Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21-12-2024 20:18

Behavioral task: behavioral1
Sample: JaffaCakes118_c2c5c7b4890445c68536c7cd99c775ee4175a9f87881feb08e94059add261670.exe
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: JaffaCakes118_c2c5c7b4890445c68536c7cd99c775ee4175a9f87881feb08e94059add261670.exe
Resource: win10v2004-20241007-en

General
Target: JaffaCakes118_c2c5c7b4890445c68536c7cd99c775ee4175a9f87881feb08e94059add261670.exe
Size: 1.3MB
MD5: 5f8aa2c9c933251a7030f4ccd52d9144
SHA1: 576b128311ebfaefacb64699b0b215a659e0f74a
SHA256: c2c5c7b4890445c68536c7cd99c775ee4175a9f87881feb08e94059add261670
SHA512: 64a88caac69853524b7604140aaeeeadb93cfcc4e05176bb07f14729a494f8196ea354281da6305c237bc03a06599572fe40c97b629b428d13bc5eb45e115b4b
SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
DcRat
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

Dcrat family
resource | yara_rule
behavioral2/files/0x000e000000023bae-10.dat | dcrat
behavioral2/memory/4280-13-0x0000000000110000-0x0000000000220000-memory.dmp | dcrat

Process spawned unexpected child process (54 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
All 54 rows share the same description ("Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process"), the same pid_target (3948), the same Process (schtasks.exe) and the same procid_target (89); only pid differs:
3316, 644, 4008, 3940, 1964, 4796, 4656, 972, 3784, 2356, 1592, 1304, 3228, 624, 4944, 3476, 3736, 1092, 2496, 1872, 1140, 2832, 5116, 1080, 5108, 3904, 2428, 3012, 452, 4496, 1176, 3156, 1728, 3116, 2648, 3756, 1228, 3560, 2968, 3140, 3176, 3556, 3608, 556, 4828, 4620, 3252, 3452, 4988, 820, 5088, 3064, 3752, 5080
Command and Scripting Interpreter: PowerShell (1 TTPs, 19 IoCs)
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid | Process
Process is powershell.exe in all 19 rows; pid: 8, 4776, 220, 4488, 4400, 3920, 4368, 4508, 928, 4404, 4556, 3672, 3564, 4324, 4372, 548, 2032, 2920, 924
Checks computer location settings (2 TTPs, 15 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | DllCommonsvc.exe
Key value queried | (same key) | explorer.exe (x4)
Key value queried | (same key) | JaffaCakes118_c2c5c7b4890445c68536c7cd99c775ee4175a9f87881feb08e94059add261670.exe
Key value queried | (same key) | WScript.exe
Key value queried | (same key) | explorer.exe (x8)
Executes dropped EXE (13 IoCs)
pid | Process
4280 | DllCommonsvc.exe
4192 | explorer.exe
3268 | explorer.exe
3284 | explorer.exe
2764 | explorer.exe
6064 | explorer.exe
5588 | explorer.exe
928 | explorer.exe
5640 | explorer.exe
2032 | explorer.exe
2000 | explorer.exe
5324 | explorer.exe
2676 | explorer.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 13 IoCs)
flow | ioc
ioc is raw.githubusercontent.com in all 13 rows; flow: 40, 41, 45, 46, 51, 54, 23, 35, 52, 53, 55, 59, 24
Drops file in Program Files directory (10 IoCs)
description | ioc | Process
File created | C:\Program Files (x86)\Microsoft.NET\RedistList\lsass.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\Microsoft.NET\RedistList\6203df4a6bafc7 | DllCommonsvc.exe
File created | C:\Program Files (x86)\Windows NT\Accessories\en-US\ebf1f9fa8afd6d | DllCommonsvc.exe
File created | C:\Program Files\Windows Mail\5940a34987c991 | DllCommonsvc.exe
File created | C:\Program Files (x86)\Windows NT\Accessories\en-US\cmd.exe | DllCommonsvc.exe
File created | C:\Program Files\Windows Multimedia Platform\csrss.exe | DllCommonsvc.exe
File created | C:\Program Files\Windows Multimedia Platform\886983d96e3d3e | DllCommonsvc.exe
File created | C:\Program Files\Windows Mail\dllhost.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\Windows Defender\ja-JP\System.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\Windows Defender\ja-JP\27d1bcfc3c54e0 | DllCommonsvc.exe
Drops file in Windows directory (4 IoCs)
description | ioc | Process
File created | C:\Windows\it-IT\unsecapp.exe | DllCommonsvc.exe
File created | C:\Windows\it-IT\29c1c3cc0f7685 | DllCommonsvc.exe
File created | C:\Windows\Containers\serviced\lsass.exe | DllCommonsvc.exe
File created | C:\Windows\Containers\serviced\6203df4a6bafc7 | DllCommonsvc.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_c2c5c7b4890445c68536c7cd99c775ee4175a9f87881feb08e94059add261670.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Modifies registry class (14 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings | explorer.exe (x2)
