Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
21-12-2024 20:07
Behavioral task
behavioral1
Sample
JaffaCakes118_714db34e8628cd69be90dc3f7d9667ead56cf36cc905953619be1a720339398d.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
JaffaCakes118_714db34e8628cd69be90dc3f7d9667ead56cf36cc905953619be1a720339398d.exe
Resource
win10v2004-20241007-en
General
-
Target
JaffaCakes118_714db34e8628cd69be90dc3f7d9667ead56cf36cc905953619be1a720339398d.exe
-
Size
1.3MB
-
MD5
44463f70262232632b8df6fe85bedaa6
-
SHA1
8d768325f168d80e73c473fa0379b2515913bbc4
-
SHA256
714db34e8628cd69be90dc3f7d9667ead56cf36cc905953619be1a720339398d
-
SHA512
b72eb57add3789d0932886e050ffb9b032d7ed5931b799d118ccc30d87108e10d06cb8a16c753a41521bee0d5b1c078cdbb5607c68bf87d0ccd823c900d664f8
-
SSDEEP
24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 42 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4056 3688 schtasks.exe 94 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3252 3688 schtasks.exe 94 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2040 3688 schtasks.exe 94 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4368 3688 schtasks.exe 94 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1980 3688 schtasks.exe 94 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2372 3688 schtasks.exe 94 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1936 3688 schtasks.exe 94 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4704 3688 schtasks.exe 94 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2496 3688 schtasks.exe 94 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3136 3688 schtasks.exe 94 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 624 3688 schtasks.exe 94 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3908 3688 schtasks.exe 94 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3696 3688 schtasks.exe 94 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2792 3688 schtasks.exe 94 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4512 3688 schtasks.exe 94 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2376 3688 schtasks.exe 94 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4608 3688 schtasks.exe 94 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2188 3688 schtasks.exe 94 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2880 3688 schtasks.exe 94 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1704 3688 schtasks.exe 94 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1540 3688 schtasks.exe 94 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4176 3688 schtasks.exe 94 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3884 3688 schtasks.exe 94 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4876 3688 schtasks.exe 94 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 884 3688 schtasks.exe 94 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 684 3688 schtasks.exe 94 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1068 3688 schtasks.exe 94 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3408 3688 schtasks.exe 94 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 384 3688 schtasks.exe 94 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2912 3688 schtasks.exe 94 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 912 3688 schtasks.exe 94 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2928 3688 schtasks.exe 94 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3424 3688 schtasks.exe 94 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 548 3688 schtasks.exe 94 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3668 3688 schtasks.exe 94 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 812 3688 schtasks.exe 94 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5060 3688 schtasks.exe 94 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5100 3688 schtasks.exe 94 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4880 3688 schtasks.exe 94 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3264 3688 schtasks.exe 94 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2432 3688 schtasks.exe 94 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4312 3688 schtasks.exe 94 -
resource yara_rule behavioral2/files/0x0007000000023ca8-9.dat dcrat behavioral2/memory/4968-13-0x00000000001C0000-0x00000000002D0000-memory.dmp dcrat -
