Analysis
-
max time kernel
146s -
max time network
142s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system -
submitted
21-12-2024 19:43
Behavioral task
behavioral1
Sample
JaffaCakes118_37c3ce5ead21b3fc3f8212c369b64b7712ce80908cb2163f1b5ae0ee574c2678.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
JaffaCakes118_37c3ce5ead21b3fc3f8212c369b64b7712ce80908cb2163f1b5ae0ee574c2678.exe
Resource
win10v2004-20241007-en
General
-
Target
JaffaCakes118_37c3ce5ead21b3fc3f8212c369b64b7712ce80908cb2163f1b5ae0ee574c2678.exe
-
Size
1.3MB
-
MD5
b138fab068fff7508e24a386f5185a0b
-
SHA1
318f36e371a2c39b3e45c76d93398f44d1d3bdfa
-
SHA256
37c3ce5ead21b3fc3f8212c369b64b7712ce80908cb2163f1b5ae0ee574c2678
-
SHA512
2b9db890c67ba3a5e8580719ef51cb96aeaa3dd56cdd4105a1f3f81c5c197e645698140522d633b804c568ffc978177d5e7461cc5e5f37f957e2474ee406d84a
-
SSDEEP
24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal RAT (DcRat) is a .NET remote access trojan, active since June 2019, that can load additional plugins at runtime.
-
Dcrat family
-
Process spawned unexpected child process 51 IoCs
This typically indicates the parent process was compromised via an exploit or macro. Here the parent is WmiPrvSE.exe, the WMI provider host: a process created through WMI (Win32_Process.Create) is parented by WmiPrvSE.exe rather than by the caller, so these 51 hits are consistent with the dropper creating its scheduled tasks through WMI rather than with a compromised provider host. Either way, WmiPrvSE.exe spawning schtasks.exe is not normal and is worth a parent/child rule; note that the real caller does not appear in the parent field at all.
description (all 51 entries): Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
pid_target (all 51 entries): 1056 (wmiprvse.exe); procid_target: 88
Process (all 51 entries): schtasks.exe
pid: 2260, 764, 812, 896, 4328, 2332, 4496, 1120, 1116, 544, 3468, 548, 3452, 2140, 984, 728, 1632, 5052, 1608, 4068, 4420, 4568, 5072, 3940, 1692, 4440, 2100, 3960, 5024, 5012, 4508, 1980, 4504, 2196, 2596, 2560, 3548, 3640, 872, 3896, 4372, 1644, 2064, 3944, 2912, 3000, 1756, 1224, 2460, 2480, 4728 -
resource                                                                        yara_rule
behavioral2/files/0x0007000000023ccf-10.dat                                     dcrat
behavioral2/memory/3364-13-0x0000000000250000-0x0000000000360000-memory.dmp     dcrat
The memory hit is in PID 3364, which is the dropped C:\providercommon\DllCommonsvc.exe (see the process tree), so that file, not the outer JaffaCakes118 executable, is the DcRat payload. -
Command and Scripting Interpreter: PowerShell 1 TTPs 18 IoCs
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths or processes. In this run all 18 invocations are Add-MpPreference -ExclusionPath, one per location where a copy of the payload is (or will be) placed; the command lines are in the process tree below. Several excluded paths (C:\providercommon\RuntimeBroker.exe, lsass.exe and fontdrvhost.exe, the C:\Recovery\WindowsRE copies, C:\Users\Default User\wininit.exe, C:\Users\Public\Documents\Idle.exe) do not appear in the drop lists below, which only cover the Program Files and Windows directories, so the exclusion list is the fuller inventory of staging locations. On a suspect host, Get-MpPreference shows the resulting ExclusionPath entries.
pid (all powershell.exe): 2544, 2136, 3916, 836, 2072, 1184, 4488, 4144, 428, 3496, 4784, 4264, 4588, 1264, 1696, 2400, 2880, 4360 -
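The two signatures above (WmiPrvSE.exe spawning schtasks.exe, and PowerShell adding Defender exclusions) are both decidable from process-creation telemetry alone. The following is an added example, not code from the report or from Hatching: it runs both checks over a handful of constructed events whose PIDs, parents and command lines are copied from this report. The event field names (pid, ppid, parent_image, image, cmdline) are an assumption; map them onto Sysmon event 1 or Security event 4688 in your own pipeline. The schtasks.exe arguments are not shown in the report, so that field is a placeholder.

```python
# Added example, not part of the Triage report: detection logic for the
# "unexpected child process" and "PowerShell modifies Defender" signatures,
# run over constructed process-creation events. The event fields (pid, ppid,
# parent_image, image, cmdline) are an assumption; map them onto Sysmon
# event 1 or Security 4688 in your own telemetry.
import re
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    parent_image: str
    image: str
    cmdline: str


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


# (Add|Set)-MpPreference with any of the exclusion parameters; the value may be
# single-quoted, double-quoted or bare.
_MP_CMDLET = re.compile(r"\b(Add|Set)-MpPreference\b", re.IGNORECASE)
_MP_EXCLUSION = re.compile(
    r"-Exclusion(?:Path|Process|Extension|IpAddress)\s+"
    r"(?P<val>'[^']*'|\"[^\"]*\"|\S+)",
    re.IGNORECASE,
)


def defender_exclusions(ev: ProcEvent) -> List[str]:
    """Exclusion values added by a (Add|Set)-MpPreference command line, else []."""
    if _basename(ev.image) not in ("powershell.exe", "pwsh.exe"):
        return []
    if not _MP_CMDLET.search(ev.cmdline):
        return []
    return [m.group("val").strip("'\"") for m in _MP_EXCLUSION.finditer(ev.cmdline)]


# WmiPrvSE.exe is the parent of record for anything created through WMI
# (Win32_Process.Create), so a LOLBin under it means some other process used
# WMI to launch it; the real caller is not in the parent field at all.
_UNEXPECTED_PARENTS = {"wmiprvse.exe"}
_LOLBIN_CHILDREN = {"schtasks.exe", "powershell.exe", "cmd.exe",
                    "wscript.exe", "cscript.exe", "rundll32.exe"}


def unexpected_child(ev: ProcEvent) -> bool:
    """True when a LOLBin is spawned directly by a parent that should not spawn it."""
    return (_basename(ev.parent_image) in _UNEXPECTED_PARENTS
            and _basename(ev.image) in _LOLBIN_CHILDREN)


def triage(events) -> dict:
    """Aggregate both detections over a stream of events."""
    out = {"defender_exclusions": [], "wmi_spawns": []}
    for ev in events:
        for value in defender_exclusions(ev):
            out["defender_exclusions"].append((ev.pid, value))
        if unexpected_child(ev):
            out["wmi_spawns"].append((ev.ppid, ev.pid, _basename(ev.image)))
    return out


# Constructed sample: PIDs, parents and command lines copied from the report;
# schtasks.exe's arguments are not shown in the report, so that field is a placeholder.
SAMPLE_EVENTS = [
    ProcEvent(2400, 3364, r"C:\providercommon\DllCommonsvc.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "\"powershell\" -Command Add-MpPreference -ExclusionPath "
              r"'C:\providercommon\DllCommonsvc.exe'"),
    ProcEvent(2544, 3364, r"C:\providercommon\DllCommonsvc.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "\"powershell\" -Command Add-MpPreference -ExclusionPath "
              r"'C:\Program Files (x86)\Mozilla Maintenance Service\winlogon.exe'"),
    ProcEvent(2260, 1056, r"C:\Windows\system32\wbem\wmiprvse.exe",
              r"C:\Windows\system32\schtasks.exe",
              "schtasks.exe (arguments not shown in the report)"),
    ProcEvent(5564, 5508, r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\system32\w32tm.exe",
              "w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2"),
]

if __name__ == "__main__":
    for key, hits in triage(SAMPLE_EVENTS).items():
        print(key)
        for hit in hits:
            print("  ", hit)
```

The exclusion regex deliberately accepts -ExclusionProcess and -ExclusionExtension as well as -ExclusionPath, since the same family is reported adding all three; the parent check is kept to an explicit allow-list of LOLBin children so that WmiPrvSE.exe launching its own provider DLL hosts does not fire.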
Checks computer location settings 2 TTPs 15 IoCs
Looks up the country code configured in the registry, likely for geofencing. This value backs the Win32 GetUserGeoID API, which plenty of benign software also calls, so on its own it is weak evidence; it is notable here only because the dropper, the script host and every SearchApp.exe copy read it.
Key value queried (all 15 entries): \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation
Process (hits): SearchApp.exe (12), DllCommonsvc.exe (1), WScript.exe (1), JaffaCakes118_37c3ce5ead21b3fc3f8212c369b64b7712ce80908cb2163f1b5ae0ee574c2678.exe (1) -
Executes dropped EXE 14 IoCs
pid   Process
3364  DllCommonsvc.exe
2308  SearchApp.exe
5804  SearchApp.exe
1440  SearchApp.exe
2800  SearchApp.exe
5128  SearchApp.exe
2920  SearchApp.exe
1980  SearchApp.exe
5188  SearchApp.exe
5376  SearchApp.exe
2780  SearchApp.exe
5648  SearchApp.exe
6128  SearchApp.exe
5240  SearchApp.exe
(SearchApp.exe 6128 and 5240 are below the point where the process tree listing ends.) -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 13 IoCs
flow ioc: 13 flows to raw.githubusercontent.com (flow ids 14, 15, 38, 42, 44, 50, 52, 30, 39, 43, 51, 53, 54)
The report records the host only; the requested paths are not shown here, so the actionable indicator is the repository path (and whatever it served) recovered from the pcap, not the host, which cannot sensibly be blocked. -
Drops file in Program Files directory 8 IoCs
description                   ioc                                                                                                                          Process
File created                  C:\Program Files (x86)\Mozilla Maintenance Service\cc11b995f2a76d                                                             DllCommonsvc.exe
File created                  C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.123\unsecapp.exe              DllCommonsvc.exe
File created                  C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.123\29c1c3cc0f7685           DllCommonsvc.exe
File created                  C:\Program Files (x86)\Windows Portable Devices\taskhostw.exe                                                                 DllCommonsvc.exe
File opened for modification  C:\Program Files (x86)\Windows Portable Devices\taskhostw.exe                                                                 DllCommonsvc.exe
File created                  C:\Program Files (x86)\Windows Portable Devices\ea9f0e6c9e2dcd                                                                DllCommonsvc.exe
File created                  C:\Program Files\ModifiableWindowsApps\unsecapp.exe                                                                           DllCommonsvc.exe
File created                  C:\Program Files (x86)\Mozilla Maintenance Service\winlogon.exe                                                               DllCommonsvc.exe -
Drops file in Windows directory 9 IoCs
description                   ioc                                                                                                                          Process
File created                  C:\Windows\PrintDialog\microsoft.system.package.metadata\Autogen\a76d7bf15d8370                                               DllCommonsvc.exe
File created                  C:\Windows\SoftwareDistribution\Download\upfc.exe                                                                             DllCommonsvc.exe
File created                  C:\Windows\SoftwareDistribution\Download\ea1d8f6d871115                                                                       DllCommonsvc.exe
File created                  C:\Windows\PrintDialog\explorer.exe                                                                                           DllCommonsvc.exe
File created                  C:\Windows\PrintDialog\7a0fd90576e088                                                                                         DllCommonsvc.exe
File created                  C:\Windows\Panther\actionqueue\27d1bcfc3c54e0                                                                                 DllCommonsvc.exe
File created                  C:\Windows\servicing\SQM\System.exe                                                                                           DllCommonsvc.exe
File created                  C:\Windows\Panther\actionqueue\System.exe                                                                                     DllCommonsvc.exe
File created                  C:\Windows\PrintDialog\microsoft.system.package.metadata\Autogen\DllCommonsvc.exe                                             DllCommonsvc.exe
Two patterns stand out. The executables borrow the names of Windows binaries (taskhostw.exe, winlogon.exe, explorer.exe, unsecapp.exe, upfc.exe, System.exe) but are written to directories where those binaries never live, which is masquerading rather than replacement of the real files. And each copy is accompanied by a 14-character hex-named file in the same directory (cc11b995f2a76d, 29c1c3cc0f7685, ea9f0e6c9e2dcd, a76d7bf15d8370, ea1d8f6d871115, 7a0fd90576e088, 27d1bcfc3c54e0); the pair is a reliable file-system signature for this run. -
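The dropped-file layout above, a system-binary name in the wrong directory plus a hex-named companion file beside it, is easy to check for on a live host or in a file-creation log. The following is an added example, not code from the report: it classifies each path from the two signatures above, groups the hits by directory, and reports the directories that hold both halves of the pair. The table of binary names and their genuine home directories is an assumption kept to the names seen in this report; extend it for real use.

```python
# Added example, not part of the Triage report: a check over the dropped-file
# paths listed in the two "Drops file" signatures. It flags files named after
# Windows system binaries that were written outside the directory the genuine
# binary lives in, and the 14-character hex-named companion files that sit
# beside each copy. The table of binary names and home directories is an
# assumption kept to the names seen in this report; extend it for real use.
import re
from pathlib import PureWindowsPath
from typing import Dict, List, Optional

# name -> set of directories (drive letter stripped, lower case) where the real
# binary lives. An empty set means no legitimate location exists at all.
_SYSTEM_BINARIES = {
    "taskhostw.exe": {r"\windows\system32"},
    "winlogon.exe": {r"\windows\system32"},
    "explorer.exe": {r"\windows"},
    "unsecapp.exe": {r"\windows\system32\wbem"},
    "upfc.exe": {r"\windows\system32"},
    "system.exe": set(),   # "System" is a kernel pseudo-process, never an .exe on disk
}
_HEX_MARKER = re.compile(r"^[0-9a-f]{14}$")


def _location(path: str) -> str:
    """Parent directory, lower-cased, with the drive letter removed."""
    p = PureWindowsPath(path)
    parent = str(p.parent).lower()
    return parent[len(p.drive):] if p.drive else parent


def classify(path: str) -> Optional[str]:
    """'masquerade', 'marker' or None for a single dropped path."""
    name = PureWindowsPath(path).name.lower()
    if name in _SYSTEM_BINARIES:
        return None if _location(path) in _SYSTEM_BINARIES[name] else "masquerade"
    if _HEX_MARKER.match(name):
        return "marker"
    return None


def scan(paths) -> Dict[str, Dict[str, List[str]]]:
    """Group flagged file names by directory so each drop site is reported once."""
    findings: Dict[str, Dict[str, List[str]]] = {}
    for path in paths:
        kind = classify(path)
        if kind is None:
            continue
        p = PureWindowsPath(path)
        site = findings.setdefault(str(p.parent), {"masquerade": [], "marker": []})
        site[kind].append(p.name)
    return findings


def paired_drop_sites(findings) -> List[str]:
    """Directories holding both a masqueraded binary and a hex marker file:
    the strongest signal, since the pair is the layout this run leaves behind."""
    return [d for d, f in findings.items() if f["masquerade"] and f["marker"]]


# Sample input: the dropped paths from the report (taskhostw.exe listed once).
DROPPED_FILES = [
    r"C:\Program Files (x86)\Mozilla Maintenance Service\cc11b995f2a76d",
    r"C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.123\unsecapp.exe",
    r"C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.123\29c1c3cc0f7685",
    r"C:\Program Files (x86)\Windows Portable Devices\taskhostw.exe",
    r"C:\Program Files (x86)\Windows Portable Devices\ea9f0e6c9e2dcd",
    r"C:\Program Files\ModifiableWindowsApps\unsecapp.exe",
    r"C:\Program Files (x86)\Mozilla Maintenance Service\winlogon.exe",
    r"C:\Windows\PrintDialog\microsoft.system.package.metadata\Autogen\a76d7bf15d8370",
    r"C:\Windows\SoftwareDistribution\Download\upfc.exe",
    r"C:\Windows\SoftwareDistribution\Download\ea1d8f6d871115",
    r"C:\Windows\PrintDialog\explorer.exe",
    r"C:\Windows\PrintDialog\7a0fd90576e088",
    r"C:\Windows\Panther\actionqueue\27d1bcfc3c54e0",
    r"C:\Windows\servicing\SQM\System.exe",
    r"C:\Windows\Panther\actionqueue\System.exe",
    r"C:\Windows\PrintDialog\microsoft.system.package.metadata\Autogen\DllCommonsvc.exe",
]

if __name__ == "__main__":
    found = scan(DROPPED_FILES)
    for directory, f in found.items():
        print(directory, f)
    print("paired drop sites:", paired_drop_sites(found))
```

On the report's input this yields eight masqueraded binaries, seven marker files and six directories holding both; C:\Program Files\ModifiableWindowsApps and C:\Windows\servicing\SQM hold a masqueraded binary without a marker, and the Autogen directory holds a marker next to DllCommonsvc.exe, which is not a Windows name and so is not in the table.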
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of the victim in order to infer the geographical location of the host.
Key opened (all 3 entries): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process: JaffaCakes118_37c3ce5ead21b3fc3f8212c369b64b7712ce80908cb2163f1b5ae0ee574c2678.exe, WScript.exe, cmd.exe -
Modifies registry class 13 IoCs
Key created (all 13 entries): \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings
Process (hits): SearchApp.exe (12), JaffaCakes118_37c3ce5ead21b3fc3f8212c369b64b7712ce80908cb2163f1b5ae0ee574c2678.exe (1)
This key is created routinely by the shell (MuiCache lives under it), so it is noise on its own; it is listed because each SearchApp.exe generation touched it. -
Scheduled Task/Job: Scheduled Task 1 TTPs 51 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution. These are the same 51 schtasks.exe processes flagged above under the WmiPrvSE.exe parent. The report does not show their command lines, so the task names, triggers and actions have to be read from the host (Get-ScheduledTask, or the task XML under C:\Windows\System32\Tasks). PIDs are recycled within the 146-second run: 1980 appears here as schtasks.exe and later in the tree as SearchApp.exe, 2480 reappears as w32tm.exe, and powershell.exe 4488 reappears as w32tm.exe, so correlate on PID plus creation time rather than on PID alone.
pid (all schtasks.exe): 2332, 4068, 1224, 4496, 1632, 4568, 4440, 1980, 2560, 3548, 4728, 764, 896, 544, 984, 1608, 2460, 812, 3468, 5072, 2064, 4372, 4328, 5052, 3940, 2100, 5012, 4504, 872, 3944, 3000, 2480, 2260, 3452, 4420, 1692, 2196, 3640, 1644, 548, 3960, 2596, 2912, 1756, 1120, 1116, 2140, 728, 5024, 4508, 3896 -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid    Process           hits
3364   DllCommonsvc.exe  22
4144   powershell.exe    4
2544   powershell.exe    3
4488   powershell.exe    3
2308   SearchApp.exe     2
1264, 836, 2072, 4360, 1696, 428, 1184, 4264, 2136, 4588, 4784, 2880, 3916, 2400, 3496   powershell.exe   2 each
Both this list and the WriteProcessMemory list below stop at exactly 64 entries, and the latter ends well before the process tree does, so 64 is a display cap and these counts are lower bounds. -
Suspicious use of AdjustPrivilegeToken 32 IoCs
Token: SeDebugPrivilege, enabled by:
3364   DllCommonsvc.exe
powershell.exe: 2544, 4144, 1264, 836, 4488, 2072, 4360, 1696, 428, 1184, 4264, 2136, 4588, 4784, 2880, 3916, 3496, 2400 (all 18)
SearchApp.exe: 2308, 5804, 1440, 2800, 5128, 2920, 1980, 5188, 5376, 2780, 5648, 6128, 5240 (all 13, including the two past the end of the tree listing) -
Suspicious use of WriteProcessMemory 64 IoCs
Each entry records a parent writing into a child it has just created (parent PID -> child PID, parent image, procid_target). The 64 entries collapse to the unique edges below; the bracketed figure is how many times each was logged.
1868 -> 3028   JaffaCakes118_37c3ce5ead21b3fc3f8212c369b64b7712ce80908cb2163f1b5ae0ee574c2678.exe   84   [3]
3028 -> 4652   WScript.exe         85   [3]
4652 -> 3364   cmd.exe             87   [2]
3364 -> 2400, 428, 3916, 1184, 4784, 836, 2544, 3496, 1696, 1264, 4144, 4588, 4488, 2136, 4264, 4360, 2072, 2880   DllCommonsvc.exe   140 to 157 in that order   [2 each]
3364 -> 2308   DllCommonsvc.exe    175  [2]
2308 -> 5508   SearchApp.exe       177  [2]
5508 -> 5564   cmd.exe             179  [2]
5508 -> 5804   cmd.exe             184  [2]
5804 -> 4740   SearchApp.exe       188  [2]
4740 -> 4604   cmd.exe             190  [2]
4740 -> 1440   cmd.exe             192  [2]
1440 -> 432    SearchApp.exe       193  [2]
432 -> 3956    cmd.exe             195  [2]
432 -> 2800    cmd.exe             196  [2]
The list is capped at 64 entries: it stops at cmd.exe 432 -> SearchApp.exe 2800, while the process tree below continues for another fifteen levels, so the later SearchApp.exe generations are missing here and carry no WriteProcessMemory tag in the tree. -
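The flattened "PID A wrote to memory of B A image N" entries above are enough to rebuild the process tree and to spot the self-relaunch loop that the process tree below shows in full. The following is an added example, not code from the report: it parses an excerpt of the entries (copied verbatim from this report), de-duplicates the edges, measures the tree depth and flags every place where an image spawns cmd.exe which in turn spawns the same image again. Function names are this example's own; leaf processes that never wrote to a child have no image name in this data, which the code treats as unknown rather than guessing.

```python
# Added example, not part of the Triage report: a parser for the flattened
# "PID A wrote to memory of B A <image> N" entries of the WriteProcessMemory
# signature. It rebuilds the parent/child tree, measures its depth and flags
# the relaunch loop (an image spawning cmd.exe which spawns the same image
# again). The excerpt is copied from the report; every function name is this
# example's own.
import re
from collections import defaultdict
from typing import Dict, List, Tuple

_ENTRY = re.compile(
    r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) (?P<image>\S+) (?P<target>\d+)"
)


def parse_wpm(text: str) -> List[Tuple[int, int, str]]:
    """(parent_pid, child_pid, parent_image) per entry, duplicates kept."""
    return [(int(m["src"]), int(m["dst"]), m["image"]) for m in _ENTRY.finditer(text)]


def build_tree(entries):
    """parent pid -> unique child pids in first-seen order, and pid -> image name
    (known only for pids that appear as a parent; leaves have no image here)."""
    children: Dict[int, List[int]] = defaultdict(list)
    image: Dict[int, str] = {}
    for src, dst, img in entries:
        image[src] = img
        if dst not in children[src]:
            children[src].append(dst)
    return children, image


def depth(children, root: int) -> int:
    """Longest root-to-leaf path, counting the root as level 1."""
    best, stack = 0, [(root, 1)]
    while stack:
        pid, d = stack.pop()
        best = max(best, d)
        stack.extend((c, d + 1) for c in children.get(pid, []))
    return best


def relaunch_chains(children, image) -> List[Tuple[int, int, int]]:
    """(pid, cmd_pid, relaunched_pid) wherever an image respawns itself via cmd.exe."""
    hits = []
    for pid, kids in list(children.items()):
        for c in kids:
            if image.get(c, "").lower() != "cmd.exe":
                continue
            for g in children.get(c, []):
                if g in image and image[g] == image[pid]:
                    hits.append((pid, c, g))
    return hits


# Excerpt of the signature's entries as printed in the report (a constructed subset).
SAMPLE = (
    "PID 1868 wrote to memory of 3028 1868 JaffaCakes118_37c3ce5ead21b3fc3f8212c369b64b7712ce80908cb2163f1b5ae0ee574c2678.exe 84 "
    "PID 1868 wrote to memory of 3028 1868 JaffaCakes118_37c3ce5ead21b3fc3f8212c369b64b7712ce80908cb2163f1b5ae0ee574c2678.exe 84 "
    "PID 3028 wrote to memory of 4652 3028 WScript.exe 85 "
    "PID 4652 wrote to memory of 3364 4652 cmd.exe 87 "
    "PID 3364 wrote to memory of 2400 3364 DllCommonsvc.exe 140 "
    "PID 3364 wrote to memory of 2400 3364 DllCommonsvc.exe 140 "
    "PID 3364 wrote to memory of 2308 3364 DllCommonsvc.exe 175 "
    "PID 2308 wrote to memory of 5508 2308 SearchApp.exe 177 "
    "PID 5508 wrote to memory of 5564 5508 cmd.exe 179 "
    "PID 5508 wrote to memory of 5804 5508 cmd.exe 184 "
    "PID 5804 wrote to memory of 4740 5804 SearchApp.exe 188 "
    "PID 4740 wrote to memory of 4604 4740 cmd.exe 190 "
    "PID 4740 wrote to memory of 1440 4740 cmd.exe 192 "
    "PID 1440 wrote to memory of 432 1440 SearchApp.exe 193 "
    "PID 432 wrote to memory of 3956 432 cmd.exe 195 "
    "PID 432 wrote to memory of 2800 432 cmd.exe 196"
)

if __name__ == "__main__":
    ch, im = build_tree(parse_wpm(SAMPLE))
    print("depth:", depth(ch, 1868))
    for pid, cmd_pid, again in relaunch_chains(ch, im):
        print(f"{im[pid]} {pid} -> cmd.exe {cmd_pid} -> {im[again]} {again}")
```

On the excerpt the loop is found twice (SearchApp.exe 2308 via cmd.exe 5508 to 5804, and 5804 via 4740 to 1440); 2800 is not reported because it never appears as a parent in the capped list, which is exactly the gap the cap leaves. The same parser works on the complete signature text pasted in place of SAMPLE.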
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
Each entry gives the tree depth in brackets, the PID, the image path and the command line as recorded by the sandbox, followed by the signatures that fired on that process.

[1] PID 1868  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_37c3ce5ead21b3fc3f8212c369b64b7712ce80908cb2163f1b5ae0ee574c2678.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_37c3ce5ead21b3fc3f8212c369b64b7712ce80908cb2163f1b5ae0ee574c2678.exe"
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
  [2] PID 3028  C:\Windows\SysWOW64\WScript.exe
      cmdline: "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      (The image is under SysWOW64 although the command line names System32: WoW64 file system redirection, which shows the dropper is a 32-bit process.)
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
    [3] PID 4652  C:\Windows\SysWOW64\cmd.exe
        cmdline: C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
      [4] PID 3364  C:\providercommon\DllCommonsvc.exe
          cmdline: "C:\providercommon\DllCommonsvc.exe"
          - Checks computer location settings
          - Executes dropped EXE
          - Drops file in Program Files directory
          - Drops file in Windows directory
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
        [5] Eighteen powershell.exe children of PID 3364, image C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, each tagged Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken. Command lines:
            PID 2400  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            PID 428   "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\taskhostw.exe'
            PID 3916  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\RuntimeBroker.exe'
            PID 1184  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\fontdrvhost.exe'
            PID 4784  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\Idle.exe'
            PID 836   "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\dllhost.exe'
            PID 2544  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\winlogon.exe'
            PID 3496  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\fontdrvhost.exe'
            PID 1696  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SoftwareDistribution\Download\upfc.exe'
            PID 1264  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\lsass.exe'
            PID 4144  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PrintDialog\explorer.exe'
            PID 4588  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\SearchApp.exe'
            PID 4488  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\wininit.exe'
            PID 2136  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\Idle.exe'
            PID 4264  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.123\unsecapp.exe'
            PID 4360  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Panther\actionqueue\System.exe'
            PID 2072  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PrintDialog\microsoft.system.package.metadata\Autogen\DllCommonsvc.exe'
            PID 2880  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\spoolsv.exe'
        [5] PID 2308  C:\providercommon\SearchApp.exe
            cmdline: "C:\providercommon\SearchApp.exe"
            - Checks computer location settings
            - Executes dropped EXE
            - Modifies registry class
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory

From PID 2308 downward the same three-process cycle repeats to the bottom of the listing: SearchApp.exe writes a batch file to C:\Users\Admin\AppData\Local\Temp\, runs it with cmd.exe /C, the batch file calls w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 (two samples five seconds apart, which serves as a delay that needs no console input), and then starts C:\providercommon\SearchApp.exe again one level deeper. Every w32tm.exe is C:\Windows\system32\w32tm.exe with that command line and carries no signature; every cmd.exe is C:\Windows\System32\cmd.exe with the command line "C:\Windows\System32\cmd.exe" /C "<batch file>"; every SearchApp.exe is C:\providercommon\SearchApp.exe with the command line "C:\providercommon\SearchApp.exe". The listing ends at depth 26, which is why SearchApp.exe 6128 and 5240 from the signatures above do not appear here.

depth  SearchApp.exe PID  cmd.exe PID  batch file in C:\Users\Admin\AppData\Local\Temp\   w32tm.exe PID (one level below cmd.exe)
5      2308 (a)           5508 (w)     dgWvFyiHB2.bat                                      5564
7      5804 (b)           4740 (w)     F4MZx53eLu.bat                                      4604
9      1440 (b)           432 (w)      AsgPmp9HNF.bat                                      3956
11     2800 (c)           3276         I0OceA6Xfh.bat                                      2184
13     5128 (c)           4376         XkJigN4PJf.bat                                      2480
15     2920 (c)           1784         QqrgVo7Q94.bat                                      4488
17     1980 (c)           2088         eXOrkcF5G0.bat                                      3444
19     5188 (c)           3884         IrGY9odMle.bat                                      2188
21     5376 (c)           3004         mNrvcGFykN.bat                                      5344
23     2780 (c)           2856         lLU0orPlEL.bat                                      2404
25     5648 (c)           5640         PliZKNaLvF.bat                                      (listing ends here)

Signature sets: (a) Checks computer location settings; Executes dropped EXE; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory. (b) as (a) without EnumeratesProcesses. (c) as (b) without WriteProcessMemory (the WriteProcessMemory list above ends at cmd.exe 432 -> SearchApp.exe 2800, so the tags stop there too). (w) cmd.exe tagged Suspicious use of WriteProcessMemory; the remaining cmd.exe entries carry no signature.
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:227⤵PID:5600
-
-
C:\providercommon\SearchApp.exe"C:\providercommon\SearchApp.exe"27⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:6128 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\D9KWG0zl28.bat"28⤵PID:6084
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:229⤵PID:3948
-
-
C:\providercommon\SearchApp.exe"C:\providercommon\SearchApp.exe"29⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5240
[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Portable Devices\taskhostw.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:2260

[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\taskhostw.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:764

[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Portable Devices\taskhostw.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:812

[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\providercommon\RuntimeBroker.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:896

[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\providercommon\RuntimeBroker.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:4328

[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\providercommon\RuntimeBroker.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:2332

[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\providercommon\fontdrvhost.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:4496

[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\providercommon\fontdrvhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:1120

[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\providercommon\fontdrvhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:1116

[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:544

[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:3468

[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:548

[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:3452

[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:2140

[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:984

[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\winlogon.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:728

[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\winlogon.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:1632

[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\winlogon.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:5052

[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\providercommon\fontdrvhost.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:1608

[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\providercommon\fontdrvhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:4068

[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\providercommon\fontdrvhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:4420

[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 11 /tr "'C:\Windows\SoftwareDistribution\Download\upfc.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:4568

[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Windows\SoftwareDistribution\Download\upfc.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:5072

[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 8 /tr "'C:\Windows\SoftwareDistribution\Download\upfc.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:3940

[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\providercommon\lsass.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:1692

[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:4440

[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:2100

[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Windows\PrintDialog\explorer.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:3960

[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\PrintDialog\explorer.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:5024

[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Windows\PrintDialog\explorer.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:5012

[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 5 /tr "'C:\providercommon\SearchApp.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:4508

[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\providercommon\SearchApp.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:1980

[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 7 /tr "'C:\providercommon\SearchApp.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:4504

[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\wininit.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:2196

[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Default User\wininit.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:2596

[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\wininit.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:2560

[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Documents\Idle.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:3548

[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Public\Documents\Idle.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:3640

[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Documents\Idle.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:872

[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.123\unsecapp.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:3896

[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.123\unsecapp.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:4372

[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.123\unsecapp.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:1644

[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Windows\Panther\actionqueue\System.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:2064

[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\Panther\actionqueue\System.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:3944

[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Windows\Panther\actionqueue\System.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:2912

[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 7 /tr "'C:\Windows\PrintDialog\microsoft.system.package.metadata\Autogen\DllCommonsvc.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:3000

[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Windows\PrintDialog\microsoft.system.package.metadata\Autogen\DllCommonsvc.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:1756

[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 5 /tr "'C:\Windows\PrintDialog\microsoft.system.package.metadata\Autogen\DllCommonsvc.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:1224

[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:2460

[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:2480

[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:4728
Network
MITRE ATT&CK Enterprise v15
Downloads