Analysis
-
max time kernel
150s -
max time network
144s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
22-12-2024 00:35
Behavioral task
behavioral1
Sample
JaffaCakes118_fa225ad8d86707d63c7b607c5b5068fbbb0ad539d9243397927b439d5f437d97.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
JaffaCakes118_fa225ad8d86707d63c7b607c5b5068fbbb0ad539d9243397927b439d5f437d97.exe
Resource
win10v2004-20241007-en
General
-
Target
JaffaCakes118_fa225ad8d86707d63c7b607c5b5068fbbb0ad539d9243397927b439d5f437d97.exe
-
Size
1.3MB
-
MD5
7e515e4b394a3a0b27c3f061dd0215ea
-
SHA1
c3be28953ce77ebc930c774d6ce5110a0696bd7d
-
SHA256
fa225ad8d86707d63c7b607c5b5068fbbb0ad539d9243397927b439d5f437d97
-
SHA512
85a563ed0ab056b5e1b720b9dd043c6b3e246a761f099e6dd3b79c0ccb64dada0f916ff7cbc4cd14cabac34941874e326d5aa9db317d2a77bf6b22aa164d2424
-
SSDEEP
24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 64 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2728 2820 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1344 2820 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2592 2820 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2680 2820 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2580 2820 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2632 2820 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2972 2820 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2224 2820 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1936 2820 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1792 2820 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1684 2820 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2492 2820 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1368 2820 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3064 2820 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1800 2820 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 108 2820 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3056 2820 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1812 2820 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2184 2820 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2276 2820 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1156 2820 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1656 2820 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1004 2820 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 896 2820 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1960 2820 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2440 2820 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 936 2820 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1736 2820 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2452 2820 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2268 2820 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2848 2820 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2004 2820 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2800 2820 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2676 2820 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2740 2820 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2572 2820 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1992 2820 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2360 2820 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1148 2820 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2632 2820 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2832 2820 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1288 2820 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2648 2820 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2876 2820 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2844 2820 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1592 2820 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1692 2820 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2720 2820 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1932 2820 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2880 2820 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3012 2820 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2728 2820 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2900 2820 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3008 2820 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2444 2820 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2224 2820 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1716 2820 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1408 2820 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1704 2820 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1980 2820 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2272 2820 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1852 2820 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1664 2820 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2892 2820 schtasks.exe 35 -