Command and Scripting Interpreter: PowerShell 1 TTPs 15 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 4564 powershell.exe 5008 powershell.exe 1416 powershell.exe 4308 powershell.exe 1164 powershell.exe 640 powershell.exe 1492 powershell.exe 552 powershell.exe 3904 powershell.exe 3992 powershell.exe 2288 powershell.exe 4164 powershell.exe 1568 powershell.exe 4724 powershell.exe 4964 powershell.exe -
Checks computer location settings 2 TTPs 16 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation OfficeClickToRun.exe Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation OfficeClickToRun.exe Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation JaffaCakes118_714db34e8628cd69be90dc3f7d9667ead56cf36cc905953619be1a720339398d.exe Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation DllCommonsvc.exe Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation OfficeClickToRun.exe Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation OfficeClickToRun.exe Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation OfficeClickToRun.exe Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation OfficeClickToRun.exe Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation OfficeClickToRun.exe Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation OfficeClickToRun.exe Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation OfficeClickToRun.exe Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation OfficeClickToRun.exe Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation OfficeClickToRun.exe Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation OfficeClickToRun.exe Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation OfficeClickToRun.exe -
Executes dropped EXE 15 IoCs
pid Process 4968 DllCommonsvc.exe 3384 OfficeClickToRun.exe 2772 OfficeClickToRun.exe 1192 OfficeClickToRun.exe 4912 OfficeClickToRun.exe 4704 OfficeClickToRun.exe 1752 OfficeClickToRun.exe 3056 OfficeClickToRun.exe 3436 OfficeClickToRun.exe 4120 OfficeClickToRun.exe 4800 OfficeClickToRun.exe 1140 OfficeClickToRun.exe 4208 OfficeClickToRun.exe 4108 OfficeClickToRun.exe 4788 OfficeClickToRun.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 14 IoCs
flow ioc 18 raw.githubusercontent.com 43 raw.githubusercontent.com 50 raw.githubusercontent.com 51 raw.githubusercontent.com 52 raw.githubusercontent.com 17 raw.githubusercontent.com 23 raw.githubusercontent.com 36 raw.githubusercontent.com 42 raw.githubusercontent.com 44 raw.githubusercontent.com 49 raw.githubusercontent.com 22 raw.githubusercontent.com 37 raw.githubusercontent.com 41 raw.githubusercontent.com -
Drops file in Program Files directory 6 IoCs
description ioc Process File created C:\Program Files\VideoLAN\VLC\skins\fonts\38384e6a620884 DllCommonsvc.exe File created C:\Program Files\dotnet\shared\services.exe DllCommonsvc.exe File created C:\Program Files\dotnet\shared\c5b4cb5e9653cc DllCommonsvc.exe File created C:\Program Files (x86)\Reference Assemblies\Microsoft\sysmon.exe DllCommonsvc.exe File created C:\Program Files (x86)\Reference Assemblies\Microsoft\121e5b5079f7c0 DllCommonsvc.exe File created C:\Program Files\VideoLAN\VLC\skins\fonts\SearchApp.exe DllCommonsvc.exe -
Drops file in Windows directory 4 IoCs
description ioc Process File created C:\Windows\PolicyDefinitions\es-ES\sihost.exe DllCommonsvc.exe File created C:\Windows\PolicyDefinitions\es-ES\66fc9ff0ee96c2 DllCommonsvc.exe File created C:\Windows\BitLockerDiscoveryVolumeContents\spoolsv.exe DllCommonsvc.exe File created C:\Windows\BitLockerDiscoveryVolumeContents\f3b6ecef712a24 DllCommonsvc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_714db34e8628cd69be90dc3f7d9667ead56cf36cc905953619be1a720339398d.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
Modifies registry class 15 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings OfficeClickToRun.exe Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings OfficeClickToRun.exe Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings OfficeClickToRun.exe Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings OfficeClickToRun.exe Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings OfficeClickToRun.exe Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings OfficeClickToRun.exe Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings OfficeClickToRun.exe Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings OfficeClickToRun.exe Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings OfficeClickToRun.exe Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings OfficeClickToRun.exe Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings OfficeClickToRun.exe Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings OfficeClickToRun.exe Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings OfficeClickToRun.exe Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings JaffaCakes118_714db34e8628cd69be90dc3f7d9667ead56cf36cc905953619be1a720339398d.exe Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings DllCommonsvc.