Analysis

max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted: 21-12-2024 19:52

Behavioral task: behavioral1
Sample: JaffaCakes118_34f19e77e80c969abefb74e0677fe33c1e3cbd9bf269a7ac9c89b60f0c9b7db0.exe
Resource: win7-20241010-en

Behavioral task: behavioral2
Sample: JaffaCakes118_34f19e77e80c969abefb74e0677fe33c1e3cbd9bf269a7ac9c89b60f0c9b7db0.exe
Resource: win10v2004-20241007-en

General

Target: JaffaCakes118_34f19e77e80c969abefb74e0677fe33c1e3cbd9bf269a7ac9c89b60f0c9b7db0.exe
Size: 1.3MB
MD5: 1f532439752677e32e6d8943216e852a
SHA1: 2c5de7dd1cf5755b5237302feb58a6a303038e30
SHA256: 34f19e77e80c969abefb74e0677fe33c1e3cbd9bf269a7ac9c89b60f0c9b7db0
SHA512: 20359be036ed722fe977c6206fdba0318279afe7d70b3305eb2c963d75127d7887d38b1a030c8cdaf92a6d60c92ee08ab5973143afb8991f76b245afb0ac5779
SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

Dcrat family

Process spawned unexpected child process (51 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
All 51 rows share the same description, pid_target, Process and procid_target and differ only in pid:
description: Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
pid_target: 3808 | Process: schtasks.exe | procid_target: 86
pid (51 values, in order): 3556, 1248, 2404, 1760, 1796, 1912, 312, 3796, 3920, 2892, 1976, 2944, 4284, 1532, 1984, 3636, 2908, 4404, 2592, 3744, 3836, 4324, 2692, 1828, 1308, 2744, 2844, 3056, 4332, 3380, 388, 3820, 4864, 3088, 4344, 2672, 3432, 3480, 1600, 4484, 1980, 1352, 868, 4384, 5020, 4720, 3252, 3532, 3788, 4816, 2996

resource | yara_rule
behavioral2/files/0x0007000000023c8f-10.dat | dcrat
behavioral2/memory/4368-13-0x0000000000CB0000-0x0000000000DC0000-memory.dmp | dcrat
Command and Scripting Interpreter: PowerShell (1 TTPs, 18 IoCs)
Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid | Process (all 18 rows: powershell.exe); pids in order: 1012, 2344, 4360, 2332, 4776, 1804, 4304, 4908, 4992, 1472, 3192, 5080, 1836, 3448, 2740, 368, 864, 3972
Checks computer location settings (2 TTPs, 14 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
All 14 rows: Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation
Process, in order: cmd.exe, cmd.exe, cmd.exe, cmd.exe, cmd.exe, JaffaCakes118_34f19e77e80c969abefb74e0677fe33c1e3cbd9bf269a7ac9c89b60f0c9b7db0.exe, DllCommonsvc.exe, cmd.exe, cmd.exe, WScript.exe, cmd.exe, cmd.exe, cmd.exe, cmd.exe
Executes dropped EXE (13 IoCs)
pid | Process
4368 | DllCommonsvc.exe
2468 | cmd.exe
3164 | cmd.exe
896 | cmd.exe
4812 | cmd.exe
4304 | cmd.exe
3400 | cmd.exe
4680 | cmd.exe
3688 | cmd.exe
4176 | cmd.exe
3856 | cmd.exe
3168 | cmd.exe
4908 | cmd.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 12 IoCs)
flow | ioc
All 12 rows have ioc raw.githubusercontent.com; flow ids in order: 46, 54, 55, 26, 32, 42, 45, 53, 17, 18, 41, 52
Drops file in Program Files directory (12 IoCs)
description | ioc | Process (all 12 rows: File created, Process DllCommonsvc.exe)
C:\Program Files\WindowsPowerShell\Configuration\cmd.exe
C:\Program Files\WindowsPowerShell\Configuration\ebf1f9fa8afd6d
C:\Program Files (x86)\Windows NT\Accessories\en-US\SearchApp.exe
C:\Program Files (x86)\Windows NT\Accessories\en-US\38384e6a620884
C:\Program Files\Windows Photo Viewer\en-US\c5b4cb5e9653cc
C:\Program Files\Windows Portable Devices\38384e6a620884
C:\Program Files\VideoLAN\6203df4a6bafc7
C:\Program Files (x86)\Reference Assemblies\Microsoft\dllhost.exe
C:\Program Files (x86)\Reference Assemblies\Microsoft\5940a34987c991
C:\Program Files\Windows Photo Viewer\en-US\services.exe
C:\Program Files\Windows Portable Devices\SearchApp.exe
C:\Program Files\VideoLAN\lsass.exe
Drops file in Windows directory (6 IoCs)
description | ioc | Process (all 6 rows: File created, Process DllCommonsvc.exe)
C:\Windows\Sun\Java\Deployment\56085415360792
C:\Windows\Speech_OneCore\Engines\TTS\es-ES\NUSData\fontdrvhost.exe
C:\Windows\Speech_OneCore\Engines\TTS\es-ES\NUSData\5b884080fd4f94
C:\Windows\it-IT\OfficeClickToRun.exe
C:\Windows\it-IT\e6c9b481da804f
C:\Windows\Sun\Java\Deployment\wininit.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_34f19e77e80c969abefb74e0677fe33c1e3cbd9bf269a7ac9c89b60f0c9b7db0.exe