resource yara_rule behavioral1/files/0x000700000001868b-9.dat dcrat behavioral1/memory/2660-13-0x0000000001060000-0x0000000001170000-memory.dmp dcrat behavioral1/memory/2076-278-0x0000000001310000-0x0000000001420000-memory.dmp dcrat behavioral1/memory/952-397-0x0000000000350000-0x0000000000460000-memory.dmp dcrat behavioral1/memory/2704-458-0x00000000003A0000-0x00000000004B0000-memory.dmp dcrat behavioral1/memory/536-516-0x0000000000200000-0x0000000000310000-memory.dmp dcrat behavioral1/memory/2676-573-0x0000000000930000-0x0000000000A40000-memory.dmp dcrat behavioral1/memory/1800-630-0x0000000000D70000-0x0000000000E80000-memory.dmp dcrat behavioral1/memory/584-687-0x00000000001A0000-0x00000000002B0000-memory.dmp dcrat behavioral1/memory/1760-744-0x00000000002E0000-0x00000000003F0000-memory.dmp dcrat behavioral1/memory/1504-802-0x0000000001350000-0x0000000001460000-memory.dmp dcrat -
Command and Scripting Interpreter: PowerShell 1 TTPs 35 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 2372 powershell.exe 1636 powershell.exe 2924 powershell.exe 2876 powershell.exe 1036 powershell.exe 380 powershell.exe 2028 powershell.exe 2500 powershell.exe 2648 powershell.exe 1608 powershell.exe 1944 powershell.exe 2740 powershell.exe 796 powershell.exe 596 powershell.exe 1704 powershell.exe 1144 powershell.exe 1144 powershell.exe 2640 powershell.exe 2704 powershell.exe 2948 powershell.exe 2688 powershell.exe 2964 powershell.exe 2860 powershell.exe 1312 powershell.exe 1924 powershell.exe 1440 powershell.exe 2012 powershell.exe 1720 powershell.exe 2724 powershell.exe 2072 powershell.exe 1696 powershell.exe 2428 powershell.exe 2420 powershell.exe 2164 powershell.exe 1556 powershell.exe -
Executes dropped EXE 13 IoCs
pid Process 2660 DllCommonsvc.exe 1044 DllCommonsvc.exe 2260 DllCommonsvc.exe 2076 DllCommonsvc.exe 1612 DllCommonsvc.exe 952 DllCommonsvc.exe 2704 DllCommonsvc.exe 536 DllCommonsvc.exe 2676 DllCommonsvc.exe 1800 DllCommonsvc.exe 584 DllCommonsvc.exe 1760 DllCommonsvc.exe 1504 DllCommonsvc.exe -
Loads dropped DLL 2 IoCs
pid Process 2120 cmd.exe 2120 cmd.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs
flow ioc 4 raw.githubusercontent.com 5 raw.githubusercontent.com 9 raw.githubusercontent.com 24 raw.githubusercontent.com 27 raw.githubusercontent.com 34 raw.githubusercontent.com 13 raw.githubusercontent.com 17 raw.githubusercontent.com 20 raw.githubusercontent.com 31 raw.githubusercontent.com -
Drops file in Program Files directory 23 IoCs
description ioc Process File created C:\Program Files\Internet Explorer\smss.exe DllCommonsvc.exe File created C:\Program Files (x86)\Mozilla Maintenance Service\logs\e978f868350d50 DllCommonsvc.exe File created C:\Program Files (x86)\Microsoft Office\Templates\Presentation Designs\powershell.exe DllCommonsvc.exe File created C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\a76d7bf15d8370 DllCommonsvc.exe File created C:\Program Files (x86)\Windows NT\Accessories\de-DE\System.exe DllCommonsvc.exe File created C:\Program Files\VideoLAN\VLC\lua\meta\reader\42af1c969fbb7b DllCommonsvc.exe File created C:\Program Files (x86)\Common Files\Services\lsass.exe DllCommonsvc.exe File created C:\Program Files (x86)\Windows Defender\ja-JP\3a6fe29a7ceee6 DllCommonsvc.exe File created C:\Program Files\Windows Photo Viewer\ja-JP\dwm.exe DllCommonsvc.exe File created C:\Program Files\Windows Photo Viewer\ja-JP\6cb0b6c459d5d3 DllCommonsvc.exe File created C:\Program Files\Internet Explorer\69ddcba757bf72 DllCommonsvc.exe File created C:\Program Files (x86)\Windows NT\Accessories\de-DE\27d1bcfc3c54e0 DllCommonsvc.exe File created C:\Program Files\VideoLAN\VLC\lua\meta\reader\audiodg.exe DllCommonsvc.exe File created C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\DllCommonsvc.exe DllCommonsvc.exe File created C:\Program Files (x86)\Mozilla Maintenance Service\logs\powershell.exe DllCommonsvc.exe File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\logs\powershell.exe DllCommonsvc.exe File created C:\Program Files (x86)\Common Files\Services\6203df4a6bafc7 DllCommonsvc.exe File created C:\Program Files (x86)\Microsoft Office\Templates\Presentation Designs\e978f868350d50 DllCommonsvc.exe File created C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\dwm.exe DllCommonsvc.exe File created C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\6cb0b6c459d5d3 DllCommonsvc.exe File created C:\Program Files (x86)\Windows Defender\ja-JP\schtasks.exe DllCommonsvc.exe File created C:\Program Files\Uninstall Information\csrss.exe DllCommonsvc.exe File created C:\Program Files\Uninstall Information\886983d96e3d3e DllCommonsvc.exe -
Drops file in Windows directory 7 IoCs
description ioc Process File created C:\Windows\winsxs\amd64_microsoft-windows-bootres.resources_31bf3856ad364e35_6.1.7600.16385_es-es_3d85b71a70796e35\WmiPrvSE.exe DllCommonsvc.exe File created C:\Windows\system\wininit.exe DllCommonsvc.exe File created C:\Windows\system\56085415360792 DllCommonsvc.exe File created C:\Windows\ModemLogs\WmiPrvSE.exe DllCommonsvc.exe File created C:\Windows\ModemLogs\24dbde2999530e DllCommonsvc.exe File created C:\Windows\ShellNew\wininit.exe DllCommonsvc.exe File created C:\Windows\ShellNew\56085415360792 DllCommonsvc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_fa225ad8d86707d63c7b607c5b5068fbbb0ad539d9243397927b439d5f437d97.