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 42 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 912 schtasks.exe 812 schtasks.exe 2496 schtasks.exe 2880 schtasks.exe 1540 schtasks.exe 4876 schtasks.exe 384 schtasks.exe 5060 schtasks.exe 4608 schtasks.exe 4368 schtasks.exe 1936 schtasks.exe 4312 schtasks.exe 4056 schtasks.exe 3136 schtasks.exe 3908 schtasks.exe 4176 schtasks.exe 3408 schtasks.exe 3424 schtasks.exe 548 schtasks.exe 3252 schtasks.exe 3696 schtasks.exe 2792 schtasks.exe 4512 schtasks.exe 1704 schtasks.exe 3884 schtasks.exe 3668 schtasks.exe 3264 schtasks.exe 1980 schtasks.exe 4880 schtasks.exe 2912 schtasks.exe 4704 schtasks.exe 2188 schtasks.exe 884 schtasks.exe 2928 schtasks.exe 2432 schtasks.exe 2040 schtasks.exe 624 schtasks.exe 2376 schtasks.exe 684 schtasks.exe 1068 schtasks.exe 5100 schtasks.exe 2372 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4968 DllCommonsvc.exe 4968 DllCommonsvc.exe 4968 DllCommonsvc.exe 4968 DllCommonsvc.exe 4968 DllCommonsvc.exe 4968 DllCommonsvc.exe 4968 DllCommonsvc.exe 4968 DllCommonsvc.exe 4968 DllCommonsvc.exe 4968 DllCommonsvc.exe 4968 DllCommonsvc.exe 4968 DllCommonsvc.exe 4968 DllCommonsvc.exe 4964 powershell.exe 4964 powershell.exe 3992 powershell.exe 3992 powershell.exe 552 powershell.exe 552 powershell.exe 1568 powershell.exe 1568 powershell.exe 4164 powershell.exe 4164 powershell.exe 2288 powershell.exe 2288 powershell.exe 640 powershell.exe 640 powershell.exe 4308 powershell.exe 4308 powershell.exe 1492 powershell.exe 1492 powershell.exe 4724 powershell.exe 4724 powershell.exe 4564 powershell.exe 4564 powershell.exe 3904 powershell.exe 3904 powershell.exe 1164 powershell.exe 1164 powershell.exe 1416 powershell.exe 1416 powershell.exe 552 powershell.exe 4308 powershell.exe 3904 powershell.exe 5008 powershell.exe 5008 powershell.exe 4964 powershell.exe 4964 powershell.exe 1492 powershell.exe 1164 powershell.exe 3992 powershell.exe 640 powershell.exe 1568 powershell.exe 2288 powershell.exe 4164 powershell.exe 1416 powershell.exe 4564 powershell.exe 5008 powershell.exe 4724 powershell.exe 3384 OfficeClickToRun.exe 2772 OfficeClickToRun.exe 1192 OfficeClickToRun.exe 4912 OfficeClickToRun.exe 4704 OfficeClickToRun.exe -
Suspicious use of AdjustPrivilegeToken 30 IoCs
description pid Process Token: SeDebugPrivilege 4968 DllCommonsvc.exe Token: SeDebugPrivilege 4964 powershell.exe Token: SeDebugPrivilege 4308 powershell.exe Token: SeDebugPrivilege 3992 powershell.exe Token: SeDebugPrivilege 552 powershell.exe Token: SeDebugPrivilege 1568 powershell.exe Token: SeDebugPrivilege 4164 powershell.exe Token: SeDebugPrivilege 1164 powershell.exe Token: SeDebugPrivilege 2288 powershell.exe Token: SeDebugPrivilege 640 powershell.exe Token: SeDebugPrivilege 1492 powershell.exe Token: SeDebugPrivilege 4724 powershell.exe Token: SeDebugPrivilege 4564 powershell.exe Token: SeDebugPrivilege 3904 powershell.exe Token: SeDebugPrivilege 1416 powershell.exe Token: SeDebugPrivilege 5008 powershell.exe Token: SeDebugPrivilege 3384 OfficeClickToRun.exe Token: SeDebugPrivilege 2772 OfficeClickToRun.exe Token: SeDebugPrivilege 1192 OfficeClickToRun.exe Token: SeDebugPrivilege 4912 OfficeClickToRun.exe Token: SeDebugPrivilege 4704 OfficeClickToRun.exe Token: SeDebugPrivilege 1752 OfficeClickToRun.exe Token: SeDebugPrivilege 3056 OfficeClickToRun.exe Token: SeDebugPrivilege 3436 OfficeClickToRun.exe Token: SeDebugPrivilege 4120 OfficeClickToRun.exe Token: SeDebugPrivilege 4800 OfficeClickToRun.exe Token: SeDebugPrivilege 1140 OfficeClickToRun.exe Token: SeDebugPrivilege 4208 OfficeClickToRun.exe Token: SeDebugPrivilege 4108 OfficeClickToRun.exe Token: SeDebugPrivilege 4788 OfficeClickToRun.