Analysis
max time kernel: 143s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted: 21-12-2024 19:01
Behavioral task behavioral1
Sample: JaffaCakes118_bc87c6a24478eb41c11dec572df0caf3f0248fb74c48cd4c9326afd7a9e71389.exe
Resource: win7-20240708-en
Behavioral task behavioral2
Sample: JaffaCakes118_bc87c6a24478eb41c11dec572df0caf3f0248fb74c48cd4c9326afd7a9e71389.exe
Resource: win10v2004-20241007-en
General
Target: JaffaCakes118_bc87c6a24478eb41c11dec572df0caf3f0248fb74c48cd4c9326afd7a9e71389.exe
Size: 1.3MB
MD5: ed531ca4591367805def6b98dd6d3e95
SHA1: c854da71a1f5d77c00188e84b2bacb5245d3a11e
SHA256: bc87c6a24478eb41c11dec572df0caf3f0248fb74c48cd4c9326afd7a9e71389
SHA512: 4b718fcf912211419418ede8aedd03fc5ea8a2118141dfc92d96c28096d013faf0f809888af25c1ef204cb6f44b06ca449ff10febe41078e5c3e2ad1605dd534
SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.
Dcrat family
Process spawned unexpected child process 64 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
resource  yara_rule
behavioral2/files/0x000a000000023b91-10.dat  dcrat
behavioral2/memory/2060-13-0x0000000000DE0000-0x0000000000EF0000-memory.dmp  dcrat
Command and Scripting Interpreter: PowerShell 1 TTPs 28 IoCs
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
Checks computer location settings 2 TTPs 18 IoCs
Looks up the country code configured in the registry, likely as a geofence.
Executes dropped EXE 17 IoCs
Legitimate hosting services abused for malware hosting/C2 1 TTPs 16 IoCs
Drops file in Program Files directory 17 IoCs
Drops file in Windows directory 7 IoCs
description  ioc  Process
File created  C:\Windows\Media\Savanna\dllhost.exe  DllCommonsvc.exe
File created  C:\Windows\Media\Savanna\5940a34987c991  DllCommonsvc.exe
File created  C:\Windows\en-US\wininit.exe  DllCommonsvc.exe
File created  C:\Windows\en-US\56085415360792  DllCommonsvc.exe
File created  C:\Windows\SystemResources\ShellComponents.DragDrop\pris\DllCommonsvc.exe  DllCommonsvc.exe
File created  C:\Windows\SystemResources\ShellComponents.DragDrop\pris\a76d7bf15d8370  DllCommonsvc.exe
File created  C:\Windows\rescache\_merged\4245263321\RuntimeBroker.exe  DllCommonsvc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc  Process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  JaffaCakes118_bc87c6a24478eb41c11dec572df0caf3f0248fb74c48cd4c9326afd7a9e71389.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  WScript.exe
Modifies registry class 17 IoCs
Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of AdjustPrivilegeToken 44 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bc87c6a24478eb41c11dec572df0caf3f0248fb74c48cd4c9326afd7a9e71389.exe (PID 1268)
Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bc87c6a24478eb41c11dec572df0caf3f0248fb74c48cd4c9326afd7a9e71389.exe"
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WScript.exe (PID 4992)
  Command line: "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe (PID 4012)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

      C:\providercommon\DllCommonsvc.exe (PID 2060)
      Command line: "C:\providercommon\DllCommonsvc.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4820)
        Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4620)
        Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\sysmon.exe'
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 5108)
        Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Multimedia Platform\StartMenuExperienceHost.exe'
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4936)
        Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\Shared Gadgets\conhost.exe'
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2324)
        Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\smss.exe'
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3300)
        Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\Update\Install\{AFD1DC19-D740-4861-ADFA-3BC6A9F6A223}\lsass.exe'
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3224)
        Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\csrss.exe'
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3376)
        Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\spoolsv.exe'
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1740)
        Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\unsecapp.exe'
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3556)
        Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\upfc.exe'
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3200)
        Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\StartMenuExperienceHost.exe'
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1680)
        Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Media\Savanna\dllhost.exe'