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 1916 schtasks.exe 1012 schtasks.exe 1028 schtasks.exe 1344 schtasks.exe 1812 schtasks.exe 936 schtasks.exe 2572 schtasks.exe 2360 schtasks.exe 2460 schtasks.exe 1104 schtasks.exe 1684 schtasks.exe 3064 schtasks.exe 2184 schtasks.exe 2632 schtasks.exe 2032 schtasks.exe 1800 schtasks.exe 1736 schtasks.exe 2844 schtasks.exe 2272 schtasks.exe 964 schtasks.exe 1812 schtasks.exe 2848 schtasks.exe 2720 schtasks.exe 2892 schtasks.exe 1820 schtasks.exe 2740 schtasks.exe 2776 schtasks.exe 1492 schtasks.exe 2000 schtasks.exe 1656 schtasks.exe 1004 schtasks.exe 2440 schtasks.exe 2224 schtasks.exe 700 schtasks.exe 1716 schtasks.exe 1676 schtasks.exe 1368 schtasks.exe 2452 schtasks.exe 2268 schtasks.exe 1288 schtasks.exe 2648 schtasks.exe 2556 schtasks.exe 2728 schtasks.exe 2224 schtasks.exe 108 schtasks.exe 2832 schtasks.exe 1704 schtasks.exe 1980 schtasks.exe 276 schtasks.exe 2644 schtasks.exe 2632 schtasks.exe 2492 schtasks.exe 3056 schtasks.exe 896 schtasks.exe 3008 schtasks.exe 1288 schtasks.exe 1580 schtasks.exe 2368 schtasks.exe 2972 schtasks.exe 1628 schtasks.exe 2004 schtasks.exe 1992 schtasks.exe 2632 schtasks.exe 2896 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2660 DllCommonsvc.exe 1704 powershell.exe 1696 powershell.exe 796 powershell.exe 1036 powershell.exe 596 powershell.exe 1044 DllCommonsvc.exe 380 powershell.exe 2500 powershell.exe 1144 powershell.exe 2860 powershell.exe 1312 powershell.exe 2012 powershell.exe 2964 powershell.exe 2420 powershell.exe 2948 powershell.exe 2428 powershell.exe 2028 powershell.exe 2260 DllCommonsvc.exe 2260 DllCommonsvc.exe 2260 DllCommonsvc.exe 2260 DllCommonsvc.exe 2260 DllCommonsvc.exe 2260 DllCommonsvc.exe 2260 DllCommonsvc.exe 2260 DllCommonsvc.exe 2260 DllCommonsvc.exe 2260 DllCommonsvc.exe 2260 DllCommonsvc.exe 2260 DllCommonsvc.exe 2260 DllCommonsvc.exe 2260 DllCommonsvc.exe 2260 DllCommonsvc.exe 2260 DllCommonsvc.exe 2260 DllCommonsvc.exe 2260 DllCommonsvc.exe 2260 DllCommonsvc.exe 2260 DllCommonsvc.exe 2260 DllCommonsvc.exe 2260 DllCommonsvc.exe 2260 DllCommonsvc.exe 2260 DllCommonsvc.exe 2260 DllCommonsvc.exe 2260 DllCommonsvc.exe 2260 DllCommonsvc.exe 2260 DllCommonsvc.exe 2260 DllCommonsvc.exe 2260 DllCommonsvc.exe 2260 DllCommonsvc.exe 2260 DllCommonsvc.exe 2260 DllCommonsvc.exe 2260 DllCommonsvc.exe 2260 DllCommonsvc.exe 2260 DllCommonsvc.exe 2260 DllCommonsvc.exe 2260 DllCommonsvc.exe 2260 DllCommonsvc.exe 2876 powershell.exe 2372 powershell.exe 1440 powershell.exe 2648 powershell.exe 2924 powershell.exe 2640 powershell.exe 1556 powershell.exe -
Suspicious use of AdjustPrivilegeToken 48 IoCs
description pid Process Token: SeDebugPrivilege 2660 DllCommonsvc.exe Token: SeDebugPrivilege 1704 powershell.exe Token: SeDebugPrivilege 1696 powershell.exe Token: SeDebugPrivilege 796 powershell.exe Token: SeDebugPrivilege 1036 powershell.exe Token: SeDebugPrivilege 596 powershell.exe Token: SeDebugPrivilege 1044 DllCommonsvc.exe Token: SeDebugPrivilege 380 powershell.exe Token: SeDebugPrivilege 2500 powershell.exe Token: SeDebugPrivilege 1144 powershell.exe Token: SeDebugPrivilege 2860 powershell.exe Token: SeDebugPrivilege 1312 powershell.exe Token: SeDebugPrivilege 2012 powershell.exe Token: SeDebugPrivilege 2964 powershell.exe Token: SeDebugPrivilege 2420 powershell.exe Token: SeDebugPrivilege 2948 powershell.exe Token: SeDebugPrivilege 2428 powershell.exe Token: SeDebugPrivilege 2260 DllCommonsvc.exe Token: SeDebugPrivilege 2028 powershell.exe Token: SeDebugPrivilege 2876 powershell.exe Token: SeDebugPrivilege 2372 powershell.exe Token: SeDebugPrivilege 1440 powershell.exe Token: SeDebugPrivilege 2648 powershell.exe Token: SeDebugPrivilege 2924 powershell.exe Token: SeDebugPrivilege 2640 powershell.exe Token: SeDebugPrivilege 1556 powershell.exe Token: SeDebugPrivilege 1720 powershell.exe Token: SeDebugPrivilege 1608 powershell.exe Token: SeDebugPrivilege 2724 powershell.exe Token: SeDebugPrivilege 1144 powershell.exe Token: SeDebugPrivilege 2164 powershell.exe Token: SeDebugPrivilege 1636 powershell.exe Token: SeDebugPrivilege 2688 powershell.exe Token: SeDebugPrivilege 1924 powershell.exe Token: SeDebugPrivilege 1944 powershell.exe Token: SeDebugPrivilege 2072 powershell.exe Token: SeDebugPrivilege 2704 powershell.exe Token: SeDebugPrivilege 2740 powershell.exe Token: SeDebugPrivilege 2076 DllCommonsvc.exe Token: SeDebugPrivilege 1612 DllCommonsvc.exe Token: SeDebugPrivilege 952 DllCommonsvc.exe Token: SeDebugPrivilege 2704 DllCommonsvc.exe Token: SeDebugPrivilege 536 DllCommonsvc.exe Token: SeDebugPrivilege 2676 DllCommonsvc.exe Token: SeDebugPrivilege 1800 DllCommonsvc.exe Token: SeDebugPrivilege 584 DllCommonsvc.exe Token: SeDebugPrivilege 1760 DllCommonsvc.exe Token: SeDebugPrivilege 1504 DllCommonsvc.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2124 wrote to memory of 2004 2124 JaffaCakes118_fa225ad8d86707d63c7b607c5b5068fbbb0ad539d9243397927b439d5f437d97.exe 31 PID 2124 wrote to memory of 2004 2124 JaffaCakes118_fa225ad8d86707d63c7b607c5b5068fbbb0ad539d9243397927b439d5f437d97.exe 31 PID 2124 wrote to memory of 2004 2124 JaffaCakes118_fa225ad8d86707d63c7b607c5b5068fbbb0ad539d9243397927b439d5f437d97.exe 31 PID 2124 wrote to memory of 2004 2124 JaffaCakes118_fa225ad8d86707d63c7b607c5b5068fbbb0ad539d9243397927b439d5f437d97.exe 31 PID 2004 wrote to memory of 2120 2004 WScript.exe 32 PID 2004 wrote to memory of 2120 2004 WScript.exe 32 PID 2004 wrote to memory of 2120 2004 WScript.exe 32 PID 2004 wrote to memory of 2120 2004 WScript.exe 32 PID 2120 wrote to memory of 2660 2120 cmd.exe 34 PID 2120 wrote to memory of 2660 2120 cmd.exe 34 PID 2120 wrote to memory of 2660 2120 cmd.exe 