Analysis

max time kernel: 149s
max time network: 145s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted: 21-12-2024 19:41
Behavioral task: behavioral1
Sample: JaffaCakes118_bc6b40b3180dcada72104c60cc530bd2b9d83d7410c3ea6883f9cd19f82b4612.exe
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: JaffaCakes118_bc6b40b3180dcada72104c60cc530bd2b9d83d7410c3ea6883f9cd19f82b4612.exe
Resource: win10v2004-20241007-en
General

Target: JaffaCakes118_bc6b40b3180dcada72104c60cc530bd2b9d83d7410c3ea6883f9cd19f82b4612.exe
Size: 1.3MB
MD5: 646cd1f42241609de75b80e3c53f7221
SHA1: b3cb0329c945c1ec12f5dc08f5ada9b721963a97
SHA256: bc6b40b3180dcada72104c60cc530bd2b9d83d7410c3ea6883f9cd19f82b4612
SHA512: 9c62c222fba506bf84d0f432901864b101f639695be833559426de4e0c329e549ae295aa9d02a41d9ce593b43f437445832be458eeb9da4fa800a418d3cd9bae
SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config

Signatures

DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.

Dcrat family

Process spawned unexpected child process (48 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
resource                                                                     yara_rule
behavioral2/files/0x0007000000023cb2-10.dat                                  dcrat
behavioral2/memory/2356-13-0x0000000000D80000-0x0000000000E90000-memory.dmp  dcrat
Command and Scripting Interpreter: PowerShell (1 TTPs, 17 IoCs)
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

pid   Process
3192  powershell.exe
912   powershell.exe
2940  powershell.exe
2324  powershell.exe
2816  powershell.exe
2664  powershell.exe
5112  powershell.exe
4576  powershell.exe
4772  powershell.exe
2696  powershell.exe
2104  powershell.exe
1680  powershell.exe
2488  powershell.exe
1900  powershell.exe
2012  powershell.exe
3272  powershell.exe
3324  powershell.exe
Checks computer location settings (2 TTPs, 15 IoCs)
Looks up the country code configured in the registry, likely a geofence.

ioc (all rows): \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation

description        Process
Key value queried  wininit.exe
Key value queried  JaffaCakes118_bc6b40b3180dcada72104c60cc530bd2b9d83d7410c3ea6883f9cd19f82b4612.exe
Key value queried  wininit.exe
Key value queried  wininit.exe
Key value queried  wininit.exe
Key value queried  wininit.exe
Key value queried  wininit.exe
Key value queried  wininit.exe
Key value queried  wininit.exe
Key value queried  wininit.exe
Key value queried  WScript.exe
Key value queried  wininit.exe
Key value queried  wininit.exe
Key value queried  DllCommonsvc.exe
Key value queried  wininit.exe
Executes dropped EXE (14 IoCs)

pid   Process
2356  DllCommonsvc.exe
3784  wininit.exe
2232  wininit.exe
5072  wininit.exe
4488  wininit.exe
2344  wininit.exe
3124  wininit.exe
4864  wininit.exe
1864  wininit.exe
3800  wininit.exe
5064  wininit.exe
2352  wininit.exe
2152  wininit.exe
3388  wininit.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 13 IoCs)

flow  ioc
43    raw.githubusercontent.com
44    raw.githubusercontent.com
52    raw.githubusercontent.com
53    raw.githubusercontent.com
15    raw.githubusercontent.com
19    raw.githubusercontent.com
38    raw.githubusercontent.com
39    raw.githubusercontent.com
54    raw.githubusercontent.com
55    raw.githubusercontent.com
16    raw.githubusercontent.com
36    raw.githubusercontent.com
51    raw.githubusercontent.com
Drops file in Program Files directory (8 IoCs)

description   ioc                                                                              Process
File created  C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\cmd.exe       DllCommonsvc.exe
File created  C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\ebf1f9fa8afd6d  DllCommonsvc.exe
File created  C:\Program Files (x86)\Windows Portable Devices\TextInputHost.exe                 DllCommonsvc.exe
File created  C:\Program Files (x86)\Windows Portable Devices\22eafd247d37c3                    DllCommonsvc.exe
File created  C:\Program Files\ModifiableWindowsApps\csrss.exe                                  DllCommonsvc.exe
File created  C:\Program Files\ModifiableWindowsApps\sysmon.exe                                 DllCommonsvc.exe
File created  C:\Program Files\Windows Security\wininit.exe                                     DllCommonsvc.exe
File created  C:\Program Files\Windows Security\56085415360792                                  DllCommonsvc.exe
Drops file in Windows directory (4 IoCs)