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4164)
        Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\Microsoft\Framework\spoolsv.exe'
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        C:\Windows\System32\cmd.exe (PID 1812)
        Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nFSZlC6Oy0.bat"
        - Suspicious use of WriteProcessMemory

          C:\Windows\system32\w32tm.exe (PID 4644)
          Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

          C:\providercommon\DllCommonsvc.exe (PID 2672)
          Command line: "C:\providercommon\DllCommonsvc.exe"
          - Checks computer location settings
          - Executes dropped EXE
          - Drops file in Program Files directory
          - Drops file in Windows directory
          - Modifies registry class
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe' (level 7)
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:1900
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\upfc.exe' (level 7)
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2356
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Multimedia Platform\spoolsv.exe' (level 7)
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:4760
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dwm.exe' (level 7)
- Command and Scripting Interpreter: PowerShell
PID:3408
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\en-US\Idle.exe' (level 7)
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:836
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\System.exe' (level 7)
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:4408
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\WmiPrvSE.exe' (level 7)
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2040
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\wininit.exe' (level 7)
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:3096
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\en-US\wininit.exe' (level 7)
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:5012
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\fontdrvhost.exe' (level 7)
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:1268
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\Registry.exe' (level 7)
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2336
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SystemResources\ShellComponents.DragDrop\pris\DllCommonsvc.exe' (level 7)
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:4276
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\WaaSMedicAgent.exe' (level 7)
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2600
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\taskhostw.exe' (level 7)
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:5016
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\lsass.exe' (level 7)
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:684
-
-
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UVwmmpoYNR.bat" (level 7)
PID:1528
-
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 (level 8)
PID:32
-
-
C:\Program Files (x86)\Windows Multimedia Platform\spoolsv.exe
"C:\Program Files (x86)\Windows Multimedia Platform\spoolsv.exe" (level 8)
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2560 -
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\p5ITN63wlJ.bat" (level 9)
PID:4952
-
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 (level 10)
PID:1300
-
-
C:\Program Files (x86)\Windows Multimedia Platform\spoolsv.exe
"C:\Program Files (x86)\Windows Multimedia Platform\spoolsv.exe" (level 10)
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:3740 -
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wtOcRLEbie.bat" (level 11)
PID:3252
-
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 (level 12)
PID:4684
-
-
C:\Program Files (x86)\Windows Multimedia Platform\spoolsv.exe
"C:\Program Files (x86)\Windows Multimedia Platform\spoolsv.exe" (level 12)
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:924 -
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PX74P8KQcP.bat" (level 13)
PID:432
-
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 (level 14)
PID:4164
-
-
C:\Program Files (x86)\Windows Multimedia Platform\spoolsv.exe
"C:\Program Files (x86)\Windows Multimedia Platform\spoolsv.exe" (level 14)
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1152 -
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4rzlnKig63.bat" (level 15)
PID:2200
-
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 (level 16)
PID:2216
-
-
C:\Program Files (x86)\Windows Multimedia Platform\spoolsv.exe
"C:\Program Files (x86)\Windows Multimedia Platform\spoolsv.exe" (level 16)
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4572 -
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ounU5LkXKE.bat" (level 17)
