Analysis
- max time kernel: 149s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 21-12-2024 18:48
Behavioral task: behavioral1
- Sample: JaffaCakes118_9dbc25a9ac31a1ae014b8af5d0d8a34a1f6ac29a292f8baad2883a898980e29f.exe
- Resource: win7-20240903-en

Behavioral task: behavioral2
- Sample: JaffaCakes118_9dbc25a9ac31a1ae014b8af5d0d8a34a1f6ac29a292f8baad2883a898980e29f.exe
- Resource: win10v2004-20241007-en
General
- Target: JaffaCakes118_9dbc25a9ac31a1ae014b8af5d0d8a34a1f6ac29a292f8baad2883a898980e29f.exe
- Size: 1.3MB
- MD5: cbde1ed5235d32fcab680dc8016f11a0
- SHA1: fa4eff8f5657b0e1fbe9ba397003b6867483d0f0
- SHA256: 9dbc25a9ac31a1ae014b8af5d0d8a34a1f6ac29a292f8baad2883a898980e29f
- SHA512: 2d0018663c97093032564ab8d7ab3d49335901943d04287247d2dcd9a5afca3a055581daf295f8f128cf966964b06ef32113421837968db3cf381e7f54773fe9
- SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config

Signatures
- DcRat
  DarkCrystal (DC) is a new .NET RAT active since June 2019, capable of loading additional plugins.
- Dcrat family
- Process spawned unexpected child process (39 IoCs)
  This typically indicates the parent process was compromised via an exploit or macro.
  resource | yara_rule
  behavioral2/files/0x000a000000023b85-10.dat | dcrat
  behavioral2/memory/1996-13-0x0000000000420000-0x0000000000530000-memory.dmp | dcrat
- Command and Scripting Interpreter: PowerShell (1 TTPs, 14 IoCs)
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Checks computer location settings (2 TTPs, 14 IoCs)
  Looks up the country code configured in the registry, likely for geofencing.
- Executes dropped EXE (12 IoCs)
  pid | Process
  1996 | DllCommonsvc.exe
  4544 | conhost.exe
  5088 | conhost.exe
  4124 | conhost.exe
  2492 | conhost.exe
  3240 | conhost.exe
  2504 | conhost.exe
  4544 | conhost.exe
  1688 | conhost.exe
  3084 | conhost.exe
  732 | conhost.exe
  4576 | conhost.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 12 IoCs)
  flow | ioc
  41 | raw.githubusercontent.com
  53 | raw.githubusercontent.com
  57 | raw.githubusercontent.com
  17 | raw.githubusercontent.com
  37 | raw.githubusercontent.com
  38 | raw.githubusercontent.com
  46 | raw.githubusercontent.com
  51 | raw.githubusercontent.com
  52 | raw.githubusercontent.com
  16 | raw.githubusercontent.com
  23 | raw.githubusercontent.com
  43 | raw.githubusercontent.com
- Drops file in Program Files directory (6 IoCs)
  description | ioc | Process
  File created | C:\Program Files\Windows Photo Viewer\38384e6a620884 | DllCommonsvc.exe
  File created | C:\Program Files\Common Files\DESIGNER\SppExtComObj.exe | DllCommonsvc.exe
  File created | C:\Program Files\Common Files\DESIGNER\e1ef82546f0b02 | DllCommonsvc.exe
  File created | C:\Program Files\Microsoft Office 15\ClientX64\dllhost.exe | DllCommonsvc.exe
  File created | C:\Program Files\Microsoft Office 15\ClientX64\5940a34987c991 | DllCommonsvc.exe
  File created | C:\Program Files\Windows Photo Viewer\SearchApp.exe | DllCommonsvc.exe
- Drops file in Windows directory (6 IoCs)
  description | ioc | Process
  File created | C:\Windows\es-ES\cmd.exe | DllCommonsvc.exe
  File created | C:\Windows\es-ES\ebf1f9fa8afd6d | DllCommonsvc.exe
  File created | C:\Windows\RemotePackages\lsass.exe | DllCommonsvc.exe
  File created | C:\Windows\RemotePackages\6203df4a6bafc7 | DllCommonsvc.exe
  File created | C:\Windows\TAPI\spoolsv.exe | DllCommonsvc.exe
  File created | C:\Windows\TAPI\f3b6ecef712a24 | DllCommonsvc.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_9dbc25a9ac31a1ae014b8af5d0d8a34a1f6ac29a292f8baad2883a898980e29f.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
- Modifies registry class (12 IoCs)
- Scheduled Task/Job: Scheduled Task (1 TTPs, 39 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
- Suspicious use of AdjustPrivilegeToken (26 IoCs)
- Suspicious use of WriteProcessMemory (64 IoCs)
- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