Key created | (same key) | JaffaCakes118_c2c5c7b4890445c68536c7cd99c775ee4175a9f87881feb08e94059add261670.exe
Key created | (same key) | explorer.exe (x3)
Key created | (same key) | DllCommonsvc.exe
Key created | (same key) | explorer.exe (x7)
Scheduled Task/Job: Scheduled Task (1 TTPs, 54 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
Process is schtasks.exe in all 54 rows; pid: 3228, 3556, 624, 4496, 2968, 1964, 4944, 5108, 2496, 2832, 5116, 4008, 3012, 452, 5080, 3316, 1872, 3140, 3176, 4988, 3064, 3476, 3904, 3756, 1140, 2648, 972, 1304, 1228, 1728, 3752, 3736, 556, 3156, 3116, 1092, 1080, 644, 4796, 1176, 2428, 4656, 4620, 5088, 3940, 3560, 820, 4828, 3452, 3784, 2356, 3608, 3252, 1592
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process (identical rows collapsed, with the number of occurrences in parentheses)
4280 | DllCommonsvc.exe (x11)
4368 | powershell.exe (x4)
4404 | powershell.exe (x3)
4372 | powershell.exe (x3)
548 | powershell.exe (x3)
8 | powershell.exe (x3)
4324 | powershell.exe (x2)
2920 | powershell.exe (x3)
4556 | powershell.exe (x3)
4508 | powershell.exe (x3)
4776 | powershell.exe (x3)
4488 | powershell.exe (x3)
3920 | powershell.exe (x3)
2032 | powershell.exe (x3)
4400 | powershell.exe (x3)
3672 | powershell.exe (x3)
924 | powershell.exe (x2)
220 | powershell.exe (x3)
3564 | powershell.exe (x3)
Suspicious use of AdjustPrivilegeToken (30 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 4280 | DllCommonsvc.exe
Token: SeDebugPrivilege | 4368, 4776, 3920, 4404, 548, 4372, 8, 4324, 2920, 4556, 4508, 220, 4488, 2032, 4400, 3672, 924, 3564 | powershell.exe (18 rows)
Token: SeDebugPrivilege | 4192, 3268, 3284, 2764, 6064, 5588, 5640, 2032, 2000, 5324, 2676 | explorer.exe (11 rows)
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target (identical consecutive rows collapsed, with the number of occurrences in parentheses)
PID 3568 wrote to memory of 2104 | 3568 | JaffaCakes118_c2c5c7b4890445c68536c7cd99c775ee4175a9f87881feb08e94059add261670.exe | 82 (x3)
PID 2104 wrote to memory of 1020 | 2104 | WScript.exe | 85 (x3)
PID 1020 wrote to memory of 4280 | 1020 | cmd.exe | 88 (x2)
PID 4280 wrote to memory of 3564 | 4280 | DllCommonsvc.exe | 144 (x2)
PID 4280 wrote to memory of 4488 | 4280 | DllCommonsvc.exe | 145 (x2)
PID 4280 wrote to memory of 8 | 4280 | DllCommonsvc.exe | 146 (x2)
PID 4280 wrote to memory of 4508 | 4280 | DllCommonsvc.exe | 147 (x2)
PID 4280 wrote to memory of 4400 | 4280 | DllCommonsvc.exe | 148 (x2)
PID 4280 wrote to memory of 4776 | 4280 | DllCommonsvc.exe | 149 (x2)
PID 4280 wrote to memory of 3920 | 4280 | DllCommonsvc.exe | 150 (x2)
PID 4280 wrote to memory of 928 | 4280 | DllCommonsvc.exe | 151 (x2)
PID 4280 wrote to memory of 4324 | 4280 | DllCommonsvc.exe | 152 (x2)
PID 4280 wrote to memory of 4372 | 4280 | DllCommonsvc.exe | 153 (x2)
PID 4280 wrote to memory of 548 | 4280 | DllCommonsvc.exe | 154 (x2)
PID 4280 wrote to memory of 4368 | 4280 | DllCommonsvc.exe | 155 (x2)
PID 4280 wrote to memory of 4556 | 4280 | DllCommonsvc.exe | 156 (x2)
PID 4280 wrote to memory of 3672 | 4280 | DllCommonsvc.exe | 158 (x2)
PID 4280 wrote to memory of 220 | 4280 | DllCommonsvc.exe | 159 (x2)
PID 4280 wrote to memory of 4404 | 4280 | DllCommonsvc.exe | 161 (x2)
PID 4280 wrote to memory of 924 | 4280 | DllCommonsvc.exe | 162 (x2)
PID 4280 wrote to memory of 2920 | 4280 | DllCommonsvc.exe | 163 (x2)
PID 4280 wrote to memory of 2032 | 4280 | DllCommonsvc.exe | 164 (x2)
PID 4280 wrote to memory of 1244 | 4280 | DllCommonsvc.exe | 182 (x2)
PID 1244 wrote to memory of 5444 | 1244 | cmd.exe | 184 (x2)
PID 1244 wrote to memory of 4192 | 1244 | cmd.exe | 188 (x2)
PID 4192 wrote to memory of 3932 | 4192 | explorer.exe | 189 (x2)
PID 3932 wrote to memory of 1020 | 3932 | cmd.exe | 191 (x2)
PID 3932 wrote to memory of 3268 | 3932 | cmd.exe | 192 (x2)
PID 3268 wrote to memory of 4188 | 3268 | explorer.exe | 194 (x2)
PID 4188 wrote to memory of 3324 | 4188 | cmd.exe | 196 (x2)
PID 4188 wrote to memory of 3284 | 4188 | cmd.exe | 198 (x2)
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
(each entry: depth in the process tree, image path, command line, matched signatures, PID)