34 PID 2120 wrote to memory of 2660 2120 cmd.exe 34 PID 2660 wrote to memory of 796 2660 DllCommonsvc.exe 48 PID 2660 wrote to memory of 796 2660 DllCommonsvc.exe 48 PID 2660 wrote to memory of 796 2660 DllCommonsvc.exe 48 PID 2660 wrote to memory of 1704 2660 DllCommonsvc.exe 49 PID 2660 wrote to memory of 1704 2660 DllCommonsvc.exe 49 PID 2660 wrote to memory of 1704 2660 DllCommonsvc.exe 49 PID 2660 wrote to memory of 596 2660 DllCommonsvc.exe 50 PID 2660 wrote to memory of 596 2660 DllCommonsvc.exe 50 PID 2660 wrote to memory of 596 2660 DllCommonsvc.exe 50 PID 2660 wrote to memory of 1696 2660 DllCommonsvc.exe 52 PID 2660 wrote to memory of 1696 2660 DllCommonsvc.exe 52 PID 2660 wrote to memory of 1696 2660 DllCommonsvc.exe 52 PID 2660 wrote to memory of 1036 2660 DllCommonsvc.exe 53 PID 2660 wrote to memory of 1036 2660 DllCommonsvc.exe 53 PID 2660 wrote to memory of 1036 2660 DllCommonsvc.exe 53 PID 2660 wrote to memory of 2752 2660 DllCommonsvc.exe 58 PID 2660 wrote to memory of 2752 2660 DllCommonsvc.exe 58 PID 2660 wrote to memory of 2752 2660 DllCommonsvc.exe 58 PID 2752 wrote to memory of 1600 2752 cmd.exe 60 PID 2752 wrote to memory of 1600 2752 cmd.exe 60 PID 2752 wrote to memory of 1600 2752 cmd.exe 60 PID 2752 wrote to memory of 1044 2752 cmd.exe 61 PID 2752 wrote to memory of 1044 2752 cmd.exe 61 PID 2752 wrote to memory of 1044 2752 cmd.exe 61 PID 1044 wrote to memory of 2500 1044 DllCommonsvc.exe 92 PID 1044 wrote to memory of 2500 1044 DllCommonsvc.exe 92 PID 1044 wrote to memory of 2500 1044 DllCommonsvc.exe 92 PID 1044 wrote to memory of 1312 1044 DllCommonsvc.exe 93 PID 1044 wrote to memory of 1312 1044 DllCommonsvc.exe 93 PID 1044 wrote to memory of 1312 1044 DllCommonsvc.exe 93 PID 1044 wrote to memory of 2860 1044 DllCommonsvc.exe 95 PID 1044 wrote to memory of 2860 1044 DllCommonsvc.exe 95 PID 1044 wrote to memory of 2860 1044 DllCommonsvc.exe 95 PID 1044 wrote to memory of 1144 1044 DllCommonsvc.exe 96 PID 1044 wrote to memory of 1144 1044 DllCommonsvc.exe 96 PID 1044 wrote to memory of 1144 1044 DllCommonsvc.exe 96 PID 1044 wrote to memory of 2028 1044 DllCommonsvc.exe 97 PID 1044 wrote to memory of 2028 1044 DllCommonsvc.exe 97 PID 1044 wrote to memory of 2028 1044 DllCommonsvc.exe 97 PID 1044 wrote to memory of 380 1044 DllCommonsvc.exe 98 PID 1044 wrote to memory of 380 1044 DllCommonsvc.exe 98 PID 1044 wrote to memory of 380 1044 DllCommonsvc.exe 98 PID 1044 wrote to memory of 2012 1044 DllCommonsvc.exe 100 PID 1044 wrote to memory of 2012 1044 DllCommonsvc.exe 100 PID 1044 wrote to memory of 2012 1044 DllCommonsvc.exe 100 PID 1044 wrote to memory of 2428 1044 DllCommonsvc.exe 102 PID 1044 wrote to memory of 2428 1044 DllCommonsvc.exe 102 PID 1044 wrote to memory of 2428 1044 DllCommonsvc.exe 102 PID 1044 wrote to memory of 2948 1044 DllCommonsvc.exe 103 PID 1044 wrote to memory of 2948 1044 DllCommonsvc.exe 103 PID 1044 wrote to memory of 2948 1044 DllCommonsvc.exe 103 PID 1044 wrote to memory of 2420 1044 DllCommonsvc.exe 105 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_fa225ad8d86707d63c7b607c5b5068fbbb0ad539d9243397927b439d5f437d97.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_fa225ad8d86707d63c7b607c5b5068fbbb0ad539d9243397927b439d5f437d97.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2124 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2004 -
C:\Windows\SysWOW64\cmd.execmd /c ""C:\providercommon\1zu9dW.bat" "3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2120 -
C:\providercommon\DllCommonsvc.exe"C:\providercommon\DllCommonsvc.exe"4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2660 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:796
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1704
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Photo Viewer\ja-JP\dwm.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:596
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ShellNew\wininit.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1696
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\explorer.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1036
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zSoFCSTtdt.bat"5⤵
- Suspicious use of WriteProcessMemory
PID:2752 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:26⤵PID:1600
-
-
C:\providercommon\DllCommonsvc.exe"C:\providercommon\DllCommonsvc.exe"6⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1044 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2500
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\WmiPrvSE.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1312
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\system\wininit.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2860
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Internet Explorer\smss.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1144
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\explorer.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2028
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\dwm.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:380
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\WmiPrvSE.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2012
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\Accessories\de-DE\System.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2428