PID:3972
-
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 (level 18)
PID:1604
-
-
C:\Program Files (x86)\Windows Multimedia Platform\spoolsv.exe
"C:\Program Files (x86)\Windows Multimedia Platform\spoolsv.exe" (level 18)
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2612 -
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\c38FLB8gIG.bat" (level 19)
PID:5072
-
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 (level 20)
PID:1920
-
-
C:\Program Files (x86)\Windows Multimedia Platform\spoolsv.exe
"C:\Program Files (x86)\Windows Multimedia Platform\spoolsv.exe" (level 20)
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1536 -
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5irhJyFUC1.bat" (level 21)
PID:2428
-
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 (level 22)
PID:3724
-
-
C:\Program Files (x86)\Windows Multimedia Platform\spoolsv.exe
"C:\Program Files (x86)\Windows Multimedia Platform\spoolsv.exe" (level 22)
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2900 -
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aJcBxrOCPY.bat" (level 23)
PID:2912
-
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 (level 24)
PID:4640
-
-
C:\Program Files (x86)\Windows Multimedia Platform\spoolsv.exe
"C:\Program Files (x86)\Windows Multimedia Platform\spoolsv.exe" (level 24)
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:3584 -
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VG36Hwy0Lv.bat" (level 25)
PID:1808
-
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 (level 26)
PID:3536
-
-
C:\Program Files (x86)\Windows Multimedia Platform\spoolsv.exe
"C:\Program Files (x86)\Windows Multimedia Platform\spoolsv.exe" (level 26)
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1008 -
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Lg3y2yDdyq.bat" (level 27)
PID:2652
-
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 (level 28)
PID:5100
-
-
C:\Program Files (x86)\Windows Multimedia Platform\spoolsv.exe
"C:\Program Files (x86)\Windows Multimedia Platform\spoolsv.exe" (level 28)
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:3572 -
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mylROGge0S.bat" (level 29)
PID:4484
-
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 (level 30)
PID:2384
-
-
C:\Program Files (x86)\Windows Multimedia Platform\spoolsv.exe
"C:\Program Files (x86)\Windows Multimedia Platform\spoolsv.exe" (level 30)
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2992 -
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xkGYwzkQoc.bat" (level 31)
PID:4876
-
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 (level 32)
PID:3168
-
-
C:\Program Files (x86)\Windows Multimedia Platform\spoolsv.exe
"C:\Program Files (x86)\Windows Multimedia Platform\spoolsv.exe" (level 32)
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:408 -
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ST975DOJvB.bat" (level 33)
PID:1724
-
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 (level 34)
PID:1732
-
-
C:\Program Files (x86)\Windows Multimedia Platform\spoolsv.exe
"C:\Program Files (x86)\Windows Multimedia Platform\spoolsv.exe" (level 34)
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:5024 -
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4rzlnKig63.bat" (level 35)
PID:2624
-
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 (level 36)
PID:4220
-
-
C:\Program Files (x86)\Windows Multimedia Platform\spoolsv.exe
"C:\Program Files (x86)\Windows Multimedia Platform\spoolsv.exe" (level 36)
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4760
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 6 /tr "'C:\providercommon\sysmon.exe'" /f (level 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4748
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\providercommon\sysmon.exe'" /rl HIGHEST /f (level 1)
- Process spawned unexpected child process
PID:5016
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 7 /tr "'C:\providercommon\sysmon.exe'" /rl HIGHEST /f (level 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4884
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Multimedia Platform\StartMenuExperienceHost.exe'" /f (level 1)
- Process spawned unexpected child process
PID:1388
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\StartMenuExperienceHost.exe'" /rl HIGHEST /f (level 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4568
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Multimedia Platform\StartMenuExperienceHost.exe'" /rl HIGHEST /f (level 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2192
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\conhost.exe'" /f (level 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1624