[depth 1] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9dbc25a9ac31a1ae014b8af5d0d8a34a1f6ac29a292f8baad2883a898980e29f.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9dbc25a9ac31a1ae014b8af5d0d8a34a1f6ac29a292f8baad2883a898980e29f.exe"
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID: 4712

[depth 2] C:\Windows\SysWOW64\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 3328

[depth 3] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 912

[depth 4] C:\providercommon\DllCommonsvc.exe
  Command line: "C:\providercommon\DllCommonsvc.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1996

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 3636
[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\sihost.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 3704

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\spoolsv.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 3168

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Photo Viewer\SearchApp.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 3156

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\TAPI\spoolsv.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2636

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\conhost.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 4764

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 940

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\es-ES\cmd.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 3244

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\DESIGNER\SppExtComObj.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 3160

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\RemotePackages\lsass.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2576

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office 15\ClientX64\dllhost.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2924

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\sysmon.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2692

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Libraries\dllhost.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1232

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Registry.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1040
[depth 5] C:\providercommon\conhost.exe
  Command line: "C:\providercommon\conhost.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 4544

[depth 6] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DFgOOKl5EO.bat"
  - Suspicious use of WriteProcessMemory
  PID: 3208

[depth 7] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 3708

[depth 7] C:\providercommon\conhost.exe
  Command line: "C:\providercommon\conhost.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 5088

[depth 8] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\H7kUlUtrsw.bat"
  - Suspicious use of WriteProcessMemory
  PID: 2072

[depth 9] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 1192

[depth 9] C:\providercommon\conhost.exe
  Command line: "C:\providercommon\conhost.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 4124

[depth 10] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2K3DLFE7WC.bat"
  - Suspicious use of WriteProcessMemory
  PID: 4100

[depth 11] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 940

[depth 11] C:\providercommon\conhost.exe
  Command line: "C:\providercommon\conhost.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2492

[depth 12] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AJeLhFiBvb.bat"
  - Suspicious use of WriteProcessMemory
  PID: 1976

[depth 13] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2692

[depth 13] C:\providercommon\conhost.exe
  Command line: "C:\providercommon\conhost.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 3240

[depth 14] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PliZKNaLvF.bat"
  PID: 3484

[depth 15] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 3556
[depth 15] C:\providercommon\conhost.exe
  Command line: "C:\providercommon\conhost.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  PID: 2504

[depth 16] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XkJigN4PJf.bat"
  PID: 3688

[depth 17] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 3444

[depth 17] C:\providercommon\conhost.exe
  Command line: "C:\providercommon\conhost.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  PID: 4544

[depth 18] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FBiR4PpyYA.bat"
  PID: 4764

[depth 19] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 4892

[depth 19] C:\providercommon\conhost.exe
  Command line: "C:\providercommon\conhost.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  PID: 1688

[depth 20] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xHU7fKnwSZ.bat"
  PID: 4876

[depth 21] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 3712

[depth 21] C:\providercommon\conhost.exe
  Command line: "C:\providercommon\conhost.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  PID: 3084

[depth 22] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\G2aNa3Lme8.bat"
  PID: 4280

[depth 23] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 800

[depth 23] C:\providercommon\conhost.exe
  Command line: "C:\providercommon\conhost.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  PID: 732

[depth 24] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\57xCWyooww.bat"
  PID: 2724

[depth 25] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 4548

[depth 25] C:\providercommon\conhost.exe
  Command line: "C:\providercommon\conhost.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  PID: 4576

[depth 26] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\J97QZsi4Oz.bat"
  PID: 4996

