Analysis
-
max time kernel
150s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
22-12-2024 01:07
Behavioral task
behavioral1
Sample
JaffaCakes118_fdc297fcbcb8ad6651b08f3c1b920f86cd42f5c02d6b13cc5db0449d87fe4cec.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
JaffaCakes118_fdc297fcbcb8ad6651b08f3c1b920f86cd42f5c02d6b13cc5db0449d87fe4cec.exe
Resource
win10v2004-20241007-en
General
-
Target
JaffaCakes118_fdc297fcbcb8ad6651b08f3c1b920f86cd42f5c02d6b13cc5db0449d87fe4cec.exe
-
Size
1.3MB
-
MD5
a06e55cfbc590b07f316d25f18d305f5
-
SHA1
86830bcf1c150c58e43b784fc4f90eed9ffb24d3
-
SHA256
fdc297fcbcb8ad6651b08f3c1b920f86cd42f5c02d6b13cc5db0449d87fe4cec
-
SHA512
2f0b90eea05c0d48bcd5f8ce89e9e2b341ce1e7c758a307fc380a9bbdd37d39482ad4b6f7d7b88c549d19474e232bc309ff2f4b07edafac0ed9edd7e12ee392a
-
SSDEEP
24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 64 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1896 2208 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4464 2208 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1576 2208 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1508 2208 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2744 2208 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3296 2208 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2308 2208 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4796 2208 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1436 2208 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2864 2208 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2860 2208 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4504 2208 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 824 2208 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3972 2208 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4168 2208 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3448 2208 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2952 2208 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2004 2208 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1460 2208 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3220 2208 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3572 2208 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4332 2208 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3488 2208 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4028 2208 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3556 2208 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2588 2208 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3300 2208 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3992 2208 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3632 2208 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2964 2208 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 676 2208 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2624 2208 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3732 2208 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1980 2208 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4632 2208 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 564 2208 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4928 2208 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1144 2208 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2416 2208 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3540 2208 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1720 2208 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1512 2208 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4912 2208 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4604 2208 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1696 2208 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4780 2208 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1952 2208 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2780 2208 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2884 2208 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3508 2208 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2948 2208 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3524 2208 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3716 2208 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4252 2208 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3740 2208 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4332 2208 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2264 2208 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4788 2208 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3616 2208 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1484 2208 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4464 2208 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3296 2208 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2528 2208 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 316 2208 schtasks.exe 88 -