description   ioc                                                Process
File created  C:\Windows\GameBarPresenceWriter\dllhost.exe       DllCommonsvc.exe
File created  C:\Windows\GameBarPresenceWriter\5940a34987c991    DllCommonsvc.exe
File created  C:\Windows\PrintDialog\lsass.exe                   DllCommonsvc.exe
File created  C:\Windows\PrintDialog\6203df4a6bafc7              DllCommonsvc.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

description  ioc                                                          Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  WScript.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  JaffaCakes118_bc6b40b3180dcada72104c60cc530bd2b9d83d7410c3ea6883f9cd19f82b4612.exe
Modifies registry class (14 IoCs)

ioc (all rows): \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings

description  Process
Key created  wininit.exe
Key created  wininit.exe
Key created  wininit.exe
Key created  DllCommonsvc.exe
Key created  wininit.exe
Key created  wininit.exe
Key created  wininit.exe
Key created  wininit.exe
Key created  JaffaCakes118_bc6b40b3180dcada72104c60cc530bd2b9d83d7410c3ea6883f9cd19f82b4612.exe
Key created  wininit.exe
Key created  wininit.exe
Key created  wininit.exe
Key created  wininit.exe
Key created  wininit.exe
Scheduled Task/Job: Scheduled Task (1 TTPs, 48 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious use of AdjustPrivilegeToken (31 IoCs)

description              pid   Process
Token: SeDebugPrivilege  2356  DllCommonsvc.exe
Token: SeDebugPrivilege  1680  powershell.exe
Token: SeDebugPrivilege  3192  powershell.exe
Token: SeDebugPrivilege  2104  powershell.exe
Token: SeDebugPrivilege  2816  powershell.exe
Token: SeDebugPrivilege  5112  powershell.exe
Token: SeDebugPrivilege  3272  powershell.exe
Token: SeDebugPrivilege  4772  powershell.exe
Token: SeDebugPrivilege  912   powershell.exe
Token: SeDebugPrivilege  2696  powershell.exe
Token: SeDebugPrivilege  3324  powershell.exe
Token: SeDebugPrivilege  2324  powershell.exe
Token: SeDebugPrivilege  2664  powershell.exe
Token: SeDebugPrivilege  2488  powershell.exe
Token: SeDebugPrivilege  2012  powershell.exe
Token: SeDebugPrivilege  4576  powershell.exe
Token: SeDebugPrivilege  2940  powershell.exe
Token: SeDebugPrivilege  1900  powershell.exe
Token: SeDebugPrivilege  3784  wininit.exe
Token: SeDebugPrivilege  2232  wininit.exe
Token: SeDebugPrivilege  5072  wininit.exe
Token: SeDebugPrivilege  4488  wininit.exe
Token: SeDebugPrivilege  2344  wininit.exe
Token: SeDebugPrivilege  3124  wininit.exe
Token: SeDebugPrivilege  4864  wininit.exe
Token: SeDebugPrivilege  1864  wininit.exe
Token: SeDebugPrivilege  3800  wininit.exe
Token: SeDebugPrivilege  5064  wininit.exe
Token: SeDebugPrivilege  2352  wininit.exe
Token: SeDebugPrivilege  2152  wininit.exe
Token: SeDebugPrivilege  3388  wininit.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bc6b40b3180dcada72104c60cc530bd2b9d83d7410c3ea6883f9cd19f82b4612.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bc6b40b3180dcada72104c60cc530bd2b9d83d7410c3ea6883f9cd19f82b4612.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1864 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3268 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4824 -
C:\providercommon\DllCommonsvc.exe"C:\providercommon\DllCommonsvc.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2356 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3272
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\StartMenuExperienceHost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1680
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\wininit.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:912
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\dwm.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5112
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\fontdrvhost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2104
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\services.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3192
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\GameBarPresenceWriter\dllhost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2696
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Security\wininit.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4772
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\RuntimeBroker.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2664
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\cmd.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3324
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\cmd.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2816
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\services.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4576
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PrintDialog\lsass.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2012
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\TextInputHost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2488
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\upfc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2324
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Libraries\csrss.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1900
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\dllhost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2940
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\a26xxSVfLa.bat"5⤵
- Suspicious use of WriteProcessMemory
PID:1832 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:26⤵PID:4368
-
-
C:\Program Files\Windows Security\wininit.exe"C:\Program Files\Windows Security\wininit.exe"6⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3784 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SsFcJDxdf6.bat"7⤵
- Suspicious use of WriteProcessMemory
PID:1468 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:28⤵PID:4348
-
-
C:\Program Files\Windows Security\wininit.exe"C:\Program Files\Windows Security\wininit.exe"8⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2232 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3Bw8qtkvcA.bat"9⤵
- Suspicious use of WriteProcessMemory
PID:2368 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:210⤵PID:4156
-
-
C:\Program Files\Windows Security\wininit.exe"C:\Program Files\Windows Security\wininit.exe"10⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5072 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vXy3H03RZr.bat"11⤵
- Suspicious use of WriteProcessMemory
PID:1644 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:212⤵PID:4596
-
-
C:\Program Files\Windows Security\wininit.exe"C:\Program Files\Windows Security\wininit.exe"12⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4488 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yTz6y56Ktd.bat"13⤵PID:4976
-
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 (depth 14)
PID:3436