[depth 27] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 4032
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihosts" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4068
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4372
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihosts" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4924
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\providercommon\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4552
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1612
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3512
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Photo Viewer\SearchApp.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:756
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\SearchApp.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4124
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Photo Viewer\SearchApp.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:956
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Windows\TAPI\spoolsv.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2024
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\TAPI\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4984
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Windows\TAPI\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4944
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\providercommon\conhost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1208
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2948
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4968
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\providercommon\csrss.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3972
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2012
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:856
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Windows\es-ES\cmd.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5024
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\es-ES\cmd.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:544
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Windows\es-ES\cmd.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:736
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 11 /tr "'C:\Program Files\Common Files\DESIGNER\SppExtComObj.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1952
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files\Common Files\DESIGNER\SppExtComObj.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1228
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 14 /tr "'C:\Program Files\Common Files\DESIGNER\SppExtComObj.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1420
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Windows\RemotePackages\lsass.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4760
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\RemotePackages\lsass.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1868
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Windows\RemotePackages\lsass.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3908
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\dllhost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1004
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\dllhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2304
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\dllhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:448
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 5 /tr "'C:\providercommon\sysmon.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4400
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\providercommon\sysmon.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1128
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 5 /tr "'C:\providercommon\sysmon.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3608
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Libraries\dllhost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4548
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Public\Libraries\dllhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4496
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Libraries\dllhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5072
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Registry.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2556
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Users\Public\Registry.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4360
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Registry.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1588
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize 1KB
MD5 baf55b95da4a601229647f25dad12878
SHA1 abc16954ebfd213733c4493fc1910164d825cac8
SHA256 ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924
SHA512 24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545
-
Filesize 2KB
MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize 944B
MD5 6d3e9c29fe44e90aae6ed30ccf799ca8
SHA1 c7974ef72264bbdf13a2793ccf1aed11bc565dce
SHA256 2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d