depth 1: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c2c5c7b4890445c68536c7cd99c775ee4175a9f87881feb08e94059add261670.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c2c5c7b4890445c68536c7cd99c775ee4175a9f87881feb08e94059add261670.exe"
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID: 3568

depth 2: C:\Windows\SysWOW64\WScript.exe
  command line: "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2104

depth 3: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 1020

depth 4: C:\providercommon\DllCommonsvc.exe
  command line: "C:\providercommon\DllCommonsvc.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 4280
depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 3564

depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\csrss.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 4488

depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\RedistList\lsass.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 8

depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\cmd.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 4508

depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\wininit.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 4400

depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\WmiPrvSE.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 4776

depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\it-IT\unsecapp.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 3920

depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\RuntimeBroker.exe'
  - Command and Scripting Interpreter: PowerShell
  PID: 928

depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\sihost.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 4324

depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Containers\serviced\lsass.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 4372

depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\Accessories\en-US\cmd.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 548

depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\services.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 4368

depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\RuntimeBroker.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 4556

depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\RuntimeBroker.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 3672

depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Multimedia Platform\csrss.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 220

depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\taskhostw.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 4404

depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\dllhost.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 924

depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\explorer.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2920

depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\ja-JP\System.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2032
depth 5: C:\Windows\System32\cmd.exe
  command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tgTzSIT1cQ.bat"
  - Suspicious use of WriteProcessMemory
  PID: 1244

depth 6: C:\Windows\system32\w32tm.exe
  command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 5444

depth 6: C:\providercommon\explorer.exe
  command line: "C:\providercommon\explorer.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 4192

depth 7: C:\Windows\System32\cmd.exe
  command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\a4RGbRhdNM.bat"
  - Suspicious use of WriteProcessMemory
  PID: 3932

depth 8: C:\Windows\system32\w32tm.exe
  command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 1020

depth 8: C:\providercommon\explorer.exe
  command line: "C:\providercommon\explorer.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 3268

depth 9: C:\Windows\System32\cmd.exe
  command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RFyBjogktz.bat"
  - Suspicious use of WriteProcessMemory
  PID: 4188

depth 10: C:\Windows\system32\w32tm.exe
  command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 3324

depth 10: C:\providercommon\explorer.exe
  command line: "C:\providercommon\explorer.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  PID: 3284

depth 11: C:\Windows\System32\cmd.exe
  command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\n6bUdMbtqP.bat"
  PID: 5848

depth 12: C:\Windows\system32\w32tm.exe
  command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2356