Modifies registry class (12 IoCs)
description | ioc | Process
All 12 rows: Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings
Process, in order: cmd.exe, cmd.exe, cmd.exe, cmd.exe, JaffaCakes118_34f19e77e80c969abefb74e0677fe33c1e3cbd9bf269a7ac9c89b60f0c9b7db0.exe, cmd.exe, cmd.exe, cmd.exe, cmd.exe, cmd.exe, cmd.exe, cmd.exe
Scheduled Task/Job: Scheduled Task (1 TTPs, 51 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process (all 51 rows: schtasks.exe); pids in order: 1980, 4384, 4816, 3796, 2892, 3480, 3556, 2908, 1828, 4284, 1532, 1984, 4404, 3744, 1248, 1796, 1976, 388, 3088, 2744, 3056, 3380, 1308, 2672, 1600, 4720, 2404, 2592, 4324, 4332, 868, 3788, 1912, 312, 2944, 3432, 2996, 4864, 4344, 1352, 3252, 3532, 1760, 3836, 2692, 3820, 4484, 5020, 3920, 3636, 2844
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process (64 rows in order of appearance; consecutive identical rows collapsed with a count)
4368 | DllCommonsvc.exe (x23)
4360 | powershell.exe (x2)
3972 | powershell.exe (x2)
3192 | powershell.exe (x2)
1012 | powershell.exe (x2)
368 | powershell.exe (x2)
3448 | powershell.exe (x2)
2740 | powershell.exe (x2)
4908 | powershell.exe (x2)
4304 | powershell.exe (x2)
5080 | powershell.exe (x2)
1804 | powershell.exe (x2)
2344 | powershell.exe (x2)
1472 | powershell.exe (x2)
4776 | powershell.exe (x2)
864 | powershell.exe (x2)
2332 | powershell.exe (x2)
4992 | powershell.exe (x2)
1836 | powershell.exe (x3)
2468 | cmd.exe (x2)
2344 | powershell.exe
1012 | powershell.exe
Suspicious use of AdjustPrivilegeToken (31 IoCs)
description | pid | Process (all 31 rows: Token: SeDebugPrivilege)
4368 | DllCommonsvc.exe
4360 | powershell.exe
3972 | powershell.exe
3192 | powershell.exe
1012 | powershell.exe
368 | powershell.exe
3448 | powershell.exe
2740 | powershell.exe
4908 | powershell.exe
4304 | powershell.exe
1836 | powershell.exe
5080 | powershell.exe
1804 | powershell.exe
2344 | powershell.exe
1472 | powershell.exe
4776 | powershell.exe
864 | powershell.exe
2332 | powershell.exe
4992 | powershell.exe
2468 | cmd.exe
3164 | cmd.exe
896 | cmd.exe
4812 | cmd.exe
4304 | cmd.exe
3400 | cmd.exe
4680 | cmd.exe
3688 | cmd.exe
4176 | cmd.exe
3856 | cmd.exe
3168 | cmd.exe
4908 | cmd.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description: PID <pid> wrote to memory of <pid_target>
pid | pid_target | Process | procid_target | rows
3228 | 4408 | JaffaCakes118_34f19e77e80c969abefb74e0677fe33c1e3cbd9bf269a7ac9c89b60f0c9b7db0.exe | 82 | x3
4408 | 4240 | WScript.exe | 83 | x3
4240 | 4368 | cmd.exe | 85 | x2
4368 | 1012 | DllCommonsvc.exe | 138 | x2
4368 | 4992 | DllCommonsvc.exe | 139 | x2
4368 | 4360 | DllCommonsvc.exe | 140 | x2
4368 | 2344 | DllCommonsvc.exe | 141 | x2
4368 | 2332 | DllCommonsvc.exe | 142 | x2
4368 | 1472 | DllCommonsvc.exe | 143 | x2
4368 | 3192 | DllCommonsvc.exe | 144 | x2
4368 | 3972 | DllCommonsvc.exe | 145 | x2
4368 | 864 | DllCommonsvc.exe | 146 | x2
4368 | 368 | DllCommonsvc.exe | 147 | x2
4368 | 4908 | DllCommonsvc.exe | 148 | x2
4368 | 4304 | DllCommonsvc.exe | 149 | x2
4368 | 2740 | DllCommonsvc.exe | 150 | x2
4368 | 3448 | DllCommonsvc.exe | 151 | x2
4368 | 1836 | DllCommonsvc.exe | 153 | x2
4368 | 1804 | DllCommonsvc.exe | 154 | x2
4368 | 5080 | DllCommonsvc.exe | 155 | x2
4368 | 4776 | DllCommonsvc.exe | 156 | x2
4368 | 2468 | DllCommonsvc.exe | 173 | x2
2468 | 4000 | cmd.exe | 179 | x2
4000 | 2828 | cmd.exe | 181 | x2
4000 | 3164 | cmd.exe | 184 | x2
3164 | 4296 | cmd.exe | 185 | x2
4296 | 528 | cmd.exe | 187 | x2
4296 | 896 | cmd.exe | 188 | x2
896 | 3468 | cmd.exe | 190 | x2
3468 | 4360 | cmd.exe | 192 | x2
3468 | 4812 | cmd.exe | 194 | x2
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