SHA512 60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a
-
Filesize 944B
MD5 2e907f77659a6601fcc408274894da2e
SHA1 9f5b72abef1cd7145bf37547cdb1b9254b4efe9d
SHA256 385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233
SHA512 34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721
-
Filesize 944B
MD5 5f0ddc7f3691c81ee14d17b419ba220d
SHA1 f0ef5fde8bab9d17c0b47137e014c91be888ee53
SHA256 a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5
SHA512 2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3
-
Filesize 944B
MD5 cadef9abd087803c630df65264a6c81c
SHA1 babbf3636c347c8727c35f3eef2ee643dbcc4bd2
SHA256 cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438
SHA512 7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085
-
Filesize 944B
MD5 e243a38635ff9a06c87c2a61a2200656
SHA1 ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc
SHA256 af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f
SHA512 4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4
-
Filesize 944B
MD5 aaaac7c68d2b7997ed502c26fd9f65c2
SHA1 7c5a3731300d672bf53c43e2f9e951c745f7fbdf
SHA256 8724dc2c3c8e8f17aeefae44a23741b1ea3b43c490fbc52fd61575ffe1cd82bb
SHA512 c526febd9430413b48bed976edd9a795793ad1f06c8ff4f6b768b4ad63f4d2f06b9da72d4fcfa7cb9530a64e2dc3554f5ad97fd0ab60129701d175f2724ef1ac
-
Filesize 194B
MD5 ec91437bf6956486478bfc96bb46d43c
SHA1 15664d8af51c21fb6d2901494f1b9b5ed2e28824
SHA256 ddba01789ccffbf642faea08f9102bbc0a7d7048e04941aba6cd1f8be9bd5469
SHA512 092d6cccc40c6fa323bdb46959b8524d703cb941f2e08761d4650b95514d195a42507049e180b0858663fce33f3a2ee3398a8572bf0ece2852c4c31e86bdc2ab
-
Filesize 194B
MD5 501726ca7bb08dbd709480eb1106c8db
SHA1 7e4b5c2b871384a5f94bb7d3faf3cf013a81abb1
SHA256 9b7c7ec7a29285d17502f487030599880297c3b19caf950c8969832b4f2b05e2
SHA512 a89ce8c81d34c20729b76581f7cbee9232a9ec551ba3fa6b5d0594f68a588c197c8febb4fce5b2f11c1075bbcff26049eb8d4b3105b889b6ba09b8dee0ea38eb
-
Filesize 194B
MD5 4ab7d4632abeb0b50605a88a2e4c72ac
SHA1 eff68645846c64823c04c080870b61ada6f66152
SHA256 bb2c93c50314b83de7ed42ef3fc8e7e59e105e15b12359751da4d52ab9af37fd
SHA512 4bab4cf0bed595a85bd5ca29f7251d9b4617647ba4b936803b89f2399ee09c03f92e60c205333c7d3c9be2da5fa747213e9e16ecda9550b560e0f8c29f2c8ecc
-
Filesize 194B
MD5 0ec08ed239a3b6e0115903ff2bab1674
SHA1 93e69b9d5e5855811ccf97eb51bdeffa15b93489
SHA256 90460f8936f8be8b2e96fbc1cbd47b8b6817362f00576da49856663fcad4f755
SHA512 3ccfc82bf7704c769eda75906863f90ebaf1418bf6f3c5020b6385d90906c5052589de3bf50cdda15d4d670572b100e00c9cce92fa454a8b8c101a41cb0ee9c0
-
Filesize 194B
MD5 0a45a4732a31c9e9bbe501977a2b523e
SHA1 17c67556d8d920fc1f7f67afddab5937a9722d7a
SHA256 c96942468cace763b6948213f3c452c0ed152b2bfaeb6522491fe446b81a656f
SHA512 0272d6faa9502042dd6e20eb98ca56c7183906cfecb16d42eadea85da94b109ce41c5b2c0894e5281c838c49b4214e06ba817ebd333dabadb7e551fd440659e1
-
Filesize 194B
MD5 58a86d34b8b3ef06d524e4580fcbff17
SHA1 917cc00224b272a037488318e17ec7d3191e0fe6
SHA256 6609e966bd91de8b793cb2af1db7a7dd582f8abf146d5466605f549443b45cb0
SHA512 3247e1b3634bc0a29cb4fdcc533779ebe5d63c94c874da689f5751cffd4307e668bb058b58cd9dd92442d938698442ce025738a9db964fd7f1e17e781511f009
-
Filesize 194B
MD5 0a3537378ee9ff4c2a269791bfca4bad
SHA1 c2f86bcc6aaeb34af37ce5afc26c6b00bfe996ed
SHA256 7f4a5e42662c5a88debb23242a6d6c64abc3eff77eef2fd4feb3c1bf334ffb89
SHA512 9f73b09d49e26e6a39cfc2fb8a5abc63403db88693092625af0e7d36271f36e629d6e90f4f176d7452f2da755e22e1c7a93d1785dcd565f0daefe52b33e25d28
-
Filesize 194B
MD5 904b812d1b6f56e685289ff823467cc7
SHA1 996a9a283f9a4296b696964e088df21b02fc3f42
SHA256 4152d05a91e8769a0a864e3b8c571a706d66a0612552dfd3a9354c2336f5f870
SHA512 b0944787a51e9d6d2f69186d55bea8bd31a327d647d6e018242535056e89bdc37402f0edc5cf4c11bbf1e34fa2445752c4fcb26866e329a653da2b330f602e05
-
Filesize 194B
MD5 7c3aa103d95b0f972ed221a048086c8d
SHA1 843a703914f7c79270d8ce1f9cd96d9abcb6d24c
SHA256 aad1570084ec38d5408ba524985eb8120e8b45d5864789e1f181873aac3f3048
SHA512 eee20c947a05bc4282d4ed7a569dced60a9d6d41706c15fe7b5cd4a0f735524b23a93ebdc958bf20db6b16b2289f9df2572b6601a9352f76158362141b63251c
-
Filesize 194B
MD5 b0c965a526939a385194fc5b2cd297ea
SHA1 7db402220cd47180fd6ab22b2caa13e57fee9dc4
SHA256 601a5bf44a69ef2fa54d8de10d44ee9d0484a0b089904867ffe3cf989065f1b0
SHA512 af909fddda4eb5eb9d0ad1b681d0278052b4cf599bab4c375342e5e1a8a50d490736078ff870d0f44c2d4a01f67a45b35452f4b21c0c3408ec95b769cac2da74
-
Filesize 60B
MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize 194B
MD5 01e3ca6977b77e767bf360cbf28bcdcb
SHA1 ae442bf08ae764c874f074478505ac2683f80508
SHA256 003b157a086f666f776c25c3bc996ec66d49078308e6eb012da1155e482dc1b2
SHA512 e39c458391c93e8aa170d6b74091665389b9972784c56556dd2b2ab323fd100bf295b62007153ff850d8aefd4d33504923465c1443ec1815972fd68bbc047a37
-
Filesize 36B
MD5 6783c3ee07c7d151ceac57f1f9c8bed7
SHA1 17468f98f95bf504cc1f83c49e49a78526b3ea03
SHA256 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512 c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8
-
Filesize 1.0MB
MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
Filesize 197B
MD5 8088241160261560a02c84025d107592
SHA1 083121f7027557570994c9fc211df61730455bb5
SHA256 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA512 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478