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\VLC\lua\meta\reader\audiodg.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2948
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\DllCommonsvc.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2420
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Contacts\lsass.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2964
-
-
C:\providercommon\DllCommonsvc.exe"C:\providercommon\DllCommonsvc.exe"7⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2260 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2372
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\logs\powershell.exe'8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2648
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\Services\lsass.exe'8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:1924
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\schtasks.exe'8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2924
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Music\powershell.exe'8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:1720
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Office\Templates\Presentation Designs\powershell.exe'8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2640
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\services.exe'8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:1144
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\System.exe'8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1440
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\conhost.exe'8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2164
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\powershell.exe'8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2876
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\dwm.exe'8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:1636
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\ja-JP\schtasks.exe'8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2724
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Links\DllCommonsvc.exe'8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1556
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ModemLogs\WmiPrvSE.exe'8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:1608
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\DllCommonsvc.exe'8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2688
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\powershell.exe'8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:1944
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\services.exe'8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2740
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\conhost.exe'8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2704
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\csrss.exe'8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2072
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\j9C4kLBHxE.bat"8⤵PID:2980
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:29⤵PID:2800
-
-
C:\Users\Admin\Links\DllCommonsvc.exe"C:\Users\Admin\Links\DllCommonsvc.exe"9⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2076 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BmKXfVMxAz.bat"10⤵PID:536
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:211⤵PID:2128
-
-
C:\Users\Admin\Links\DllCommonsvc.exe"C:\Users\Admin\Links\DllCommonsvc.exe"11⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1612 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Or3SRhMf8V.bat"12⤵PID:2344
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:213⤵PID:708
-
-
C:\Users\Admin\Links\DllCommonsvc.exe"C:\Users\Admin\Links\DllCommonsvc.exe"13⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:952 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Jk1vLt9ke4.bat"14⤵PID:2428
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:215⤵PID:3024
-
-
C:\Users\Admin\Links\DllCommonsvc.exe"C:\Users\Admin\Links\DllCommonsvc.exe"15⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2704 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FIx4sKIZfl.bat"16⤵PID:2664
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:217⤵PID:1148
-
-
C:\Users\Admin\Links\DllCommonsvc.exe"C:\Users\Admin\Links\DllCommonsvc.exe"17⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:536 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Or3SRhMf8V.bat"18⤵PID:908
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:219⤵PID:2432
-
-
C:\Users\Admin\Links\DllCommonsvc.exe"C:\Users\Admin\Links\DllCommonsvc.exe"19⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2676 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GvLkm7sAXX.bat"20⤵PID:2692
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:221⤵PID:2056
-
-
C:\Users\Admin\Links\DllCommonsvc.exe"C:\Users\Admin\Links\DllCommonsvc.exe"21⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1800 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\p6CE4ikEee.bat"22⤵PID:648
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:223⤵PID:2372
-
-
C:\Users\Admin\Links\DllCommonsvc.exe"C:\Users\Admin\Links\DllCommonsvc.exe"23⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:584 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CL2HVdYORd.bat"24⤵PID:2632