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4936 wrote to memory of 920 4936 JaffaCakes118_714db34e8628cd69be90dc3f7d9667ead56cf36cc905953619be1a720339398d.exe 85 PID 4936 wrote to memory of 920 4936 JaffaCakes118_714db34e8628cd69be90dc3f7d9667ead56cf36cc905953619be1a720339398d.exe 85 PID 4936 wrote to memory of 920 4936 JaffaCakes118_714db34e8628cd69be90dc3f7d9667ead56cf36cc905953619be1a720339398d.exe 85 PID 920 wrote to memory of 3916 920 WScript.exe 89 PID 920 wrote to memory of 3916 920 WScript.exe 89 PID 920 wrote to memory of 3916 920 WScript.exe 89 PID 3916 wrote to memory of 4968 3916 cmd.exe 91 PID 3916 wrote to memory of 4968 3916 cmd.exe 91 PID 4968 wrote to memory of 5008 4968 DllCommonsvc.exe 137 PID 4968 wrote to memory of 5008 4968 DllCommonsvc.exe 137 PID 4968 wrote to memory of 4564 4968 DllCommonsvc.exe 138 PID 4968 wrote to memory of 4564 4968 DllCommonsvc.exe 138 PID 4968 wrote to memory of 1164 4968 DllCommonsvc.exe 139 PID 4968 wrote to memory of 1164 4968 DllCommonsvc.exe 139 PID 4968 wrote to memory of 640 4968 DllCommonsvc.exe 140 PID 4968 wrote to memory of 640 4968 DllCommonsvc.exe 140 PID 4968 wrote to memory of 1492 4968 DllCommonsvc.exe 141 PID 4968 wrote to memory of 1492 4968 DllCommonsvc.exe 141 PID 4968 wrote to memory of 552 4968 DllCommonsvc.exe 142 PID 4968 wrote to memory of 552 4968 DllCommonsvc.exe 142 PID 4968 wrote to memory of 4724 4968 DllCommonsvc.exe 143 PID 4968 wrote to memory of 4724 4968 DllCommonsvc.exe 143 PID 4968 wrote to memory of 3904 4968 DllCommonsvc.exe 144 PID 4968 wrote to memory of 3904 4968 DllCommonsvc.exe 144 PID 4968 wrote to memory of 1416 4968 DllCommonsvc.exe 145 PID 4968 wrote to memory of 1416 4968 DllCommonsvc.exe 145 PID 4968 wrote to memory of 3992 4968 DllCommonsvc.exe 146 PID 4968 wrote to memory of 3992 4968 DllCommonsvc.exe 146 PID 4968 wrote to memory of 4164 4968 DllCommonsvc.exe 147 PID 4968 wrote to memory of 4164 4968 DllCommonsvc.exe 147 PID 4968 wrote to memory of 4964 4968 DllCommonsvc.exe 148 PID 4968 wrote to memory of 4964 4968 DllCommonsvc.exe 148 PID 4968 wrote to memory of 2288 4968 DllCommonsvc.exe 149 PID 4968 wrote to memory of 2288 4968 DllCommonsvc.exe 149 PID 4968 wrote to memory of 1568 4968 DllCommonsvc.exe 150 PID 4968 wrote to memory of 1568 4968 DllCommonsvc.exe 150 PID 4968 wrote to memory of 4308 4968 DllCommonsvc.exe 151 PID 4968 wrote to memory of 4308 4968 DllCommonsvc.exe 151 PID 4968 wrote to memory of 1948 4968 DllCommonsvc.exe 166 PID 4968 wrote to memory of 1948 4968 DllCommonsvc.exe 166 PID 1948 wrote to memory of 2372 1948 cmd.exe 169 PID 1948 wrote to memory of 2372 1948 cmd.exe 169 PID 1948 wrote to memory of 3384 1948 cmd.exe 176 PID 1948 wrote to memory of 3384 1948 cmd.exe 176 PID 3384 wrote to memory of 2976 3384 OfficeClickToRun.exe 178 PID 3384 wrote to memory of 2976 3384 OfficeClickToRun.exe 178 PID 2976 wrote to memory of 4996 2976 cmd.exe 180 PID 2976 wrote to memory of 4996 2976 cmd.exe 180 PID 2976 wrote to memory of 2772 2976 cmd.exe 182 PID 2976 wrote to memory of 2772 2976 cmd.exe 182 PID 2772 wrote to memory of 4104 2772 OfficeClickToRun.exe 184 PID 2772 wrote to memory of 4104 2772 OfficeClickToRun.exe 184 PID 4104 wrote to memory of 4808 4104 cmd.exe 186 PID 4104 wrote to memory of 4808 4104 cmd.exe 186 PID 4104 wrote to memory of 1192 4104 cmd.exe 188 PID 4104 wrote to memory of 1192 4104 cmd.exe 188 PID 1192 wrote to memory of 4120 1192 OfficeClickToRun.exe 192 PID 1192 wrote to memory of 4120 1192 OfficeClickToRun.exe 192 PID 4120 wrote to memory of 4936 4120 cmd.exe 194 PID 4120 wrote to memory of 4936 4120 cmd.exe 194 PID 4120 wrote to memory of 4912 4120 cmd.exe 197 PID 4120 wrote to memory of 4912 4120 cmd.exe 197 PID 4912 wrote to memory of 4244 4912 OfficeClickToRun.exe 199 PID 4912 wrote to memory of 4244 4912 OfficeClickToRun.exe 199 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_714db34e8628cd69be90dc3f7d9667ead56cf36cc905953619be1a720339398d.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_714db34e8628cd69be90dc3f7d9667ead56cf36cc905953619be1a720339398d.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4936 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:920 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3916 -
C:\providercommon\DllCommonsvc.exe"C:\providercommon\DllCommonsvc.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4968 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5008
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\OfficeClickToRun.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4564