depth 12: C:\providercommon\explorer.exe
  command line: "C:\providercommon\explorer.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  PID: 2764

depth 13: C:\Windows\System32\cmd.exe
  command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NYP5fOsMgV.bat"
  PID: 3116

depth 14: C:\Windows\system32\w32tm.exe
  command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 3892

depth 14: C:\providercommon\explorer.exe
  command line: "C:\providercommon\explorer.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  PID: 6064

depth 15: C:\Windows\System32\cmd.exe
  command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IVqzzTSBcr.bat"
  PID: 2360

depth 16: C:\Windows\system32\w32tm.exe
  command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 3840

depth 16: C:\providercommon\explorer.exe
  command line: "C:\providercommon\explorer.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  PID: 5588

depth 17: C:\Windows\System32\cmd.exe
  command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uugdhbmYnk.bat"
  PID: 4748

depth 18: C:\Windows\system32\w32tm.exe
  command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 5580

depth 18: C:\providercommon\explorer.exe
  command line: "C:\providercommon\explorer.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  PID: 928

depth 19: C:\Windows\System32\cmd.exe
  command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\j8BV8simza.bat"
  PID: 2416

depth 20: C:\Windows\system32\w32tm.exe
  command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 1140

depth 20: C:\providercommon\explorer.exe
  command line: "C:\providercommon\explorer.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  PID: 5640

depth 21: C:\Windows\System32\cmd.exe
  command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QUR8LTwG0H.bat"
  PID: 1988

depth 22: C:\Windows\system32\w32tm.exe
  command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 4908

depth 22: C:\providercommon\explorer.exe
  command line: "C:\providercommon\explorer.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  PID: 2032

depth 23: C:\Windows\System32\cmd.exe
  command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eG7Plib0M1.bat"
  PID: 2348

depth 24: C:\Windows\system32\w32tm.exe
  command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 1776

depth 24: C:\providercommon\explorer.exe
  command line: "C:\providercommon\explorer.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  PID: 2000

depth 25: C:\Windows\System32\cmd.exe
  command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UMVEid32eq.bat"
  PID: 3084

depth 26: C:\Windows\system32\w32tm.exe
  command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 4540