resource yara_rule behavioral2/files/0x000a000000023b69-10.dat dcrat behavioral2/memory/3468-13-0x0000000000E20000-0x0000000000F30000-memory.dmp dcrat -
Command and Scripting Interpreter: PowerShell 1 TTPs 28 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 4280 powershell.exe 3860 powershell.exe 3480 powershell.exe 1536 powershell.exe 4088 powershell.exe 3180 powershell.exe 4104 powershell.exe 5008 powershell.exe 4860 powershell.exe 2272 powershell.exe 1052 powershell.exe 216 powershell.exe 1512 powershell.exe 1516 powershell.exe 2420 powershell.exe 2276 powershell.exe 892 powershell.exe 4472 powershell.exe 4196 powershell.exe 1660 powershell.exe 1448 powershell.exe 2588 powershell.exe 4072 powershell.exe 2140 powershell.exe 2720 powershell.exe 4452 powershell.exe 3840 powershell.exe 2236 powershell.exe -
Checks computer location settings 2 TTPs 17 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation DllCommonsvc.exe Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation System.exe Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation System.exe Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation JaffaCakes118_fdc297fcbcb8ad6651b08f3c1b920f86cd42f5c02d6b13cc5db0449d87fe4cec.exe Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation System.exe Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation System.exe Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation System.exe Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation System.exe Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation System.exe Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation System.exe Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation System.exe Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation System.exe Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation DllCommonsvc.exe Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation System.exe Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation System.exe Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation System.exe -
Executes dropped EXE 16 IoCs
pid Process 3468 DllCommonsvc.exe 2560 DllCommonsvc.exe 2308 System.exe 676 System.exe 444 System.exe 892 System.exe 3340 System.exe 1492 System.exe 1412 System.exe 3576 System.exe 2092 System.exe 2708 System.exe 3476 System.exe 4088 System.exe 3300 System.exe 2292 System.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 14 IoCs
flow ioc 18 raw.githubusercontent.com 39 raw.githubusercontent.com 43 raw.githubusercontent.com 55 raw.githubusercontent.com 17 raw.githubusercontent.com 45 raw.githubusercontent.com 50 raw.githubusercontent.com 52 raw.githubusercontent.com 54 raw.githubusercontent.com 25 raw.githubusercontent.com 40 raw.githubusercontent.com 44 raw.githubusercontent.com 51 raw.githubusercontent.com 53 raw.githubusercontent.com -
Drops file in Program Files directory 4 IoCs
description ioc Process File created C:\Program Files (x86)\Microsoft.NET\RedistList\5b884080fd4f94 DllCommonsvc.exe File created C:\Program Files\Microsoft Office 15\ClientX64\services.exe DllCommonsvc.exe File created C:\Program Files\Microsoft Office 15\ClientX64\c5b4cb5e9653cc DllCommonsvc.exe File created C:\Program Files (x86)\Microsoft.NET\RedistList\fontdrvhost.exe DllCommonsvc.exe -
Drops file in Windows directory 14 IoCs