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PolicyDefinitions\es-ES\sihost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1164
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\System.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:640
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\fontdrvhost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1492
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Registry.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:552
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\smss.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4724
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\System.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3904
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\winlogon.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1416
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\BitLockerDiscoveryVolumeContents\spoolsv.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3992
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\dotnet\shared\services.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4164
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\My Documents\upfc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4964
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\lsass.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2288
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\Microsoft\sysmon.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1568
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\VLC\skins\fonts\SearchApp.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4308
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jqfsKFRtQc.bat"5⤵
- Suspicious use of WriteProcessMemory
PID:1948 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:26⤵PID:2372
-
-
C:\Recovery\WindowsRE\OfficeClickToRun.exe"C:\Recovery\WindowsRE\OfficeClickToRun.exe"6⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3384 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Myoa8e0eVV.bat"7⤵
- Suspicious use of WriteProcessMemory
PID:2976 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:28⤵PID:4996
-
-
C:\Recovery\WindowsRE\OfficeClickToRun.exe"C:\Recovery\WindowsRE\OfficeClickToRun.exe"8⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2772 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AJeLhFiBvb.bat"9⤵
- Suspicious use of WriteProcessMemory
PID:4104 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:210⤵PID:4808
-
-
C:\Recovery\WindowsRE\OfficeClickToRun.exe"C:\Recovery\WindowsRE\OfficeClickToRun.exe"10⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1192 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yTz6y56Ktd.bat"11⤵
- Suspicious use of WriteProcessMemory
PID:4120 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:212⤵PID:4936
-
-
C:\Recovery\WindowsRE\OfficeClickToRun.exe"C:\Recovery\WindowsRE\OfficeClickToRun.exe"12⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4912 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EzDSmeWZ76.bat"13⤵PID:4244
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:214⤵PID:1588
-
-
C:\Recovery\WindowsRE\OfficeClickToRun.exe"C:\Recovery\WindowsRE\OfficeClickToRun.exe"14⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4704 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UxOjVeUiuv.bat"15⤵PID:3344
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:216⤵PID:2332
-
-
C:\Recovery\WindowsRE\OfficeClickToRun.exe"C:\Recovery\WindowsRE\OfficeClickToRun.exe"16⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1752 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\G2aNa3Lme8.bat"17⤵PID:4100
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:218⤵PID:4740
-
-
C:\Recovery\WindowsRE\OfficeClickToRun.exe"C:\Recovery\WindowsRE\OfficeClickToRun.exe"18⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:3056 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oYNvu0ZNBR.bat"19⤵PID:2552
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:220⤵PID:720
-
-
C:\Recovery\WindowsRE\OfficeClickToRun.exe"C:\Recovery\WindowsRE\OfficeClickToRun.exe"20⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:3436 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pdW26R6SPG.bat"21⤵PID:4576
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:222⤵PID:4148
-
-