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:225⤵PID:1920
-
-
C:\Users\Admin\Links\DllCommonsvc.exe"C:\Users\Admin\Links\DllCommonsvc.exe"25⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1760 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\p8yPRkR6MR.bat"26⤵PID:2312
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:227⤵PID:2572
-
-
C:\Users\Admin\Links\DllCommonsvc.exe"C:\Users\Admin\Links\DllCommonsvc.exe"27⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1504
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2728
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1344
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:2592
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Photo Viewer\ja-JP\dwm.exe'" /f1⤵
- Process spawned unexpected child process
PID:2680
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\ja-JP\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:2580
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Photo Viewer\ja-JP\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2632
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Windows\ShellNew\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2972
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\ShellNew\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2224
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Windows\ShellNew\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:1936
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\providercommon\explorer.exe'" /f1⤵
- Process spawned unexpected child process
PID:1792
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1684
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2492
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\WmiPrvSE.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1368
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Default User\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3064
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1800
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Windows\system\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:108
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\system\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3056
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Windows\system\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1812
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Program Files\Internet Explorer\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2184
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:2276
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Program Files\Internet Explorer\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:1156
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\providercommon\explorer.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1656
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1004
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:896
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\dwm.exe'" /f1⤵
- Process spawned unexpected child process
PID:1960
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2440
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:936
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\providercommon\WmiPrvSE.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1736
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2452
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2268
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows NT\Accessories\de-DE\System.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2848
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\de-DE\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2004
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows NT\Accessories\de-DE\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:2800
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Program Files\VideoLAN\VLC\lua\meta\reader\audiodg.exe'" /f1⤵
- Process spawned unexpected child process
PID:2676
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\lua\meta\reader\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:2740
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Program Files\VideoLAN\VLC\lua\meta\reader\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2572
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\DllCommonsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1992
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\DllCommonsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2360
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\DllCommonsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:1148
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Contacts\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2832
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Admin\Contacts\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2632
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Contacts\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1288
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "powershellp" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\powershell.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2648
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\powershell.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:2876