depth 26: C:\providercommon\explorer.exe
  command line: "C:\providercommon\explorer.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
PID:5324 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3j9hYFnRH7.bat"27⤵PID:4848
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:228⤵PID:4544
-
-
C:\providercommon\explorer.exe"C:\providercommon\explorer.exe"28⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2676 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CTHuJZ10YE.bat"29⤵PID:3708
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:230⤵PID:1964
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3316
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:644
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4008
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3940
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1964
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4796
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\cmd.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4656
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:972
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3784
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\providercommon\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2356
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\providercommon\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1592
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\providercommon\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1304
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\WmiPrvSE.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3228
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Default User\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:624
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4944
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 9 /tr "'C:\Windows\it-IT\unsecapp.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3476
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Windows\it-IT\unsecapp.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3736
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 11 /tr "'C:\Windows\it-IT\unsecapp.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1092
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\providercommon\RuntimeBroker.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2496
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\providercommon\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1872
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\providercommon\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1140
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihosts" /sc MINUTE /mo 8 /tr "'C:\providercommon\sihost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2832
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\providercommon\sihost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5116
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\providercommon\sihost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1080
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Windows\Containers\serviced\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5108
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\Containers\serviced\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3904
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Windows\Containers\serviced\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2428
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\cmd.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3012
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:452
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4496
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\services.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1176
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3156
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1728
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\providercommon\RuntimeBroker.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3116
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\providercommon\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2648
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\providercommon\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3756
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\providercommon\RuntimeBroker.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1228
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\providercommon\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3560
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\providercommon\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2968
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Multimedia Platform\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3140
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3176
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Multimedia Platform\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3556
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3608
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:556
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4828
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Mail\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4620
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3252
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Mail\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3452
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\providercommon\explorer.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4988
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:820
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5088
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\System.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3064
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3752
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5080
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 1KB
MD5: baf55b95da4a601229647f25dad12878
SHA1: abc16954ebfd213733c4493fc1910164d825cac8
SHA256: ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924
SHA512: 24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545
-
Filesize: 2KB
MD5: d85ba6ff808d9e5444a4b369f5bc2730