[depth 1] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_34f19e77e80c969abefb74e0677fe33c1e3cbd9bf269a7ac9c89b60f0c9b7db0.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_34f19e77e80c969abefb74e0677fe33c1e3cbd9bf269a7ac9c89b60f0c9b7db0.exe"
    PID: 3228
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory

[depth 2] C:\Windows\SysWOW64\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
    PID: 4408
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

[depth 3] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    PID: 4240
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

[depth 4] C:\providercommon\DllCommonsvc.exe
    Command line: "C:\providercommon\DllCommonsvc.exe"
    PID: 4368
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (18 instances; each one is flagged with the same three signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken)
    PID 1012: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
    PID 4992: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\SppExtComObj.exe'
    PID 4360: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\OfficeClickToRun.exe'
    PID 2344: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\WindowsPowerShell\Configuration\cmd.exe'
    PID 2332: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\cmd.exe'
    PID 1472: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\StartMenuExperienceHost.exe'
    PID 3192: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\Microsoft\dllhost.exe'
    PID 3972: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\Accessories\en-US\SearchApp.exe'
    PID 864: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\StartMenuExperienceHost.exe'
    PID 368: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Photo Viewer\en-US\services.exe'
    PID 4908: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\it-IT\OfficeClickToRun.exe'
    PID 4304: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\RuntimeBroker.exe'
    PID 2740: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Music\explorer.exe'
    PID 3448: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\SearchApp.exe'
    PID 1836: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\RuntimeBroker.exe'
    PID 1804: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Sun\Java\Deployment\wininit.exe'
    PID 5080: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\lsass.exe'
    PID 4776: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Speech_OneCore\Engines\TTS\es-ES\NUSData\fontdrvhost.exe'
C:\providercommon\cmd.exe"C:\providercommon\cmd.exe"5⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2468 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tYG4XGbOex.bat"6⤵
- Suspicious use of WriteProcessMemory
PID:4000 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:27⤵PID:2828
-
-
C:\providercommon\cmd.exe"C:\providercommon\cmd.exe"7⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3164 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RkPY472Oq9.bat"8⤵
- Suspicious use of WriteProcessMemory
PID:4296 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:29⤵PID:528
-
-
C:\providercommon\cmd.exe"C:\providercommon\cmd.exe"9⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:896 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8KwMxVG80h.bat"10⤵
- Suspicious use of WriteProcessMemory
PID:3468 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:211⤵PID:4360
-
-
C:\providercommon\cmd.exe (depth 11)
  "C:\providercommon\cmd.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  PID:4812
C:\Windows\System32\cmd.exe (depth 12)
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9BpIS9nw5f.bat"
  PID:1852
C:\Windows\system32\w32tm.exe (depth 13)
  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID:2076
C:\providercommon\cmd.exe (depth 13)
  "C:\providercommon\cmd.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  PID:4304
C:\Windows\System32\cmd.exe (depth 14)
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hibqn60Xcy.bat"
  PID:4908
C:\Windows\system32\w32tm.exe (depth 15)
  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID:1804
C:\providercommon\cmd.exe (depth 15)
  "C:\providercommon\cmd.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  PID:3400
C:\Windows\System32\cmd.exe (depth 16)
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IuwUCT1VMm.bat"
  PID:2560
C:\Windows\system32\w32tm.exe (depth 17)
  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID:3744
C:\providercommon\cmd.exe (depth 17)
  "C:\providercommon\cmd.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  PID:4680
C:\Windows\System32\cmd.exe (depth 18)
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xEoBbgPmrR.bat"
  PID:1208
C:\Windows\system32\w32tm.exe (depth 19)
  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID:2828
C:\providercommon\cmd.exe (depth 19)
  "C:\providercommon\cmd.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  PID:3688
C:\Windows\System32\cmd.exe (depth 20)
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3HNGHapxv4.bat"
  PID:3600
C:\Windows\system32\w32tm.exe (depth 21)
  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID:1120