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "powershellp" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\powershell.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2844
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Common Files\Services\lsass.exe'" /f1⤵
- Process spawned unexpected child process
PID:1592
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Services\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:1692
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Common Files\Services\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2720
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 14 /tr "'C:\providercommon\schtasks.exe'" /f1⤵
- Process spawned unexpected child process
PID:1932
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "schtasks" /sc ONLOGON /tr "'C:\providercommon\schtasks.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:2880
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 11 /tr "'C:\providercommon\schtasks.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:3012
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "powershellp" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Music\powershell.exe'" /f1⤵
- Process spawned unexpected child process
PID:2728
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Users\Public\Music\powershell.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:2900
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "powershellp" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Music\powershell.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:2444
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "powershellp" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Office\Templates\Presentation Designs\powershell.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3008
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\Templates\Presentation Designs\powershell.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2224
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "powershellp" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Office\Templates\Presentation Designs\powershell.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1716
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\services.exe'" /f1⤵
- Process spawned unexpected child process
PID:1408
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1704
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1980
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\System.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2272
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:1852
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:1664
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\conhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2892
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f1⤵PID:2264
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:1820
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "powershellp" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\powershell.exe'" /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:2556
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\powershell.exe'" /rl HIGHEST /f1⤵PID:2988
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "powershellp" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\powershell.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:700
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\dwm.exe'" /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:276
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\dwm.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:2632
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\dwm.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:2740
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\schtasks.exe'" /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:2644
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "schtasks" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\schtasks.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:2032
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\schtasks.exe'" /rl HIGHEST /f1⤵PID:2076
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Links\DllCommonsvc.exe'" /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:1288
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Users\Admin\Links\DllCommonsvc.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:1916
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Links\DllCommonsvc.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:1628
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Windows\ModemLogs\WmiPrvSE.exe'" /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:1580
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\ModemLogs\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:2776
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Windows\ModemLogs\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:1492
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 8 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\DllCommonsvc.exe'" /f1⤵PID:484
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\DllCommonsvc.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:1012