C:\Program Files\Windows Security\wininit.exe
"C:\Program Files\Windows Security\wininit.exe" (depth 14)
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2344

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BAWHCtE00Z.bat" (depth 15)
PID:4524

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 (depth 16)
PID:1756

C:\Program Files\Windows Security\wininit.exe
"C:\Program Files\Windows Security\wininit.exe" (depth 16)
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:3124

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4NR89d4K3E.bat" (depth 17)
PID:4084

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 (depth 18)
PID:2888

C:\Program Files\Windows Security\wininit.exe
"C:\Program Files\Windows Security\wininit.exe" (depth 18)
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4864

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\R8iYvsD9nO.bat" (depth 19)
PID:4156

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 (depth 20)
PID:2356

C:\Program Files\Windows Security\wininit.exe
"C:\Program Files\Windows Security\wininit.exe" (depth 20)
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1864

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7JTBpj7DN0.bat" (depth 21)
PID:4304

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 (depth 22)
PID:2664

C:\Program Files\Windows Security\wininit.exe
"C:\Program Files\Windows Security\wininit.exe" (depth 22)
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:3800

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oYNvu0ZNBR.bat" (depth 23)
PID:2556

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 (depth 24)
PID:3088

C:\Program Files\Windows Security\wininit.exe
"C:\Program Files\Windows Security\wininit.exe" (depth 24)
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:5064

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\R8iYvsD9nO.bat" (depth 25)
PID:2880

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 (depth 26)
PID:2580

C:\Program Files\Windows Security\wininit.exe
"C:\Program Files\Windows Security\wininit.exe" (depth 26)
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2352

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cnsnMHUbNI.bat" (depth 27)
PID:1648

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 (depth 28)
PID:3120

C:\Program Files\Windows Security\wininit.exe
"C:\Program Files\Windows Security\wininit.exe" (depth 28)
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2152

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UucX7bnqC8.bat" (depth 29)
PID:3796

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 (depth 30)
PID:4600

C:\Program Files\Windows Security\wininit.exe
"C:\Program Files\Windows Security\wininit.exe" (depth 30)
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3388
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\StartMenuExperienceHost.exe'" /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Users\Default User\StartMenuExperienceHost.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\StartMenuExperienceHost.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\services.exe'" /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Windows\GameBarPresenceWriter\dllhost.exe'" /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\GameBarPresenceWriter\dllhost.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Windows\GameBarPresenceWriter\dllhost.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Security\wininit.exe'" /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows Security\wininit.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Security\wininit.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\providercommon\RuntimeBroker.exe'" /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\providercommon\RuntimeBroker.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\providercommon\RuntimeBroker.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\cmd.exe'" /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\cmd.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\cmd.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\providercommon\cmd.exe'" /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\providercommon\cmd.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\providercommon\cmd.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\providercommon\services.exe'" /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Windows\PrintDialog\lsass.exe'" /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\PrintDialog\lsass.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Windows\PrintDialog\lsass.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Portable Devices\TextInputHost.exe'" /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\TextInputHost.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Portable Devices\TextInputHost.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Libraries\csrss.exe'" /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Public\Libraries\csrss.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Libraries\csrss.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1084
Network
MITRE ATT&CK Enterprise v15
Downloads