C:\Recovery\WindowsRE\OfficeClickToRun.exe"C:\Recovery\WindowsRE\OfficeClickToRun.exe"22⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4120 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sQQ1IAg9p0.bat"23⤵PID:380
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:224⤵PID:4892
-
-
C:\Recovery\WindowsRE\OfficeClickToRun.exe"C:\Recovery\WindowsRE\OfficeClickToRun.exe"24⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4800 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rZY5mW9Lj2.bat"25⤵PID:4644
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:226⤵PID:3764
-
-
C:\Recovery\WindowsRE\OfficeClickToRun.exe"C:\Recovery\WindowsRE\OfficeClickToRun.exe"26⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1140 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xHU7fKnwSZ.bat"27⤵PID:4556
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:228⤵PID:4740
-
-
C:\Recovery\WindowsRE\OfficeClickToRun.exe"C:\Recovery\WindowsRE\OfficeClickToRun.exe"28⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4208 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wRcBAgH7Mb.bat"29⤵PID:2880
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:230⤵PID:4580
-
-
C:\Recovery\WindowsRE\OfficeClickToRun.exe"C:\Recovery\WindowsRE\OfficeClickToRun.exe"30⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4108 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hevtjRcN1r.bat"31⤵PID:3680
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:232⤵PID:1280
-
-
C:\Recovery\WindowsRE\OfficeClickToRun.exe"C:\Recovery\WindowsRE\OfficeClickToRun.exe"32⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4788
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4056
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3252
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2040
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihosts" /sc MINUTE /mo 12 /tr "'C:\Windows\PolicyDefinitions\es-ES\sihost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4368
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Windows\PolicyDefinitions\es-ES\sihost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1980
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihosts" /sc MINUTE /mo 10 /tr "'C:\Windows\PolicyDefinitions\es-ES\sihost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2372
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\System.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1936
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4704
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2496
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\providercommon\fontdrvhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3136
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\providercommon\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:624
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\providercommon\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3908
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Registry.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3696
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Users\Default\Registry.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2792
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Registry.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4512
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\providercommon\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2376
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4608
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2188
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\System.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2880
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1704
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1540
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\providercommon\winlogon.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4176
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\providercommon\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3884
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\providercommon\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4876
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:884
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:684
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1068
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Program Files\dotnet\shared\services.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3408
