD5: a455425660b1663898004aefdbd12dde
SHA1: f6f8d9fa954603c9a8c2cb7e15852a632a95d3de
SHA256: 010b784e1bfb01264c884ea7707cfc00f1db4b2de0807a1b2926bf479bcae3ae
SHA512: 2717570b382d0851c7daf265a0339696de93814a2173e27969bbe75f5e6ebe15aeb9ca34edca7a7df64707c0eb980d32ef1c3ac9999f97a75b39dd70105a04e4
-
Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize: 191B
MD5: dada77dd59bdca6f3ec6f3df009b2c28
SHA1: 1d70495fe9b7524f76af0cd711afcf3f834a1594
SHA256: 7e5a609a4e0d3c5e0d8af0dd2d7b791750be703d00bfa09416debab987c903ad
SHA512: 1b490046d26dc1874130cc81e5aee2a9b6de036d88b995a0e702ac0a88f712327256fe53c1d4a337d241b13aa7c66049609ec1508183610389b51820c4a6f1cd
-
Filesize: 191B
MD5: 9e48b9a099d261ffe1e928af42c25a64
SHA1: c1273951731f051cd9b91e3c79896549d7b1fa4a
SHA256: 494e6646d8cd186ce5b6d1168dfc349d77daef5ec9125916322d56b2736b25eb
SHA512: e1fd1121baa10df5213c7d522f1c3eef851a66b294a3f8c5436743cefba202e208a7cccf57f85d95eb15d3b94bba61b019c116fe3de19d8940762653140d1da2
-
Filesize: 191B
MD5: c258118c0874da12d4a71b976d4eee6b
SHA1: 780f802755c988205ed7bdf1b08f8a519d3a0471
SHA256: 7ca674e63ebe3bf305c9e7d9e3e73fb6a35eba4ec1fbe550dea9f065e3900974
SHA512: 6149f27f6162cc01be73bd0e7a361907727115f43cbb2e42502ab227f4c0a4f1e656bb8a4e6b4c4c074a027d9026fae43cc6b5b86e9b817a63d21523d2ebde1a
-
Filesize: 191B
MD5: 1c8ed158721bb7792bf14501f0e03cab
SHA1: 3b3e9b5615bb88f4da7f7b1c4e0d8488c55c8163
SHA256: 6903aaa65fc1456717deeaa03cadaf4109e9e36eea876fa1ce093cce6913c877
SHA512: f6d2d81f543fe6d8d23b7a540dbfd3b92fafe6cb21369a527bd23b5e4fd683f9558a5275d2e9a9ecd908a2c75defe60d838ba52e06c8a13fe27b73623f79f975
-
Filesize: 191B
MD5: 8d5eb33e4c836015e09ebf4caa348d79
SHA1: 4834669788a495a7dd589947ace378ef3df675da
SHA256: 6f2fb9641feb86841c97ee31c570e540619aefaeca927b5207a75346db5a0752
SHA512: 9055d228285034e071e59f7f876e3438e9ade5f7646b090b87316b400777c92d84095297e3a639979c7767dfa6815670b0bf9157349c98e968ab67ea3ab94be4
-
Filesize: 36B
MD5: 6783c3ee07c7d151ceac57f1f9c8bed7
SHA1: 17468f98f95bf504cc1f83c49e49a78526b3ea03
SHA256: 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512: c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8
-
Filesize: 1.0MB
MD5: bd31e94b4143c4ce49c17d3af46bcad0
SHA1: f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256: b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512: f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
Filesize: 197B
MD5: 8088241160261560a02c84025d107592
SHA1: 083121f7027557570994c9fc211df61730455bb5
SHA256: 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA512: 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478