description ioc Process File created C:\Windows\tracing\22eafd247d37c3 DllCommonsvc.exe File created C:\Windows\Logs\HomeGroup\services.exe DllCommonsvc.exe File created C:\Windows\Logs\HomeGroup\c5b4cb5e9653cc DllCommonsvc.exe File created C:\Windows\tracing\fontdrvhost.exe DllCommonsvc.exe File created C:\Windows\appcompat\encapsulation\56085415360792 DllCommonsvc.exe File created C:\Windows\AppReadiness\9e8d7a4ca61bd9 DllCommonsvc.exe File created C:\Windows\tracing\5b884080fd4f94 DllCommonsvc.exe File created C:\Windows\appcompat\encapsulation\wininit.exe DllCommonsvc.exe File created C:\Windows\RemotePackages\StartMenuExperienceHost.exe DllCommonsvc.exe File created C:\Windows\RemotePackages\55b276f4edf653 DllCommonsvc.exe File created C:\Windows\DiagTrack\Scenarios\886983d96e3d3e DllCommonsvc.exe File created C:\Windows\tracing\TextInputHost.exe DllCommonsvc.exe File created C:\Windows\AppReadiness\RuntimeBroker.exe DllCommonsvc.exe File created C:\Windows\DiagTrack\Scenarios\csrss.exe DllCommonsvc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_fdc297fcbcb8ad6651b08f3c1b920f86cd42f5c02d6b13cc5db0449d87fe4cec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
Modifies registry class 15 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings JaffaCakes118_fdc297fcbcb8ad6651b08f3c1b920f86cd42f5c02d6b13cc5db0449d87fe4cec.exe Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings System.exe Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings System.exe Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings System.exe Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings System.exe Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings System.exe Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings System.exe Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings System.exe Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings System.exe Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings DllCommonsvc.exe Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings System.exe Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings System.exe Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings System.exe Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings System.exe Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings System.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2308 schtasks.exe 824 schtasks.exe 4332 schtasks.exe 2964 schtasks.exe 1720 schtasks.exe 1512 schtasks.exe 2092 schtasks.exe 3220 schtasks.exe 1696 schtasks.exe 3740 schtasks.exe 4224 schtasks.exe 2152 schtasks.exe 4504 schtasks.exe 3556 schtasks.exe 3732 schtasks.exe 1980 schtasks.exe 4632 schtasks.exe 2416 schtasks.exe 2884 schtasks.exe 2952 schtasks.exe 3632 schtasks.exe 4252 schtasks.exe 3616 schtasks.exe 2664 schtasks.exe 1952 schtasks.exe 1484 schtasks.exe 1892 schtasks.exe 1576 schtasks.exe 676 schtasks.exe 1896 schtasks.exe 4332 schtasks.exe 1576 schtasks.exe 2804 schtasks.exe 4464 schtasks.exe 4780 schtasks.exe 3524 schtasks.exe 4944 schtasks.exe 1508 schtasks.exe 4796 schtasks.exe 2780 schtasks.exe 3508 schtasks.exe 4788 schtasks.exe 2528 schtasks.exe 2860 schtasks.exe 3488 schtasks.exe 2624 schtasks.exe 4928 schtasks.exe 4604 schtasks.exe 4236 schtasks.exe 424 schtasks.exe 3572 schtasks.exe 4028 schtasks.exe 1536 schtasks.exe 3296 schtasks.exe 2864 schtasks.exe 1144 schtasks.exe 316 schtasks.exe 2744 schtasks.exe 3448 schtasks.exe 4912 schtasks.exe 2948 schtasks.exe 2264 schtasks.exe 1436 schtasks.exe 3992 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 3468 DllCommonsvc.exe 3468 DllCommonsvc.exe 3468 DllCommonsvc.exe 3468 DllCommonsvc.exe 3468 DllCommonsvc.exe 3468 DllCommonsvc.exe 3468 DllCommonsvc.exe 3468 DllCommonsvc.exe 3468 DllCommonsvc.exe 3468 DllCommonsvc.exe 4860 powershell.exe 4860 powershell.exe 1660 powershell.exe 1660 powershell.exe 3840 powershell.exe 3840 powershell.exe 3480 powershell.exe 3480 powershell.exe 4280 powershell.exe 4280 powershell.exe 2720 powershell.exe 2720 powershell.exe 1516 powershell.exe 1516 powershell.exe 1512 powershell.exe 1512 powershell.exe 2236 powershell.exe 2236 powershell.exe 1052 powershell.exe 1052 powershell.exe 5008 powershell.exe 5008 powershell.exe 2140 powershell.exe 2140 powershell.exe 216 powershell.exe 216 powershell.exe 1536 powershell.exe 1536 powershell.exe 1536 powershell.exe 1512 powershell.exe 2140 powershell.exe 3840 powershell.exe 4860 powershell.exe 2720 powershell.exe 1660 powershell.exe 4280 powershell.exe 3480 powershell.exe 1052 powershell.exe 5008 powershell.exe 1516 powershell.exe 216 powershell.exe 2236 powershell.exe 2560 DllCommonsvc.exe 2560 DllCommonsvc.exe 2560 DllCommonsvc.exe 2560 DllCommonsvc.exe 2560 DllCommonsvc.exe 2560 DllCommonsvc.exe 2560 DllCommonsvc.exe 2560 DllCommonsvc.exe 2560 DllCommonsvc.exe 3860 powershell.exe 3860 powershell.exe 4088 powershell.exe -