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\dotnet\shared\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:384
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Program Files\dotnet\shared\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2912
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfcu" /sc MINUTE /mo 13 /tr "'C:\Users\Default\My Documents\upfc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:912
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Users\Default\My Documents\upfc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2928
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfcu" /sc MINUTE /mo 10 /tr "'C:\Users\Default\My Documents\upfc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3424
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:548
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3668
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:812
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmons" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\sysmon.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5060
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\sysmon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5100
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmons" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\sysmon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4880
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 9 /tr "'C:\Program Files\VideoLAN\VLC\skins\fonts\SearchApp.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3264
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\skins\fonts\SearchApp.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2432
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 7 /tr "'C:\Program Files\VideoLAN\VLC\skins\fonts\SearchApp.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4312
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5baf55b95da4a601229647f25dad12878
SHA1abc16954ebfd213733c4493fc1910164d825cac8
SHA256ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924
SHA51224f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545
-
Filesize
2KB
MD5440cb38dbee06645cc8b74d51f6e5f71
SHA1d7e61da91dc4502e9ae83281b88c1e48584edb7c
SHA2568ef7a682dfd99ff5b7e9de0e1be43f0016d68695a43c33c028af2635cc15ecfe
SHA5123aab19578535e6ba0f6beb5690c87d970292100704209d2dcebddcdd46c6bead27588ef5d98729bfd50606a54cc1edf608b3d15bef42c13b9982aaaf15de7fd6
-
Filesize
944B
MD56d3e9c29fe44e90aae6ed30ccf799ca8
SHA1c7974ef72264bbdf13a2793ccf1aed11bc565dce
SHA2562360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d
SHA51260c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a
-
Filesize
944B
MD5d28a889fd956d5cb3accfbaf1143eb6f
SHA1157ba54b365341f8ff06707d996b3635da8446f7
SHA25621e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45
SHA5120b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c
-
Filesize
944B
MD52e907f77659a6601fcc408274894da2e
SHA19f5b72abef1cd7145bf37547cdb1b9254b4efe9d
SHA256385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233
SHA51234fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721
-
Filesize
944B
MD559d97011e091004eaffb9816aa0b9abd
SHA11602a56b01dd4b7c577ca27d3117e4bcc1aa657b
SHA25618f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d
SHA512d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6
-
Filesize
944B
MD5bd5940f08d0be56e65e5f2aaf47c538e
SHA1d7e31b87866e5e383ab5499da64aba50f03e8443
SHA2562d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6
SHA512c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406
-
Filesize
944B
MD53a6bad9528f8e23fb5c77fbd81fa28e8
SHA1f127317c3bc6407f536c0f0600dcbcf1aabfba36
SHA256986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05
SHA512846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2
-
Filesize
944B
MD5cadef9abd087803c630df65264a6c81c
SHA1babbf3636c347c8727c35f3eef2ee643dbcc4bd2
SHA256cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438
SHA5127278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085
-
Filesize
207B
MD5d6768ed6ec5a1613551bd4c95b72d9f2
SHA1adce47d8d6da4f3227ebfb247636acfd9aac6ec5
SHA256c9c643c38e6f0913cc5fc1918942b742424c0944ddb68ae7d7bf6c4c0903bc8a
SHA512ccec89e8aa516eb63d0451e2e0bcca3643d79ad65decf8f3bc2b973b341c2e031d17ec470011d0c752236e002dc51c80b053c66a8c73cfe255bec4ded001df9b
-
Filesize
207B
MD5f694b283c2446f4790527babf5b2cba4