SHA1: 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256: 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512: 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize: 944B
MD5: 77d622bb1a5b250869a3238b9bc1402b
SHA1: d47f4003c2554b9dfc4c16f22460b331886b191b
SHA256: f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb
SHA512: d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9
-
Filesize: 944B
MD5: d28a889fd956d5cb3accfbaf1143eb6f
SHA1: 157ba54b365341f8ff06707d996b3635da8446f7
SHA256: 21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45
SHA512: 0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c
-
Filesize: 944B
MD5: e448fe0d240184c6597a31d3be2ced58
SHA1: 372b8d8c19246d3e38cd3ba123cc0f56070f03cd
SHA256: c660f0db85a1e7f0f68db19868979bf50bd541531babf77a701e1b1ce5e6a391
SHA512: 0b7f7eae7700d32b18eee3677cb7f89b46ace717fa7e6b501d6c47d54f15dff7e12b49f5a7d36a6ffe4c16165c7d55162db4f3621db545b6af638035752beab4
-
Filesize: 944B
MD5: bd5940f08d0be56e65e5f2aaf47c538e
SHA1: d7e31b87866e5e383ab5499da64aba50f03e8443
SHA256: 2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6
SHA512: c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406
-
Filesize: 944B
MD5: a8e8360d573a4ff072dcc6f09d992c88
SHA1: 3446774433ceaf0b400073914facab11b98b6807
SHA256: bf5e284e8f95122bf75ead61c7e2b40f55c96742b05330b5b1cb7915991df13b
SHA512: 4ee5167643d82082f57c42616007ef9be57f43f9731921bdf7bca611a914724ad94072d3c8f5b130fa54129e5328ccdebf37ba74339c37deb53e79df5cdf0dbe
-
Filesize: 944B
MD5: e243a38635ff9a06c87c2a61a2200656
SHA1: ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc
SHA256: af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f
SHA512: 4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4
-
Filesize: 944B
MD5: 5f0ddc7f3691c81ee14d17b419ba220d
SHA1: f0ef5fde8bab9d17c0b47137e014c91be888ee53
SHA256: a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5
SHA512: 2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3
-
Filesize: 195B
MD5: c81ef3593c5f1c88d4cb65918868c688
SHA1: e0ca0380ade097f8c3e8b8e5949892d7027ca0b4
SHA256: 8446d42197f2fba7b27955825696a75c8a0abd01d1bd540f4e5c5a2c7e9d7270
SHA512: 1a8e3e56d15723f24dcf92ebe79328752e975ecdc9e65cd5cb093d462f9a31ee21ebfd56a31c1b5e1c379be0e73a8ba8466cda32815a363c4c5f7e886399dfbb
-
Filesize: 195B
MD5: cb0afc8693c643b9a27d1e885fd563b8
SHA1: b24ecf50f7d625b32e8bc22dc244f32a99809d89
SHA256: a1d4624d3be0fe5653edafcd89ce6c924adc4ecdde78a1d3ebf9f618cff5e122
SHA512: 7271b5c54a50d3d931faa23eca823c3813fe40173f78c1f8150d030ec82bad1878596385229fb8e8f4d5c2fcd0a33d25e61292068a8dceff59819de45658f715
-
Filesize: 195B
MD5: d69a5f4571a69634620d5c205d1561e8
SHA1: 20311ff9160d592b135740b6a2157cd034d754cc
SHA256: 54ff1f1ae018be9a9e9f2be791647ea2e8b8b0a02cb8c2728ea9c43714be5597
SHA512: d4cdc6826e7fb145c6b6f5399ffae99e12d04ffab729e228a62d650b6c65f7f3ffe09bfb78ec19d061c65a0fc14ea94cdfb5e503482d2a790e7eadc730789fd5
-
Filesize: 195B
MD5: 1bf49181f8ee449d38b79d0172d99728
SHA1: a01fe80d32ef38d483e43fc51797d286742f40ba
SHA256: 6f1e041ba2ab74b547b9a2482a4fc8b1163dcd8837c02f9207bf9a717b314e03
SHA512: f9c382b3b0088881b87316242b2ddff2238466d6c355327b0f85b80f7722f37307bc0aa26cec509f2c2ad196938b0f0ea6f4d6bd08d871e05d3849492742da4b
-
Filesize: 195B
MD5: 92a4a10a407bd65ba22620bd5dbefaae
SHA1: 62db79988063c4a87d425ee72171062dec4c891d
SHA256: 975e41a43f76d9bf890ab44a4efc1dfca84f4e3e3a58ceec435e4b3f73f15b4b
SHA512: a3dd00f352f65f15d435988b1db4dbae7a40b708e747d2ede58be97d206e4b05daa36e9a48cfae645adecec01683e2dd5c72e6818e66d69c4781604ae201ec10
-
Filesize: 195B
MD5: 19c0f6914d22bf6a979370030a6e33fe
SHA1: d3849254e24c59d01f3eb5050ad132a03abe5d07
SHA256: 1281a3d8cda689b892b11267b3624583ff054664bb2e656924572ace3f67aeb1
SHA512: 69bd56841b69edbbbc3f571e9ec09b7cce523a914808416b70bcaace51b8d8f6c74395efd627170ed55eb4a652c95367c9e3609eee3f39c8b0d514c548ecbfd9
-
Filesize: 195B
MD5: e193991959fd2fd13beb42ed15593839
SHA1: 266541faa583e4033473669933ca7f729b54de0e
SHA256: d7ab696d94050070e26d76ffd9dc807222cb342ae2062c8d8517408147c403cd
SHA512: 646700035f503e946bd77c9606a124721cca08495a579f03312ee7784192d206840303185d99c191d51dbed028e845dc1264a807ee2d3ef73935560cd0ccdb53
-
Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize: 195B
MD5: 85a721f7a9c25a5c9f77ec8d2eed8096
SHA1: 5743748a32841cf44287166ab403d86b88f69138
SHA256: a02e941e4bbbe27fb62f1a7d12fa02c728c437fee3843c876fef239df847c148
SHA512: b0506e54e03f0ca7d943b5fdea31a7fc4d286cb1e7382c43bedb4be7c183aeef2e6ca42d1fbe00975e7e30427617c356559ff8b347f41aab88fc2c6915507c1c
-
Filesize: 195B
MD5: 00ed425360f4546853cb2a8c73ce2393
SHA1: d37351d8a8560ca8d9b16ce6bbfaef747071fa05
SHA256: 00a62c999c5999c519d0f6fd8e1fb9d1f95c60aed22fe034ad044cf7cd9e5d0c
SHA512: 6650b132f654bf4218fd7fe867c782ff9c78ee97a84cde857c33a33a22ce7a9232ee5400081a4a526f35b3e999c1def1069bf854cd09579fd344755d800cff3f
-
Filesize: 195B
MD5: dd79b9d2efde9fc6f4708929328355ae
SHA1: 1bef8b16fa31bc088eeadc07fd838f1da23e0f86
SHA256: caa0e0f6b19591a91e2a938980415d5f89c39ecd35e691c9a866ab0332f94a71
SHA512: 4ec0026fb0d8e9649e64149c1e49c9d63f1a63a82fd43ecd0271a7c1d70ef05540d614abbf5001af7c0917bf4afa745c4a7f930025d33750b0a846a698f064d7
-
Filesize: 195B
MD5: 67580b05c302c4b4559fe56f6ebb1d0b
SHA1: 51b6f46fcaed8eb81362fbf9921f8f57bf88fad4
SHA256: 85679c946d689024253bd1c1793481daff2d1293599a8dc30d8065f698a46970
SHA512: f733e45d21085b3b0525353975c05e67c0ab94395e622848a33c84b42e6f604d626e048012bdf4fc1626ac317469cec075b63ac815d06af37d7ab3e72a5e118d
-
Filesize: 195B
MD5: 651d4e3813d4f3dbf4cc03deb8f2171c
SHA1: 69565308519cc6a46792b8be047901f7c17e015d
SHA256: 8497548cc6e1ae8ef0674d2b472570d36e25630e885c91ff95e87ebb74f0467f
SHA512: 9bcca60660c264c4e7840e36a2a9c96b6c7e8406cb0417dc31c741fe382af0bc867a3ac090795784c9da7e2d1d52262940ffb72bb93862794577b393e060288a
-
Filesize: 36B
MD5: 6783c3ee07c7d151ceac57f1f9c8bed7
SHA1: 17468f98f95bf504cc1f83c49e49a78526b3ea03
SHA256: 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512: c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8
-
Filesize: 1.0MB
MD5: bd31e94b4143c4ce49c17d3af46bcad0
SHA1: f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256: b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512: f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
Filesize: 197B
MD5: 8088241160261560a02c84025d107592
SHA1: 083121f7027557570994c9fc211df61730455bb5
SHA256: 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA512: 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478