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\conhost.exe'" /rl HIGHEST /f (level 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2232
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\conhost.exe'" /rl HIGHEST /f (level 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4612
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\smss.exe'" /f (level 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4488
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Default User\smss.exe'" /rl HIGHEST /f (level 1)
- Process spawned unexpected child process
PID:5068
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\smss.exe'" /rl HIGHEST /f (level 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4824
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Google\Update\Install\{AFD1DC19-D740-4861-ADFA-3BC6A9F6A223}\lsass.exe'" /f (level 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1808
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Update\Install\{AFD1DC19-D740-4861-ADFA-3BC6A9F6A223}\lsass.exe'" /rl HIGHEST /f (level 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1604
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Google\Update\Install\{AFD1DC19-D740-4861-ADFA-3BC6A9F6A223}\lsass.exe'" /rl HIGHEST /f (level 1)
- Process spawned unexpected child process
PID:2688
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f (level 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1148
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f (level 1)
- Process spawned unexpected child process
PID:2968
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f (level 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4500
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Documents\spoolsv.exe'" /f (level 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2556
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Public\Documents\spoolsv.exe'" /rl HIGHEST /f (level 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1392
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Documents\spoolsv.exe'" /rl HIGHEST /f (level 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:64
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 8 /tr "'C:\Program Files\Uninstall Information\unsecapp.exe'" /f (level 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3764
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\unsecapp.exe'" /rl HIGHEST /f (level 1)
- Process spawned unexpected child process
PID:1032
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 11 /tr "'C:\Program Files\Uninstall Information\unsecapp.exe'" /rl HIGHEST /f (level 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1780
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /f (level 1)
- Process spawned unexpected child process
PID:1824
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f (level 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1676
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f (level 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4656
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\StartMenuExperienceHost.exe'" /f (level 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3164
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Users\Default User\StartMenuExperienceHost.exe'" /rl HIGHEST /f (level 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1144
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\StartMenuExperienceHost.exe'" /rl HIGHEST /f (level 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2952
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Windows\Media\Savanna\dllhost.exe'" /f (level 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3160
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Media\Savanna\dllhost.exe'" /rl HIGHEST /f (level 1)
- Process spawned unexpected child process
PID:2928
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Windows\Media\Savanna\dllhost.exe'" /rl HIGHEST /f (level 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5024
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\spoolsv.exe'" /f (level 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1684
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\spoolsv.exe'" /rl HIGHEST /f (level 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4196
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\spoolsv.exe'" /rl HIGHEST /f (level 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4368
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /f (level 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5080
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f (level 1)
- Process spawned unexpected child process
PID:1668
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f (level 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4508