SHA17509fde03d722f0c61b69e47130e89ea49a32177
SHA256b369254f8886fa19e0c39b098e7afe0546bdfdb5d6c383ed2a6f224002bc899b
SHA512d9e8c07fbc76e6b6a273770328d6979ddc4b151bfcacd802293ad9c526c9de06d807e5b32bb86715492aa21949892c0960b6c772b7855049846aca25c8789021
-
Filesize
207B
MD55a467cd6a37e14c026195493999406cc
SHA1c2f45f739228ea7f4314c189d017e52f6bc56881
SHA256c0f23fa19e571a45a82194364866a4bf5b7e3a0c08aa26527a70dbfb4e117120
SHA51265787b50f8bd79759959bde790c16dcdf8dd99f190950c71b0012096056e4b951d28e58d7d4ae4e753117917ac89047b6cbcffc620a19fae4d4b0a6baf42af45
-
Filesize
207B
MD5f51654c01ffff901a43f38d5a5462ee4
SHA13f145fec15c92e05b33703360af15275e961753b
SHA256747e89784a9c4b0dfcde36dbb185c9e35aaeedb3c51ab5517a6f83899243170d
SHA512f7392c6c6973c5e1f0814790fb4d1ec3277803ad96e068937cf11625dfc01aa8ae2d4c70ab9b9374c8bdbc6a9b9c081193dca58783786153fcf2669d9e580221
-
Filesize
207B
MD5b083aee5b85d9c000b165ed7ee7fb6b9
SHA109b7c30c433ced622cd2a6e29d13a4e943003f44
SHA256756ffefb9e2a0a6f5ff0c3851fb2a835bc635d117c0b5312b0d6ddaf067d32a6
SHA512f237946df4f8b8bce1bc91dbe9c5eb59b05b06d6dc8005a4853f3b682e53f23c1762ea0a0e92da1ad3fb019254ecefddf38593d212937b4e88c9f877268cc08b
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
207B
MD5e3bcde402154c0c125d886657d8077ca
SHA17364e4b0b82fb66b250753f8f6621e0c85b78db2
SHA25651923ed2a9b4a756c8024702d1b619e918f1c21a72c8b44c3a89cd3fd48387f4
SHA5129648bdd9f1e0039538563888b8ae57af10deacc62e2ccb61754888376e2046410ca0ccb0f5c34a0bc5eb1c02e50d249d3e27e68f8f8aff9f300141e8877034fb
-
Filesize
207B
MD572680b49285fe7cde2eea5ba996a4e87
SHA122f331ea1769a1e6b2006f32affcf6535790a7c7
SHA25667bfe04bed8c70a67f9592d7db484611cbf3070f6ea7c4c42140838eb54408d8
SHA512da1f8c83f5cfd423e97fa484cbb40982f1e775d70f56273e54fb6fd426ff067ce10f28f8400d0b3e68bb7e2e130bdbf83870966bbcf26082a41f22e2bbf42cb9
-
Filesize
207B
MD5e9ad2879f1a1dd6d3b3592e66f93e633
SHA150a4ee78130b1feca69987b1513bd6e24359e4ef
SHA2563f7d0f2af1990711ac4fd79f7ed122a6243759e486299f4ff7da5cb39ba25d88
SHA512780472600f69f17c9b2f1e9388cf352ae7f992c44f123fad7e79540713f3f776ec85098f8eee0ef0058f7487210fca30cc3b0b27081ee5f02c69abeb1fa21bdf
-
Filesize
207B
MD55a2c4629ff1d43def21cd71ae9589220
SHA1756fe8377f95471dd156161e9ee4071584178966
SHA25653339beb6190f997e88125813a55de69dd6dfe07c037f5a5f4475ae8b43da048
SHA512f5b136862868483003caf7b24946022d1ea3d84fd01ab1f29293dfe4738540e60b6a203ee348654c5e9880e9e326a19100f40ac217258419bcd00714ddc2fdbc
-
Filesize
207B
MD594b08ecd572beea5eb030af37ac5d9d6
SHA118f0c626fe65739e475e5957a61e2796a5d97b8c
SHA2567519d43d8f23319e955263f9d871470a9f0bd518d776d982809e13740dcfd16f
SHA5120fe0ce39acdc84792fcfb5d21c7fbeb501c178cda188db0df53df195ae9743783ddeeb824233630c3157a921d67b7eee24f1e64516e9d78d17f85f4eb6c2ebdb
-
Filesize
207B
MD57b62ec1453cfbc08041144165d6316e5
SHA1e421dc1d98a6afe8184f787fba4ad3afd1cf1270
SHA2564da5372a411d21bfb48682c295cef535f2ee009d5fd06ca63f72f8a7fa612f86
SHA5124945db4b8ae8b8b7f0b2423413e47d6cdc5a1fc60b455fe572254532c9cf2e72cce158b0685b51422ed04dbc5bb40a31dbc7891ddcade268ac52aba558d93c1d
-
Filesize
207B
MD51e35cf143c5288ce90635616af4c9b53
SHA15b6f2d561e07920fb700b8bb0c6dcc443f1849c1
SHA256a6b9ff41ded9aad11431bc13f66800ef73f34756906736aced8b602308911957
SHA512997551d3b4dbdff1f5d95691cf9d15e878c4672db0999f7c084ed9b4dbfd6f3efcdd96f788bf9b441c1acba23c2f9fc59356c2980db85f7092b0e14bb8f7ba8e
-
Filesize
207B
MD58946cf10e6141ae2ce09761ee7fcfdf8
SHA1d0a53327924e0bce5898c19f6cfd8452d39d99d9
SHA256fcf80da6738f7242320938475961ca2925ec0d0c1b1adff0112bd4a509ba76ea
SHA5123a81db958d6d8d60a6bf7439b4224f91e906b2f04b1959ab05084623452cff78858e68b6e340ceaeefbd5b1204d0cd61df77fda3009d1ab593e3d11b81eda82f
-
Filesize
207B
MD5678ba90d0f6c7790325ccbc777a3e9c5
SHA1a9dd568590d972ed549e9efc729e8db4fc95f89a
SHA2562defa7f7cddd2cc95986551562a97801304d89b6a902d71c136b1792b1ad3ba7
SHA512fb2de6fd590fdd224463ec0cf1758623c97b8809b09420aba140b8cd3d5388920f43bfe4c8a0fc145d3656d601672b9784f58300358bf919b181ea58b5106fd6
-
Filesize
36B
MD56783c3ee07c7d151ceac57f1f9c8bed7
SHA117468f98f95bf504cc1f83c49e49a78526b3ea03
SHA2568ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8
-
Filesize
1.0MB
MD5bd31e94b4143c4ce49c17d3af46bcad0
SHA1f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
Filesize
197B
MD58088241160261560a02c84025d107592
SHA1083121f7027557570994c9fc211df61730455bb5
SHA2562072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA51220d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478