C:\providercommon\cmd.exe (depth 21)
  "C:\providercommon\cmd.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  PID:4176
C:\Windows\System32\cmd.exe (depth 22)
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HAQQp9H1T4.bat"
  PID:4284
C:\Windows\system32\w32tm.exe (depth 23)
  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID:1552
C:\providercommon\cmd.exe (depth 23)
  "C:\providercommon\cmd.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  PID:3856
C:\Windows\System32\cmd.exe (depth 24)
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sNl5EWIzDs.bat"
  PID:548
C:\Windows\system32\w32tm.exe (depth 25)
  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID:2612
C:\providercommon\cmd.exe (depth 25)
  "C:\providercommon\cmd.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  PID:3168
C:\Windows\System32\cmd.exe (depth 26)
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ww6iFNwlpp.bat"
  PID:3644
C:\Windows\system32\w32tm.exe (depth 27)
  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID:4080
C:\providercommon\cmd.exe (depth 27)
  "C:\providercommon\cmd.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4908
C:\Windows\system32\schtasks.exe (depth 1)
  schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 10 /tr "'C:\providercommon\SppExtComObj.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:3556
C:\Windows\system32\schtasks.exe (depth 1)
  schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\providercommon\SppExtComObj.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:1248
C:\Windows\system32\schtasks.exe (depth 1)
  schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 6 /tr "'C:\providercommon\SppExtComObj.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:2404
C:\Windows\system32\schtasks.exe (depth 1)
  schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:1760
C:\Windows\system32\schtasks.exe (depth 1)
  schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:1796
C:\Windows\system32\schtasks.exe (depth 1)
  schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:1912
C:\Windows\system32\schtasks.exe (depth 1)
  schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Program Files\WindowsPowerShell\Configuration\cmd.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:312
C:\Windows\system32\schtasks.exe (depth 1)
  schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\Configuration\cmd.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:3796
C:\Windows\system32\schtasks.exe (depth 1)
  schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Program Files\WindowsPowerShell\Configuration\cmd.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:3920
C:\Windows\system32\schtasks.exe (depth 1)
  schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\providercommon\cmd.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:2892
C:\Windows\system32\schtasks.exe (depth 1)
  schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\providercommon\cmd.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:1976
C:\Windows\system32\schtasks.exe (depth 1)
  schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\providercommon\cmd.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:2944
C:\Windows\system32\schtasks.exe (depth 1)
  schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\StartMenuExperienceHost.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:4284
C:\Windows\system32\schtasks.exe (depth 1)
  schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Users\All Users\StartMenuExperienceHost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:1532
C:\Windows\system32\schtasks.exe (depth 1)
  schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\StartMenuExperienceHost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:1984
C:\Windows\system32\schtasks.exe (depth 1)
  schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\dllhost.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:3636
C:\Windows\system32\schtasks.exe (depth 1)
  schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\dllhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:2908
C:\Windows\system32\schtasks.exe (depth 1)
  schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\dllhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:4404
C:\Windows\system32\schtasks.exe (depth 1)
  schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\SearchApp.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:2592
C:\Windows\system32\schtasks.exe (depth 1)
  schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\SearchApp.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:3744
C:\Windows\system32\schtasks.exe (depth 1)
  schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\SearchApp.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:3836
C:\Windows\system32\schtasks.exe (depth 1)
  schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 12 /tr "'C:\providercommon\StartMenuExperienceHost.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:4324
C:\Windows\system32\schtasks.exe (depth 1)
  schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\providercommon\StartMenuExperienceHost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:2692