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\spoolsv.exe'" /f (level 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2608
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\spoolsv.exe'" /rl HIGHEST /f (level 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4324
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\spoolsv.exe'" /rl HIGHEST /f (level 1)
- Process spawned unexpected child process
PID:4904
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\providercommon\dwm.exe'" /f (level 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4116
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f (level 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4952
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f (level 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2196
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Internet Explorer\en-US\Idle.exe'" /f (level 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1596
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\en-US\Idle.exe'" /rl HIGHEST /f (level 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2792
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Internet Explorer\en-US\Idle.exe'" /rl HIGHEST /f (level 1)
- Process spawned unexpected child process
PID:2260
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Portable Devices\System.exe'" /f (level 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4400
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\System.exe'" /rl HIGHEST /f (level 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5036
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Portable Devices\System.exe'" /rl HIGHEST /f (level 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:864
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\providercommon\WmiPrvSE.exe'" /f (level 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2096
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f (level 1)
- Process spawned unexpected child process
PID:720
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f (level 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2428
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /f (level 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3228
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f (level 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1604
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f (level 1)
- Process spawned unexpected child process
PID:3520
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Windows\en-US\wininit.exe'" /f (level 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4892
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\en-US\wininit.exe'" /rl HIGHEST /f (level 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2616
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Windows\en-US\wininit.exe'" /rl HIGHEST /f (level 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2548
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Users\Default\fontdrvhost.exe'" /f (level 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5068
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Default\fontdrvhost.exe'" /rl HIGHEST /f (level 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4484
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Users\Default\fontdrvhost.exe'" /rl HIGHEST /f (level 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3548
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /f (level 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:764
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f (level 1)
- Scheduled Task/Job: Scheduled Task
PID:2228
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f (level 1)
- Scheduled Task/Job: Scheduled Task
PID:4468
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 11 /tr "'C:\Windows\SystemResources\ShellComponents.DragDrop\pris\DllCommonsvc.exe'" /f (level 1)
- Scheduled Task/Job: Scheduled Task
PID:4612
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Windows\SystemResources\ShellComponents.DragDrop\pris\DllCommonsvc.exe'" /rl HIGHEST /f (level 1)
- Scheduled Task/Job: Scheduled Task
PID:808
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 12 /tr "'C:\Windows\SystemResources\ShellComponents.DragDrop\pris\DllCommonsvc.exe'" /rl HIGHEST /f (level 1)
- Scheduled Task/Job: Scheduled Task
PID:2212
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\WaaSMedicAgent.exe'" /f (level 1)
PID:3412
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WaaSMedicAgent" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\WaaSMedicAgent.exe'" /rl HIGHEST /f (level 1)
- Scheduled Task/Job: Scheduled Task
PID:4660
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\WaaSMedicAgent.exe'" /rl HIGHEST /f (level 1)
