Analysis
Max time kernel: 148s
Max time network: 150s
Platform: windows10-2004_x64
Resource: win10v2004-20241007-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 21-12-2024 21:21
Behavioral task: behavioral1
  Sample: JaffaCakes118_906917d2c4c796abf6ebf5371c4f2e82eaba54631370ee9b3824f296ddc253f0.exe
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: JaffaCakes118_906917d2c4c796abf6ebf5371c4f2e82eaba54631370ee9b3824f296ddc253f0.exe
  Resource: win10v2004-20241007-en
General
Target: JaffaCakes118_906917d2c4c796abf6ebf5371c4f2e82eaba54631370ee9b3824f296ddc253f0.exe
Size: 1.3MB
MD5: 3b2f49271a249736b26e909d0709b0b7
SHA1: 09be02d46117068a2ec875a97a05664fcb73f408
SHA256: 906917d2c4c796abf6ebf5371c4f2e82eaba54631370ee9b3824f296ddc253f0
SHA512: 5944e1fb52b02a5ddaf84de47a3bf30c4178270ce0a61914b29020876ecfab6ec28411dfa15e0bff85ef227061c5f690a3c6635072aed28cda9dd69a041e0a5c
SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.
Dcrat family
Process spawned unexpected child process (48 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.

| Description | pid | pid_target | Process | procid_target |
|---|---|---|---|---|
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1928 | 3672 | schtasks.exe | 86 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1212 | 3672 | schtasks.exe | 86 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4936 | 3672 | schtasks.exe | 86 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4844 | 3672 | schtasks.exe | 86 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2932 | 3672 | schtasks.exe | 86 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3244 | 3672 | schtasks.exe | 86 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2020 | 3672 | schtasks.exe | 86 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3752 | 3672 | schtasks.exe | 86 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4692 | 3672 | schtasks.exe | 86 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 732 | 3672 | schtasks.exe | 86 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3512 | 3672 | schtasks.exe | 86 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 468 | 3672 | schtasks.exe | 86 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1860 | 3672 | schtasks.exe | 86 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3656 | 3672 | schtasks.exe | 86 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4912 | 3672 | schtasks.exe | 86 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2620 | 3672 | schtasks.exe | 86 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2124 | 3672 | schtasks.exe | 86 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2848 | 3672 | schtasks.exe | 86 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3960 | 3672 | schtasks.exe | 86 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3720 | 3672 | schtasks.exe | 86 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4724 | 3672 | schtasks.exe | 86 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4852 | 3672 | schtasks.exe | 86 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4580 | 3672 | schtasks.exe | 86 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 776 | 3672 | schtasks.exe | 86 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 944 | 3672 | schtasks.exe | 86 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 216 | 3672 | schtasks.exe | 86 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4732 | 3672 | schtasks.exe | 86 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 5072 | 3672 | schtasks.exe | 86 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4444 | 3672 | schtasks.exe | 86 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 436 | 3672 | schtasks.exe | 86 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2900 | 3672 | schtasks.exe | 86 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2876 | 3672 | schtasks.exe | 86 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1668 | 3672 | schtasks.exe | 86 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1548 | 3672 | schtasks.exe | 86 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3308 | 3672 | schtasks.exe | 86 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 5064 | 3672 | schtasks.exe | 86 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4316 | 3672 | schtasks.exe | 86 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 316 | 3672 | schtasks.exe | 86 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3868 | 3672 | schtasks.exe | 86 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2188 | 3672 | schtasks.exe | 86 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2892 | 3672 | schtasks.exe | 86 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3264 | 3672 | schtasks.exe | 86 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2780 | 3672 | schtasks.exe | 86 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1264 | 3672 | schtasks.exe | 86 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1372 | 3672 | schtasks.exe | 86 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2156 | 3672 | schtasks.exe | 86 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4532 | 3672 | schtasks.exe | 86 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1188 | 3672 | schtasks.exe | 86 |
| Resource | YARA rule |
|---|---|
| behavioral2/files/0x0008000000023bf9-10.dat | dcrat |
| behavioral2/memory/2944-13-0x00000000000D0000-0x00000000001E0000-memory.dmp | dcrat |
Command and Scripting Interpreter: PowerShell (1 TTPs, 17 IoCs)
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
Checks computer location settings (2 TTPs, 16 IoCs)
Looks up the country code configured in the registry, likely for geofencing.
Executes dropped EXE (14 IoCs)
Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 14 IoCs)

| Flow | IoC |
|---|---|
| 21 | raw.githubusercontent.com |
| 38 | raw.githubusercontent.com |
| 45 | raw.githubusercontent.com |
| 22 | raw.githubusercontent.com |
| 39 | raw.githubusercontent.com |
| 54 | raw.githubusercontent.com |
| 55 | raw.githubusercontent.com |
| 44 | raw.githubusercontent.com |
| 52 | raw.githubusercontent.com |
| 56 | raw.githubusercontent.com |
| 37 | raw.githubusercontent.com |
| 40 | raw.githubusercontent.com |
| 53 | raw.githubusercontent.com |
| 57 | raw.githubusercontent.com |
Drops file in Program Files directory (11 IoCs)

| Description | IoC | Process |
|---|---|---|
| File created | C:\Program Files\MSBuild\9e8d7a4ca61bd9 | DllCommonsvc.exe |
| File created | C:\Program Files (x86)\Internet Explorer\it-IT\spoolsv.exe | DllCommonsvc.exe |
| File created | C:\Program Files (x86)\Internet Explorer\it-IT\f3b6ecef712a24 | DllCommonsvc.exe |
| File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\7a0fd90576e088 | DllCommonsvc.exe |
| File created | C:\Program Files\MSBuild\RuntimeBroker.exe | DllCommonsvc.exe |
| File created | C:\Program Files (x86)\Windows Media Player\en-US\fontdrvhost.exe | DllCommonsvc.exe |
| File created | C:\Program Files (x86)\Windows Media Player\en-US\5b884080fd4f94 | DllCommonsvc.exe |
| File created | C:\Program Files\Uninstall Information\RuntimeBroker.exe | DllCommonsvc.exe |
| File created | C:\Program Files\Uninstall Information\9e8d7a4ca61bd9 | DllCommonsvc.exe |
| File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\explorer.exe | DllCommonsvc.exe |
| File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\explorer.exe | DllCommonsvc.exe |
Drops file in Windows directory (4 IoCs)

| Description | IoC | Process |
|---|---|---|
| File created | C:\Windows\Sun\Java\Deployment\sysmon.exe | DllCommonsvc.exe |
| File created | C:\Windows\Sun\Java\Deployment\121e5b5079f7c0 | DllCommonsvc.exe |
| File created | C:\Windows\Offline Web Pages\sppsvc.exe | DllCommonsvc.exe |
| File created | C:\Windows\Offline Web Pages\0a1fd5f707cd16 | DllCommonsvc.exe |
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

| Description | IoC | Process |
|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_906917d2c4c796abf6ebf5371c4f2e82eaba54631370ee9b3824f296ddc253f0.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe |
Modifies registry class (15 IoCs)
Scheduled Task/Job: Scheduled Task (1 TTPs, 48 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious use of AdjustPrivilegeToken (31 IoCs)
Suspicious use of WriteProcessMemory (64 IoCs)
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_906917d2c4c796abf6ebf5371c4f2e82eaba54631370ee9b3824f296ddc253f0.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_906917d2c4c796abf6ebf5371c4f2e82eaba54631370ee9b3824f296ddc253f0.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:512 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4796 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5040 -
C:\providercommon\DllCommonsvc.exe"C:\providercommon\DllCommonsvc.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2944 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1124
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\explorer.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3588
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\RuntimeBroker.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:736
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\sysmon.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4900
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\it-IT\spoolsv.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1288
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Media Player\en-US\fontdrvhost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3676
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Sun\Java\Deployment\sysmon.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:412
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\csrss.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4236
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Offline Web Pages\sppsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3784
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\System.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5084
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\winlogon.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:1904
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\ssh\RuntimeBroker.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:3880
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\dllhost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:392
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\fontdrvhost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4800
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\conhost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:4004
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\RuntimeBroker.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1120
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\sppsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:3300
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nOXMgtbINX.bat"5⤵
- Suspicious use of WriteProcessMemory
PID:4584 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:26⤵PID:2860
-
-
C:\Users\Default User\winlogon.exe"C:\Users\Default User\winlogon.exe"6⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2148 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rE1HJofSUb.bat"7⤵
- Suspicious use of WriteProcessMemory
PID:3264 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:28⤵PID:2064
-
-
C:\Users\Default User\winlogon.exe"C:\Users\Default User\winlogon.exe"8⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:532 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kQw8FYVnXF.bat"9⤵
- Suspicious use of WriteProcessMemory
PID:1820 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:210⤵PID:4336
-
-
C:\Users\Default User\winlogon.exe"C:\Users\Default User\winlogon.exe"10⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1000 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bhowVEGEG8.bat"11⤵
- Suspicious use of WriteProcessMemory
PID:3060
-
C:\Windows\system32\w32tm.exe (depth 12)
  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID:980
-
C:\Users\Default User\winlogon.exe (depth 12)
  "C:\Users\Default User\winlogon.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  PID:5064
-
C:\Windows\System32\cmd.exe (depth 13)
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mMyBvdYgq2.bat"
  PID:1888
-
C:\Windows\system32\w32tm.exe (depth 14)
  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID:4520
-
C:\Users\Default User\winlogon.exe (depth 14)
  "C:\Users\Default User\winlogon.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  PID:2160
-
C:\Windows\System32\cmd.exe (depth 15)
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MpmmxgpAh8.bat"
  PID:4296
-
C:\Windows\system32\w32tm.exe (depth 16)
  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID:3132
-
C:\Users\Default User\winlogon.exe (depth 16)
  "C:\Users\Default User\winlogon.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  PID:3832
-
C:\Windows\System32\cmd.exe (depth 17)
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cSLzsZ1i8q.bat"
  PID:1368
-
C:\Windows\system32\w32tm.exe (depth 18)
  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID:1732
-
C:\Users\Default User\winlogon.exe (depth 18)
  "C:\Users\Default User\winlogon.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  PID:624
-
C:\Windows\System32\cmd.exe (depth 19)
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pI0EcicZAo.bat"
  PID:2140
-
C:\Windows\system32\w32tm.exe (depth 20)
  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID:4808
-
C:\Users\Default User\winlogon.exe (depth 20)
  "C:\Users\Default User\winlogon.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  PID:3884
-
C:\Windows\System32\cmd.exe (depth 21)
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Cu9aubHCzw.bat"
  PID:2392
-
C:\Windows\system32\w32tm.exe (depth 22)
  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID:2904
-
C:\Users\Default User\winlogon.exe (depth 22)
  "C:\Users\Default User\winlogon.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  PID:1680
-
C:\Windows\System32\cmd.exe (depth 23)
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Pkopelt31u.bat"
  PID:5068
-
C:\Windows\system32\w32tm.exe (depth 24)
  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID:1352
-
C:\Users\Default User\winlogon.exe (depth 24)
  "C:\Users\Default User\winlogon.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  PID:4040
-
C:\Windows\System32\cmd.exe (depth 25)
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nDq7RH5Uwz.bat"
  PID:4848
-
C:\Windows\system32\w32tm.exe (depth 26)
  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID:2016
-
C:\Users\Default User\winlogon.exe (depth 26)
  "C:\Users\Default User\winlogon.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  PID:4652
-
C:\Windows\System32\cmd.exe (depth 27)
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Pbgl9PPr7s.bat"
  PID:2312
-
C:\Windows\system32\w32tm.exe (depth 28)
  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID:4832
-
C:\Users\Default User\winlogon.exe (depth 28)
  "C:\Users\Default User\winlogon.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  PID:5084
-
C:\Windows\System32\cmd.exe (depth 29)
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bhowVEGEG8.bat"
  PID:824
-
C:\Windows\system32\w32tm.exe (depth 30)
  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID:3376
-
C:\Users\Default User\winlogon.exe (depth 30)
  "C:\Users\Default User\winlogon.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  PID:5008
-
C:\Windows\System32\cmd.exe (depth 31)
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uLZJId2lFR.bat"
  PID:2032
-
C:\Windows\system32\w32tm.exe (depth 32)
  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID:4756
-
C:\Windows\system32\schtasks.exe (depth 1)
  schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\explorer.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:1928
-
C:\Windows\system32\schtasks.exe (depth 1)
  schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\explorer.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:1212
-
C:\Windows\system32\schtasks.exe (depth 1)
  schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\explorer.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:4936
-
C:\Windows\system32\schtasks.exe (depth 1)
  schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Program Files\MSBuild\RuntimeBroker.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:4844
-
C:\Windows\system32\schtasks.exe (depth 1)
  schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\MSBuild\RuntimeBroker.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:2932
-
C:\Windows\system32\schtasks.exe (depth 1)
  schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Program Files\MSBuild\RuntimeBroker.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:3244
-
C:\Windows\system32\schtasks.exe (depth 1)
  schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\sysmon.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:2020
-
C:\Windows\system32\schtasks.exe (depth 1)
  schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Users\Default User\sysmon.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:3752
-
C:\Windows\system32\schtasks.exe (depth 1)
  schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\sysmon.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:4692
-
C:\Windows\system32\schtasks.exe (depth 1)
  schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\spoolsv.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:732
-
C:\Windows\system32\schtasks.exe (depth 1)
  schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\spoolsv.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:3512
-
C:\Windows\system32\schtasks.exe (depth 1)
  schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\spoolsv.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:468
-
C:\Windows\system32\schtasks.exe (depth 1)
  schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Media Player\en-US\fontdrvhost.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:1860
-
C:\Windows\system32\schtasks.exe (depth 1)
  schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\en-US\fontdrvhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:3656
-
C:\Windows\system32\schtasks.exe (depth 1)
  schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Media Player\en-US\fontdrvhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:4912
-
C:\Windows\system32\schtasks.exe (depth 1)
  schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 5 /tr "'C:\Windows\Sun\Java\Deployment\sysmon.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:2620
-
C:\Windows\system32\schtasks.exe (depth 1)
  schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Windows\Sun\Java\Deployment\sysmon.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:2124
-
C:\Windows\system32\schtasks.exe (depth 1)
  schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 8 /tr "'C:\Windows\Sun\Java\Deployment\sysmon.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:2848
-
C:\Windows\system32\schtasks.exe (depth 1)
  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:3960
-
C:\Windows\system32\schtasks.exe (depth 1)
  schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:3720
-
C:\Windows\system32\schtasks.exe (depth 1)
  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:4724
-
C:\Windows\system32\schtasks.exe (depth 1)
  schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Windows\Offline Web Pages\sppsvc.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:4852
-
C:\Windows\system32\schtasks.exe (depth 1)
  schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\Offline Web Pages\sppsvc.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:4580
-
C:\Windows\system32\schtasks.exe (depth 1)
  schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Windows\Offline Web Pages\sppsvc.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:776
-
C:\Windows\system32\schtasks.exe (depth 1)
  schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\providercommon\System.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:944
-
C:\Windows\system32\schtasks.exe (depth 1)
  schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:216
-
C:\Windows\system32\schtasks.exe (depth 1)
  schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:4732
-
C:\Windows\system32\schtasks.exe (depth 1)
  schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\winlogon.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:5072
-
C:\Windows\system32\schtasks.exe (depth 1)
  schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Default User\winlogon.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:4444
-
C:\Windows\system32\schtasks.exe (depth 1)
  schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\winlogon.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:436
-
C:\Windows\system32\schtasks.exe (depth 1)
  schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\ssh\RuntimeBroker.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:2900
-
C:\Windows\system32\schtasks.exe (depth 1)
  schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\All Users\ssh\RuntimeBroker.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:2876
-
C:\Windows\system32\schtasks.exe (depth 1)
  schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\ssh\RuntimeBroker.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:1668
-
C:\Windows\system32\schtasks.exe (depth 1)
  schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:1548
-
C:\Windows\system32\schtasks.exe (depth 1)
  schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:3308
-
C:\Windows\system32\schtasks.exe (depth 1)
  schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:5064
-
C:\Windows\system32\schtasks.exe (depth 1)
  schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\providercommon\fontdrvhost.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:4316
-
C:\Windows\system32\schtasks.exe (depth 1)
  schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\providercommon\fontdrvhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:316
-
C:\Windows\system32\schtasks.exe (depth 1)
  schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\providercommon\fontdrvhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:3868
-
C:\Windows\system32\schtasks.exe (depth 1)
  schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:2188
-
C:\Windows\system32\schtasks.exe (depth 1)
  schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:2892
-
C:\Windows\system32\schtasks.exe (depth 1)
  schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:3264
-
C:\Windows\system32\schtasks.exe (depth 1)
  schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Program Files\Uninstall Information\RuntimeBroker.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:2780
-
C:\Windows\system32\schtasks.exe (depth 1)
  schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\RuntimeBroker.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:1264
-
C:\Windows\system32\schtasks.exe (depth 1)
  schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Program Files\Uninstall Information\RuntimeBroker.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:1372
-
C:\Windows\system32\schtasks.exe (depth 1)
  schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:2156
-
C:\Windows\system32\schtasks.exe (depth 1)
  schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:1188
-
C:\Windows\system32\schtasks.exe (depth 1)
  schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:4532
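The 48 schtasks entries above, and the cmd /C bat, w32tm, winlogon.exe relaunch chain before them, are what a responder turns into detection logic. The Python below is an added example, not part of this sandbox report or of any tool it names. It parses a handful of command lines copied from this page (constructed sample input), flags every task whose target borrows a Windows process name but lives outside that process's real directory (the LEGIT_HOMES allow-list is this example's assumption), groups tasks per dropped binary so the three-tasks-per-binary pattern visible above (MINUTE, ONLOGON with /rl HIGHEST, MINUTE with /rl HIGHEST) stands out, and reads the w32tm /stripchart call as the delay a batch file uses it for.

```python
"""Triage of the schtasks and batch-relaunch command lines in this report.
Added example, not part of the sandbox report or of any tool it names. The
sample command lines are copied from the process tree above; LEGIT_HOMES is
this example's own assumption about where each borrowed name really lives."""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed sample input: three of the 48 schtasks entries above (one full
# triplet), two tasks from other triplets, one w32tm call, one winlogon launch.
SAMPLE_CMDLINES = [
    r"""schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\explorer.exe'" /f""",
    r"""schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\explorer.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\explorer.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Default User\winlogon.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f""",
    r"w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2",
    r'"C:\Users\Default User\winlogon.exe"',
]

# Assumed allow-list, lower-cased: the directories the real binary of each
# name ships in on Windows 10. "System" is the kernel pseudo-process and is
# never an .exe on disk, so System.exe has no legitimate home at all.
LEGIT_HOMES = {
    "winlogon.exe": {r"c:\windows\system32"},
    "csrss.exe": {r"c:\windows\system32"},
    "conhost.exe": {r"c:\windows\system32"},
    "runtimebroker.exe": {r"c:\windows\system32"},
    "spoolsv.exe": {r"c:\windows\system32"},
    "fontdrvhost.exe": {r"c:\windows\system32"},
    "sppsvc.exe": {r"c:\windows\system32"},
    "dllhost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "explorer.exe": {r"c:\windows", r"c:\windows\syswow64"},
    "sysmon.exe": {r"c:\windows"},  # Sysinternals default install dir (assumption)
    "system.exe": set(),
}

TASK_RE = re.compile(
    r'/tn\s+"(?P<name>[^"]+)"\s+/sc\s+(?P<sched>\S+)(?:\s+/mo\s+(?P<mo>\d+))?'
    r"\s+/tr\s+\"'(?P<target>[^']+)'\"(?:\s+/rl\s+(?P<rl>\S+))?",
    re.IGNORECASE,
)
W32TM_RE = re.compile(
    r"\bw32tm(?:\.exe)?\s+/stripchart\b.*?/period:(?P<period>\d+).*?/samples:(?P<samples>\d+)",
    re.IGNORECASE,
)


def parse_task(cmdline):
    """Fields of a `schtasks /create` command line, or None for anything else."""
    m = TASK_RE.search(cmdline)
    if not m:
        return None
    return {
        "name": m["name"],
        "sched": m["sched"].upper(),
        "interval_min": int(m["mo"]) if m["mo"] else None,
        "target": m["target"],
        "highest": (m["rl"] or "").upper() == "HIGHEST",
        "cmdline": cmdline,
    }


def task_findings(task):
    """Masquerade (known name, wrong directory) is the decisive signal; the rest is context."""
    path = PureWindowsPath(task["target"])
    name, home = path.name.lower(), str(path.parent).lower()
    masquerade = name in LEGIT_HOMES and home not in LEGIT_HOMES[name]
    reasons = []
    if masquerade:
        reasons.append(f"{path.name} started from {path.parent}, not its system directory")
    if task["highest"]:
        reasons.append("/rl HIGHEST: runs with the creator's highest available privileges")
    if task["sched"] == "MINUTE" and task["interval_min"] is not None:
        reasons.append(f"re-launched every {task['interval_min']} minutes")
    elif task["sched"] == "ONLOGON":
        reasons.append("re-launched at every logon")
    # Every /tr on this page is written "'path'" (single quotes inside double);
    # that wrapping alone is a cheap string indicator for this builder's output.
    return {"masquerade": masquerade, "odd_quoting": "/tr \"'" in task["cmdline"], "reasons": reasons}


def w32tm_delay_seconds(cmdline):
    """w32tm /stripchart as a sleep substitute: samples are /period seconds apart,
    so the call blocks for roughly period * (samples - 1) seconds."""
    m = W32TM_RE.search(cmdline)
    if not m:
        return None
    return int(m["period"]) * max(int(m["samples"]) - 1, 0)


def persistence_sets(cmdlines):
    """Tasks grouped by lower-cased target: exposes the three-tasks-per-binary pattern."""
    groups = defaultdict(list)
    for task in filter(None, map(parse_task, cmdlines)):
        groups[task["target"].lower()].append(task)
    return dict(groups)


def triage(cmdlines):
    """Summary counts for a list of command lines."""
    tasks = list(filter(None, map(parse_task, cmdlines)))
    findings = [task_findings(t) for t in tasks]
    return {
        "task_count": len(tasks),
        "masquerading": sum(f["masquerade"] for f in findings),
        "odd_quoting": sum(f["odd_quoting"] for f in findings),
        "binaries": sorted(persistence_sets(cmdlines)),
        "sleep_seconds": [s for s in map(w32tm_delay_seconds, cmdlines) if s is not None],
    }


if __name__ == "__main__":
    for target, tasks in persistence_sets(SAMPLE_CMDLINES).items():
        print(target)
        for t in tasks:
            print(f'  {t["name"]:<12} {t["sched"]:<8} ' + "; ".join(task_findings(t)["reasons"]))
    print(triage(SAMPLE_CMDLINES))
```

Feeding it the full list of 48 command lines above yields 16 distinct targets, three tasks each, and every target flagged as a masquerade; a task pointing at C:\Windows\System32\winlogon.exe is parsed the same way but produces no masquerade finding, which is the check that keeps the rule from firing on the genuine binaries.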
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
2KB
MD5
d85ba6ff808d9e5444a4b369f5bc2730
SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
1KB
MD5
baf55b95da4a601229647f25dad12878
SHA1
abc16954ebfd213733c4493fc1910164d825cac8
SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924
SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545
-
Filesize
944B
MD5
6d3e9c29fe44e90aae6ed30ccf799ca8
SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce
SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d
SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a
-
Filesize
944B
MD5
3a6bad9528f8e23fb5c77fbd81fa28e8
SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36
SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05
SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2
-
Filesize
944B
MD5
22fbec4acba323d04079a263526cef3c
SHA1
eb8dd0042c6a3f20087a7d2391eaf48121f98740
SHA256
020e5d769893724f075e10b01c59bf2424214cefe6aafbab6f44bc700f525c40
SHA512
fb61d737de8cbed6b7d8b5a35911c46ef26a2927a52ed7add9d594cf19dcab1b9978b61912c6f3fe4f29228f4454fb022fb2e167788c727dc6503c1fcd42159e
-
Filesize
944B
MD5
cadef9abd087803c630df65264a6c81c
SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2
SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438
SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085
-
Filesize
944B
MD5
bd5940f08d0be56e65e5f2aaf47c538e
SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443
SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6
SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406
-
Filesize
120B
MD5
d880eb32227ec8b4dc9f4c3c07030c8a
SHA1
96fb1579ea3fad14d856c1d444dcf0958dc28019
SHA256
9c64cc23874bcd11b4888e153881ed08da7b8575b01d6709b9b57b677b95a631
SHA512
cd5070b8d80d7407ccbecd9a0e8d0a81b23485304318d5174b39d90aa0c4d16ce4b380d4d37bd38be027428d9fb89a5c0677fb2b93f443347bc682493b94f880
-
Filesize
199B
MD5
1a98116fc655ee0d7fabe04d08bb62db
SHA1
2ec7be140a8286ec880fc4a60a1c4685a798ea99
SHA256
01e33320cfd92173a3c6e44176a1765986e91ad207c1fcac8df89fb21ce0f0f0
SHA512
a07b3dab340b1d36c2ffcf970fe7eb9863102f19211b8d8999cb5b0c34eaf9d6075570f6b842c9380c9b72177ef57a9692c993b66ab8fed910a3b2cc61806641
-
Filesize
199B
MD5
4cc93fd39c42deb6aa3dbbad4ff9adf6
SHA1
9a9f08179a35e90007e20b8a7de057c32a525420
SHA256
923c46d1fbf34bb178ae797a3c6dbc11858c5a6ada539674ca71ddb88f0c5050
SHA512
f7d712b3d0d06f3338c4e89ff3c0aaec8562963b7004b6fa17793c2dda20eda308c9a0cdec78cbd26ee69fb418c65ef55adcb1189e75c58a7580f65ffcbd6ac7
-
Filesize
199B
MD5
984f6da126903dbac00d857185653ab6
SHA1
88909160c440e601f25b79f2796fd92971a92fab
SHA256
c2c79ad2daa3578812c768c69b8ade7d22eab50f472a395f235d73b387b970e0
SHA512
e817b7dd7753cf6816e57f54206a73705b9c2aa9cd7aef85838c3576b5469d77ebb61b69f508a1e68402bb58f8557d896278a6e6a4f98ce2d5d3da19f7a64d55
-
Filesize
199B
MD5
0db64d5597c0ea7227a74d79321b4a7f
SHA1
718c6e6dd74934a947b2fc9c6875b5a95b90e675
SHA256
ba04917baf5577e60a86cb4c92922cbb809afe105e712022f00b73e7161f1703
SHA512
5c02d25c951f489e12509664eb01faeae49323df118ef500c576c498baef4200fdf8cf01dee9dc088c05207d8647591117b160a6aa7c922b64179d722a114bdc
-
Filesize
60B
MD5
d17fe0a3f47be24a6453e9ef58c94641
SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
199B
MD5
1017922763f300c4f153bd527b6b3412
SHA1
aaccac15a8b6c1a3c11687f530da71d4943c19f3
SHA256
351b2cdd0d3ff7723d7e38b0c38081b9e98674577bea53c92ea1ef9c62672ad2
SHA512
f40e2621a761f481a07dee04430c5bc93b2d14a388328cde882ad8ede1a021c6242c0915ffb97afa874a56a65d9b3494c540658bc3ea4f5acf82a3be7693ebef
-
Filesize
199B
MD5
d07be5754ee4bc02d704fd0d4533e2f8
SHA1
916c8e9872651c9124e72dddba7902bdc4345ea4
SHA256
b8b0410196603f61a4265c48b2718dfbb61a5207976015c2c6fb0c6106af3144
SHA512
be1896fe7416a7725319d892b63f6e042eae50feae554becc63c934bedd95db36d25ba5e273adc552791ae65bd4d2761a0eda9e0c246c5d92e9659a04ab11f9c
-
Filesize
199B
MD5
ecc15e93be0b53703bff29fdc3a586ab
SHA1
c060bed0e395793468c38e14b6281dee3d06905f
SHA256
88e5614c96c780f1b45363ebb64af4d20c4d39e1227a36d120af2d4972e53d2c
SHA512
7eb979f6b53d6bcb9f4ca748390ec5f771c50f283e09ec3da2d32733f006a166b766eeb491f6ed63d49df8dd860f17c0241dbd5df035b5aae1caf68147b4efd9
-
Filesize
199B
MD5
3fbbc25b45e240dcc9f1564c8f3b2d11
SHA1
5e36b73fa7ed832c1612d1beabedff89560257aa
SHA256
db748f48cf35a5c3b5b584d73521bf8e6354dd1cefa16270709506e997421d50
SHA512
8be029593533ff4d4f3b58a58e441aae2ad1d003ea4d990ea79a72fc7106cc94795bf5143f98a733d104704c959322f08b19eaffad36d1d9688e05c8c18eaf28
-
Filesize
199B
MD5
0a830dee36402daaeca4cfbbfad5d7e3
SHA1
65665eb58dc405e8d361419ea13b4e36aba1f3a5
SHA256
fd3cab42ca4bffa702428473809af8142965e311f3ead2d58fbd9c1d57b92aee
SHA512
20516269710afb59c4fce07a425e8cf0519a21503a8b30da44d467d8115e7ebced56c926fed8d0503a18cd6471f98225b9df3e8a8e191f4c1e0119cd0472bf33
-
Filesize
199B
MD5
1991f6d0932d88c035a78b2bdf2f42d2
SHA1
e29e6ad72f1c98efbc18c9c4a22a6b8b2859d801
SHA256
85b5c544761dc0987444cded8a9abb43c6b703c75131def0fc4a5c78c5f2b0f2
SHA512
32fbda1e6d5335ef49099fdfede62679ee79b11a4cf0670917625102fd66c31ed164dc79ed8126b617d23efcd99cb2e50d89a92cf9fef00dd834e13357a2c981
-
Filesize
199B
MD5
72ecd4be70304a94b5df7b55467bd281
SHA1
52f4f14b437b88eca1123ef4c1565bd2af1af9d3
SHA256
a653aca6b6a41f8d4f2a53d618d4127b019cc8706f5d58395600fb00cb8dea8b
SHA512
e3259f2f5dc3fbf5a191cd810ab36f95ebc1b0d8433db1351c6436a03076da51cd2f8c01d124636ae0ad176e6a8156bdcf54974360635f90fd02c8d05c4f36fb
-
Filesize
199B
MD5
eaf07df0841789bb83bac01745907b8b
SHA1
8c109551df6f6b6f2354a82ba5f879b1ef28e06d
SHA256
4433531b54c6bd8326d23de0eea1f252b9b4879524494805491e0112793815fc
SHA512
1b9d49cadfb3cc30a7dc12fdc1827e4dfc5f3886250c96fa11d6ce854c8d1bb6e47e1e868b9bbfe1621d9e23c299cc21aae03d395c63724d4ee0809635df98da
-
Filesize
199B
MD5
113862040a0b4c52e27db6e0f8cd26fd
SHA1
c1f59c40ec2856508d4bfde47aa36ca4c07f4c28
SHA256
a844848a8a03374ae74e13605e33f8a43e91dd139777b0a800b3bd82279c8cd1
SHA512
03314b7a7e1e3beb94597cc5eaf97bcfe1a7c11c6338e377ee7659d733a9c149315414cc8b3ae6786bd83dbfcbbc3861bc1adb5cdd41c416858ba8fb36843c9f
-
Filesize
36B
MD5
6783c3ee07c7d151ceac57f1f9c8bed7
SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03
SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8
-
Filesize
1.0MB
MD5
bd31e94b4143c4ce49c17d3af46bcad0
SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
Filesize
197B
MD5
8088241160261560a02c84025d107592
SHA1
083121f7027557570994c9fc211df61730455bb5
SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478