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 13 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\DllCommonsvc.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:2368
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "powershellp" /sc MINUTE /mo 14 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\powershell.exe'" /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:964
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\powershell.exe'" /rl HIGHEST /f1⤵PID:2012
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "powershellp" /sc MINUTE /mo 7 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\powershell.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:1676
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\providercommon\services.exe'" /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:2896
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:1028
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:1104
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\conhost.exe'" /f1⤵PID:1596
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\conhost.exe'" /rl HIGHEST /f1⤵PID:2608
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\conhost.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:2460
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Uninstall Information\csrss.exe'" /f1⤵PID:2420
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\csrss.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:1812
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Uninstall Information\csrss.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:2000
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5d58ef5863f93a5aa74f9396a90fc9d22
SHA10f34a47e3e0496484c076077e861a6e73ae90b75
SHA2565a6d9f863f9599299f9373ef264fd028df47b4d588391b30f4288ec6c21c104d
SHA512017fec922cc2ce9fe276940bf01867fa378f31d5d93fe7362b759a7c36cf100f45fe034def1537fa1af536583b87bbca3e8a5c8209c57e53c01a843b5586253d
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5aab8ffcfdfe755ad1a883bca3ed1b876
SHA1f9a7f41a8b9a16bf164d42e5ac34909cac94b1f6
SHA256a3ad62fd684d5d8e35ea2851bb4372aa869393eba4958d0715920c02321bdf36
SHA5121cbd3679b7c1f3baa76968f7f55167025cfd4fae760ddc419e2e85cdc1c150dce8bbd6f97757ae6bdb04138a9dc1f3b6ce23ef5d4f61d1b38a32e1483bde274b
-
Filesize
202B
MD5d4f7a84e8cb6dfed53364a96879662ff
SHA1d28e8ae93fb926e178795790b5dd6c03916bca48
SHA25680d3bbbf7e193c4af8c3fa6a265c2dcfbba9a296db91a358c7fd71d47bb8c345
SHA512f8577f27d3d28c3a2a5e24e0ba702a59e852a589f23fcdcee8646ea41ab2eadc8ceec121c645abfa4f0607978bd98bb5eb8cb60c331a4fb2160e963cae72ad37
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
202B
MD5e1327ed8833a7f2287195d11860aa218
SHA15d7209a05483a4eb13de4b8698511460b00db23c
SHA256c28199fe823e36a6fd58f4d9cb43bd9ec0198228d1136ba1a6dc1b0846347535
SHA51271e34d37fc3cb5c74d09a9453eb371364e9bc427fdc343874513161492edb3e8f906dec90eecb51f09286920e1b9e6ffc5b4660bc47de9b4666a6421ea29b952
-
Filesize
202B
MD5b7b5f5bce77a375a51b2558321215f98
SHA1c2134a755d88a34793c2a595272453a97f9ceafc
SHA25694077059f89c5c8e5f536fcedb2d8c4311ad261032e0efdce6ad46bb943d3601
SHA512c0f9f42245800cd5d11636c249184409587767127bb7781b4dcc742657422a43e8c007b0a4a7e1eee002d97b9e26877b1f2e57455fead137df29f7900ba55c1b
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
202B
MD5fd44b37fce364953fce7d16f3297ac53
SHA1540c9c9f0fa955ba441597460a37681f8268571b
SHA256fc4b0cafe2619b4181b56a46cc5fdf4c430a6da94c93653219c6e3faf13c0432
SHA5128a95a0bb759fbcb665ff23983b1f52bd6975c36c0c66cd1e810c72583fa9846d27c4ca71370bc841773e21c95fbbb3125dd7c52fb885f178afa27fd36afce379
-
Filesize
199B
MD5162372895978540278f2afec2bd77370
SHA18e4dcab9d383a2d77c24d6cf251fb3f5ec78bc1d
SHA256718dc96f3aec911b8a504e3e0c41cb0c29e54cace7a806d885ab83b0f8350d04
SHA5128c595d782fb49232e99c41c961906badef2af5b776eb89b38a51d0eee2608c1876c34d6bc82cd2aa6acd72fa99b215a817a626029f9997f4ecec09593f380479
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize7KB
MD56e6b2f30916664d87d3c6d9d24990bce
SHA10aef0ca8225d3076a1275f1d16f992a7593bbb8a
SHA2565add1218df45908f619a9e078fbf219021e23335000ab73bdd30bed058996ed0
SHA5120218240fccea5f7233b56ee8c9707a270b8e24d1b3b03ede3a8b693459797c47ed443e0c35364ada9286ad5ab988e7524d6873ccffa55c2d4f8288c31d056934
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize7KB
MD52eb5a7ed8722f9d506515cc552ca9749
SHA1ec87a5679767e798986796ca383445a01bae5172
SHA256b8fd70ffbb3bb111aa57fe1cf3a7318c12f957c4442a49454e8fa6b613de3ff6
SHA512e6c81be4c82ee8845d26d4d423759f23f64e4eb3339497d261ae7777fdd9e2e78236f29d2129914cf13de5f01182794b4a3e010ff19f6efb5194d782d8ec4f65
-
Filesize
36B
MD56783c3ee07c7d151ceac57f1f9c8bed7
SHA117468f98f95bf504cc1f83c49e49a78526b3ea03
SHA2568ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8
-
Filesize
650B
MD5eed8c83075165851a28c92428b59dcff
SHA1382119360d908ad764b3bd741f3a14eb6c4ebb73
SHA25637b2a2122c31b51c4b1d35f0388a129a892c70327e5c568d1ea512b6a583394f
SHA512ac2c681596c65ca230b023cb83fc72584a2cd5e3f95270362d2ba1e15a607f9e23da3d22f5c0d44515ce7eb24f72b83db52591a504dde85315c9b03df08c94e6
-
Filesize
197B
MD58088241160261560a02c84025d107592
SHA1083121f7027557570994c9fc211df61730455bb5
SHA2562072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA51220d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478
-
Filesize
1.0MB
MD5bd31e94b4143c4ce49c17d3af46bcad0
SHA1f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394