- Scheduled Task/Job: Scheduled Task
PID:4032
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /f (level 1)
- Scheduled Task/Job: Scheduled Task
PID:4384
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f (level 1)
- Scheduled Task/Job: Scheduled Task
PID:4072
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f (level 1)
- Scheduled Task/Job: Scheduled Task
PID:2192
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /f (level 1)
- Scheduled Task/Job: Scheduled Task
PID:3504
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f (level 1)
- Scheduled Task/Job: Scheduled Task
PID:4728
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f (level 1)
- Scheduled Task/Job: Scheduled Task
PID:4440
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
984B
MD5 58067b362f0aae6683ff65f497e0a33b
SHA1 c7a9630351b495633e9543b80a41af1baec7c3ac
SHA256 f9934e6ec78dd9d51e331d838552e683c898f5f9486a2385ceccb7aafa1c0ed4
SHA512 f70fdfd153410545c4aecdd0cf69e99eff71059e37c51265a75520dd72a026a00d6f68fec2ca32176d3602895f3b31f7d6b3aa9d3ed1eacafe05d396e8bf2342
-
Filesize
1KB
MD5 7f3c0ae41f0d9ae10a8985a2c327b8fb
SHA1 d58622bf6b5071beacf3b35bb505bde2000983e3
SHA256 519fceae4d0dd4d09edd1b81bcdfa8aeab4b59eee77a4cd4b6295ce8e591a900
SHA512 8a8fd17eef071f86e672cba0d8fc2cfed6118aff816100b9d7c06eb96443c04c04bc5692259c8d7ecb1563e877921939c61726605af4f969e3f586f0913ed125
-
Filesize
2KB
MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
1KB
MD5 baf55b95da4a601229647f25dad12878
SHA1 abc16954ebfd213733c4493fc1910164d825cac8
SHA256 ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924
SHA512 24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545
-
Filesize
944B
MD5 6d3e9c29fe44e90aae6ed30ccf799ca8
SHA1 c7974ef72264bbdf13a2793ccf1aed11bc565dce
SHA256 2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d
SHA512 60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a
-
Filesize
944B
MD5 d28a889fd956d5cb3accfbaf1143eb6f
SHA1 157ba54b365341f8ff06707d996b3635da8446f7
SHA256 21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45
SHA512 0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c
-
Filesize
944B
MD5 bd5940f08d0be56e65e5f2aaf47c538e
SHA1 d7e31b87866e5e383ab5499da64aba50f03e8443
SHA256 2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6
SHA512 c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406
-
Filesize
944B
MD5 a8e8360d573a4ff072dcc6f09d992c88
SHA1 3446774433ceaf0b400073914facab11b98b6807
SHA256 bf5e284e8f95122bf75ead61c7e2b40f55c96742b05330b5b1cb7915991df13b
SHA512 4ee5167643d82082f57c42616007ef9be57f43f9731921bdf7bca611a914724ad94072d3c8f5b130fa54129e5328ccdebf37ba74339c37deb53e79df5cdf0dbe
-
Filesize
944B
MD5 40fb442f970bccb233a739c0fcdb274c
SHA1 026efea8999825b25a7206801ef1d9879a3fd516
SHA256 b0639506a0b158d10b17721db15b9ccd1a530acc626c12b3c39eec2e058b371b
SHA512 3dcddd1310c9ef6e93412c2ce6fe08b71b97a69b3645c240af2264b14cbf2dc9c5cada5dbd05bd987d3af4d40952337aee43f70db68e3520cc40de9e54b62cbc
-
Filesize
944B
MD5057e7742b25e65a341d1341da25b54a8
SHA165c874ac4f429a4172bdf89a73922e39873ecab6
SHA256f8cf996545599e442f94820af5c724fca27d22de96bcef6aa308d0520c3a1468
SHA51294b461e3705336b9ebf10df506f4a436cee20ac60540cfb6fd2f36c48e011836bf1f9e3f00e5b254ad6e6f1338a976dba495d398b4459687f518e815afde04e7
-
Filesize
944B
MD5e59140d6693b6a0f6a8617b45bdef9fe
SHA17157a22b2533d10fe8ed91d2c5782b44c79bbcde
SHA256baeb07292d7c8d7ba665a29178999ea08d4b26e8d05bb29c6dee8b8dad8de27e
SHA512117494cb9415e968827ec38ff11fe6eb4781a76476a2a580f08c5f2d5d4f7ccac425dfd81c16536342a32b42a7b3dffdf471dd2666b1a11ded9f57108c6df7b7
-
Filesize
944B
MD5150616521d490e160cd33b97d678d206
SHA171594f5b97a4a61fe5f120eb10bcd6b73d7e6e78
SHA25694595c05912cbb8380f7ed34499eb01fb91707a1ed1c02c02002a4361e889827
SHA5127043dc4b336b1688205fbe762e731478ecaa0036c9f5e0434c79b8a6f8fa58b0705c8674fd6a047e6009edc52c37ce4e2ce81694e13b79a3e8183a32307f3815
-
Filesize
944B
MD56d0c9c571a4975983ba8c545178f820f
SHA1110386d8f4e1b5047cccd39ccdaa5919a731c9ad
SHA2568020b2bb1306914da845e0726e686216af4e03510ce4ae31442f0d2faa320a42
SHA5121ac5fee29f9c2dd8e89dae8302b4133dd92846d792d392f16d7b23f6cab03c83b5911c8786eceb7383e6c6ce14dc443e96920943245704344de6b2f42f9ab890
-
Filesize
944B
MD5c65338524586fc00cf00e679a7d4a1f4
SHA162abf26bfb979dcbf7c7649cf8a681c2a8c7c9ae
SHA256faa246e6b356f55ad8b18cea908dbf9035f67feaa06f8259d934306e13e88bf6
SHA512c6721362afa4998c60ff60225a7b7571aaf1dbc8cb624ad7557b365a37df26e629763fa052dc31904b3175587e940d7e0630362620870c2c7351960a14c29310
-
Filesize
227B
MD553505d0f0e0576bb7969128b5d5e9d01
SHA16f17231ea573ab64bd8aacf021aa54c9d532edc5
SHA25647e3141b25bf282dcafbe2299883a420897250bdf758f2d2de9e725d6edca5c9
SHA512315fe2f4b20b53f5a468845e0b98ebf0f19e5bc71eb273415b1af8fbd10d1608eecd2b0d884719c59bde88128b6b7dba8a51b5679c97f5fe0f37270f2084c014