C:\Windows\system32\schtasks.exe (depth 1)
  schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 10 /tr "'C:\providercommon\StartMenuExperienceHost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:1828
C:\Windows\system32\schtasks.exe (depth 1)
  schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Photo Viewer\en-US\services.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:1308
C:\Windows\system32\schtasks.exe (depth 1)
  schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\en-US\services.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:2744
C:\Windows\system32\schtasks.exe (depth 1)
  schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Photo Viewer\en-US\services.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:2844
C:\Windows\system32\schtasks.exe (depth 1)
  schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 12 /tr "'C:\Windows\it-IT\OfficeClickToRun.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:3056
C:\Windows\system32\schtasks.exe (depth 1)
  schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Windows\it-IT\OfficeClickToRun.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:4332
C:\Windows\system32\schtasks.exe (depth 1)
  schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 6 /tr "'C:\Windows\it-IT\OfficeClickToRun.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:3380
C:\Windows\system32\schtasks.exe (depth 1)
  schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:388
C:\Windows\system32\schtasks.exe (depth 1)
  schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:3820
C:\Windows\system32\schtasks.exe (depth 1)
  schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:4864
C:\Windows\system32\schtasks.exe (depth 1)
  schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Music\explorer.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:3088
C:\Windows\system32\schtasks.exe (depth 1)
  schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Default\Music\explorer.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:4344
C:\Windows\system32\schtasks.exe (depth 1)
  schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Music\explorer.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:2672
C:\Windows\system32\schtasks.exe (depth 1)
  schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Portable Devices\SearchApp.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:3432
C:\Windows\system32\schtasks.exe (depth 1)
  schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\SearchApp.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:3480
C:\Windows\system32\schtasks.exe (depth 1)
  schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Portable Devices\SearchApp.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:1600
C:\Windows\system32\schtasks.exe (depth 1)
  schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\providercommon\RuntimeBroker.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:4484
C:\Windows\system32\schtasks.exe (depth 1)
  schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\providercommon\RuntimeBroker.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:1980
C:\Windows\system32\schtasks.exe (depth 1)
  schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\providercommon\RuntimeBroker.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:1352
C:\Windows\system32\schtasks.exe (depth 1)
  schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Windows\Sun\Java\Deployment\wininit.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:868
C:\Windows\system32\schtasks.exe (depth 1)
  schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\Sun\Java\Deployment\wininit.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:4384
C:\Windows\system32\schtasks.exe (depth 1)
  schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Windows\Sun\Java\Deployment\wininit.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:5020
C:\Windows\system32\schtasks.exe (depth 1)
  schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Program Files\VideoLAN\lsass.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:4720
C:\Windows\system32\schtasks.exe (depth 1)
  schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\lsass.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:3252
C:\Windows\system32\schtasks.exe (depth 1)
  schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Program Files\VideoLAN\lsass.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:3532
C:\Windows\system32\schtasks.exe (depth 1)
  schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Windows\Speech_OneCore\Engines\TTS\es-ES\NUSData\fontdrvhost.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:3788
C:\Windows\system32\schtasks.exe (depth 1)
  schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\Speech_OneCore\Engines\TTS\es-ES\NUSData\fontdrvhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:4816
C:\Windows\system32\schtasks.exe (depth 1)
  schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Windows\Speech_OneCore\Engines\TTS\es-ES\NUSData\fontdrvhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:2996
Network
MITRE ATT&CK Enterprise v15
Downloads