-
Filesize
227B
MD5453f46e82d1edb0e2a7177b99c5aa0f8
SHA105bbf695a0606d90fa5801b30ea6e499020cc112
SHA256106b472af167bfc8218abdda38f7d712a9d64ed1318fca424de0d38dcb904108
SHA512ff9e81d3b9ca170c2152767f67bce61440ca452d736f2ef03352c2fdd3a66c2372a7ba502e39f7527ed6c8b9b22957ca642794601551f6626e8aa253846e9439
-
Filesize
227B
MD5a9b1b534409ae700ed6ee497ccfccc6b
SHA1471aaa6e2ae2c6303efc5be2d5379f0b6c8ab812
SHA256dbb53fefdcdeb7cc03211cfce9e2cf56519fcc4b06ce09be0c9418fcd40dfe03
SHA512bcd11502c599125242cfb1580a45dce6354152a01b12cd3a2cbd19e1e86b56c51044782c8ae99072756ee4240c8bb5a9d8b5ce66bf1aaf47e266d66eaa5a2ec7
-
Filesize
227B
MD5126af18d00b3de20639d3e2f72156831
SHA17e78f60667ff00b63098ca4842e87fc2b8fe1e8e
SHA2564c41c7ba8a2029606723ae2d37e3f93ed9bf28e55388cf7bf3e01a6737663601
SHA512dbb2c90ff950228defd8b7f4c497fd5cde72a3de34a75545069e0f4d076a211e87eaef186338e11dd9416f3bdfa9c12b552d4a5b54f796de09ae5a11e1c415bb
-
Filesize
227B
MD5efa67e1ab7508402e913b22eaa0c1aa4
SHA1ffd733d8383565c4bdd4a8dcff12a04f6ba03280
SHA25682910ccb79eddc2bd9c41efce5b9a2db437140005d2aa048443654e4be87e64f
SHA5128ba91df8f4fe5e94ec64950a1fa55d1c7528aafaea3fceba733ef90055ea4fdb2eb558f21b7855c2d750f56cd951b2afb06ba0446d4ca5336d6fe248e845df25
-
Filesize
227B
MD5129b61384ce3ac12c2c2f603711da8cf
SHA1a9257614bc28ad0db5e2c37edd59584800118eb4
SHA25666a1d04c44e95093044e3addef2414908a581c1775c52c92a4f9361e67ad2702
SHA5125ab87d11747c3a475a2d9c97bb9dbcd5e451649f75796a9b80c6d345455a3e2a7a323437818f0b519be93b5997c8e0c4d3bc6a09b8eb8d2a1acb1c89ca32648f
-
Filesize
227B
MD55b0d9960889be3f064b1ddfee02a65b1
SHA1f48b57204411d185aa99f7683d7c3e4b3b2e9449
SHA256d814d262d2324377f7657f6caf9de8d498b3c70fce61f9d3f30185c6c3994a7a
SHA51299a8b2094d72f97c41e5c7ef24ab7ee3fc139e84627dbb1c78ef229c92fadef10d0ed381deea1b4ddc71b7eb32d849ec13da2d7551dbdc62af843f52c4359ad1
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
227B
MD5f4e9af11cef17f24276968a69f47fc15
SHA18a6a1278eb47d6926f5f844232801ffa5ae78075
SHA256b5cd70deab8c8b211199e4c64916617912486b7e3437227183449d9db5a74f8a
SHA512280936820ce3938331cd5cdb9e4c16bec3abee8b64cc9cd315e0384697ffcea28d9aaaa657c0b9be8ce83c49b7ed2bd6c9c1987206bea6ec8ea5cd8a7a157199
-
Filesize
227B
MD592ebb0a4806acdda29848a255ea838f6
SHA1abd60612c335b0034076b4667b060b281de74a2d
SHA256469fb8df1fffd4196718f62cb0afa77bc94e4bb2f4d27baddc9066334d8562ea
SHA5128af5567d97101c02c53dca342fda90264deb48f44a4bee107082176e5636f09a0a20a1b48d4fff4988c6c90012aadef6fc6655cf6af07e1c0bf147381a1e89b7
-
Filesize
227B
MD546a83e4220aa8dc272b7f1a08eda473d
SHA180313327a9086b57e3f8e99d14c64377145f2275
SHA25621ae47e3443207b0ca7ee9faad8430de846407bbad8702911736252378ad4938
SHA512e6549d997512bdc77c597bc30c48274aade34f8566f2b2801143952d8775a853a612b0cf90cbd513e0d8779ba478d4e0fd6ba6c42d19cc49a74d92bca0415f25
-
Filesize
199B
MD5e4b0ca8d31bb2b1db6dffc79080cffb0
SHA1149513e884429d6494342d2fc771a9a4245943c4
SHA256a6133e8828905d2df64cc299dd675ab275ba2a01b41f86e1b4000b90742359f2
SHA512347962503f73f0b27846c51e88f2cc442ba31a31b55ce702ab4b9e03b50122244eeed71ddef89a6708be6dc4ea2d8da183f030a0ba06d0bdde588ad27a2ede7b
-
Filesize
227B
MD5588d03f3f8b1a202a189ab2cf38cdb2b
SHA10c7b5ca3d566e5209b76418d01b8b1981ca653ea
SHA2568fbfc06e1c485402ca7b10761d0f9225feed8c39e8be029bf57b677981446d23
SHA5124d5c687c4d2877592c60f31e7edcca106b6e3a7eccee10c0f0d8b8f2a208824df0e6e22fbcfcfac1547698e784f4275da7e317c175c6755eaa86cace133ecc41
-
Filesize
227B
MD5ce3567191214981be53574a88b9a2f99
SHA179e3dbd88aa0dfd00168916ad1c207d07f9f063a
SHA2563f55758431a1abfe032e585b73100801b7a022dac2e2e42272915aae2e796f2d
SHA5127de75bfd8aeb04aa816d8df9f455a7988124245fc18072d12233a93353452ffc55f5cea99ecb3a2758523521bbfbf47ac8e48a9bc28225c35d64bfb5db71fb18
-
Filesize
227B
MD54d393ea41d753a6a59cbbf4bf443814b
SHA101a0476ed45d632b7bfc0641fedc0c5eacd03fa7
SHA256b94833fb17d6b1f50d687fd14436fb672455a7813a9d78c3ae24568dfeb7a369
SHA51289c304868bebeddc710603e444cb211ec42a38e3c8f1b6e49c33f634ca24b3f167d39a633d5737126842f1a8c4c3fae8104e069ccb21b1ce0f25f2f6fdd1dd5e
-
Filesize
227B
MD57aaf405fdee1afdffe9b22d17a60df68
SHA188f21f2472a4ea12ea597fc45b4ee55f82d25d14
SHA2565fd16778aa0d2bbb1ae3f584f38fdbd57397b7c245503d7e705b724ad1aacdc4
SHA51281b163895f80696e0e30eea5ceb71d3e15f5cf48570f38f7f6efd509fe237d715e78909a1ceb70caaf8626eb1e841bddf857b563f967261400ea88c1937b637c
-
Filesize
36B
MD56783c3ee07c7d151ceac57f1f9c8bed7
SHA117468f98f95bf504cc1f83c49e49a78526b3ea03
SHA2568ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8
-
Filesize
1.0MB
MD5bd31e94b4143c4ce49c17d3af46bcad0
SHA1f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
Filesize
197B
MD58088241160261560a02c84025d107592
SHA1083121f7027557570994c9fc211df61730455bb5
SHA2562072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA51220d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478