Suspicious use of AdjustPrivilegeToken 44 IoCs
description pid Process Token: SeDebugPrivilege 3468 DllCommonsvc.exe Token: SeDebugPrivilege 4860 powershell.exe Token: SeDebugPrivilege 1512 powershell.exe Token: SeDebugPrivilege 1660 powershell.exe Token: SeDebugPrivilege 3840 powershell.exe Token: SeDebugPrivilege 3480 powershell.exe Token: SeDebugPrivilege 4280 powershell.exe Token: SeDebugPrivilege 1516 powershell.exe Token: SeDebugPrivilege 2720 powershell.exe Token: SeDebugPrivilege 2236 powershell.exe Token: SeDebugPrivilege 1052 powershell.exe Token: SeDebugPrivilege 5008 powershell.exe Token: SeDebugPrivilege 2140 powershell.exe Token: SeDebugPrivilege 1536 powershell.exe Token: SeDebugPrivilege 216 powershell.exe Token: SeDebugPrivilege 2560 DllCommonsvc.exe Token: SeDebugPrivilege 3860 powershell.exe Token: SeDebugPrivilege 4088 powershell.exe Token: SeDebugPrivilege 2272 powershell.exe Token: SeDebugPrivilege 4452 powershell.exe Token: SeDebugPrivilege 3180 powershell.exe Token: SeDebugPrivilege 4472 powershell.exe Token: SeDebugPrivilege 892 powershell.exe Token: SeDebugPrivilege 2588 powershell.exe Token: SeDebugPrivilege 2420 powershell.exe Token: SeDebugPrivilege 1448 powershell.exe Token: SeDebugPrivilege 2276 powershell.exe Token: SeDebugPrivilege 4196 powershell.exe Token: SeDebugPrivilege 4072 powershell.exe Token: SeDebugPrivilege 2308 System.exe Token: SeDebugPrivilege 4104 powershell.exe Token: SeDebugPrivilege 676 System.exe Token: SeDebugPrivilege 444 System.exe Token: SeDebugPrivilege 892 System.exe Token: SeDebugPrivilege 3340 System.exe Token: SeDebugPrivilege 1492 System.exe Token: SeDebugPrivilege 1412 System.exe Token: SeDebugPrivilege 3576 System.exe Token: SeDebugPrivilege 2092 System.exe Token: SeDebugPrivilege 2708 System.exe Token: SeDebugPrivilege 3476 System.exe Token: SeDebugPrivilege 4088 System.exe Token: SeDebugPrivilege 3300 System.exe Token: SeDebugPrivilege 2292 System.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1720 wrote to memory of 100 1720 JaffaCakes118_fdc297fcbcb8ad6651b08f3c1b920f86cd42f5c02d6b13cc5db0449d87fe4cec.exe 83 PID 1720 wrote to memory of 100 1720 JaffaCakes118_fdc297fcbcb8ad6651b08f3c1b920f86cd42f5c02d6b13cc5db0449d87fe4cec.exe 83 PID 1720 wrote to memory of 100 1720 JaffaCakes118_fdc297fcbcb8ad6651b08f3c1b920f86cd42f5c02d6b13cc5db0449d87fe4cec.exe 83 PID 100 wrote to memory of 3148 100 WScript.exe 85 PID 100 wrote to memory of 3148 100 WScript.exe 85 PID 100 wrote to memory of 3148 100 WScript.exe 85 PID 3148 wrote to memory of 3468 3148 cmd.exe 87 PID 3148 wrote to memory of 3468 3148 cmd.exe 87 PID 3468 wrote to memory of 5008 3468 DllCommonsvc.exe 129 PID 3468 wrote to memory of 5008 3468 DllCommonsvc.exe 129 PID 3468 wrote to memory of 4860 3468 DllCommonsvc.exe 130 PID 3468 wrote to memory of 4860 3468 DllCommonsvc.exe 130 PID 3468 wrote to memory of 3840 3468 DllCommonsvc.exe 131 PID 3468 wrote to memory of 3840 3468 DllCommonsvc.exe 131 PID 3468 wrote to memory of 2236 3468 DllCommonsvc.exe 132 PID 3468 wrote to memory of 2236 3468 DllCommonsvc.exe 132 PID 3468 wrote to memory of 1660 3468 DllCommonsvc.exe 133 PID 3468 wrote to memory of 1660 3468 DllCommonsvc.exe 133 PID 3468 wrote to memory of 1052 3468 DllCommonsvc.exe 134 PID 3468 wrote to memory of 1052 3468 DllCommonsvc.exe 134 PID 3468 wrote to memory of 1512 3468 DllCommonsvc.exe 135 PID 3468 wrote to memory of 1512 3468 DllCommonsvc.exe 135 PID 3468 wrote to memory of 3480 3468 DllCommonsvc.exe 136 PID 3468 wrote to memory of 3480 3468 DllCommonsvc.exe 136 PID 3468 wrote to memory of 1536 3468 DllCommonsvc.exe 137 PID 3468 wrote to memory of 1536 3468 DllCommonsvc.exe 137 PID 3468 wrote to memory of 1516 3468 DllCommonsvc.exe 138 PID 3468 wrote to memory of 1516 3468 DllCommonsvc.exe 138 PID 3468 wrote to memory of 216 3468 DllCommonsvc.exe 139 PID 3468 wrote to memory of 216 3468 DllCommonsvc.exe 139 PID 3468 wrote to memory of 2720 3468 DllCommonsvc.exe 140 PID 3468 wrote to memory of 2720 3468 DllCommonsvc.exe 140 PID 3468 wrote to memory of 4280 3468 DllCommonsvc.exe 141 PID 3468 wrote to memory of 4280 3468 DllCommonsvc.exe 141 PID 3468 wrote to memory of 2140 3468 DllCommonsvc.exe 142 PID 3468 wrote to memory of 2140 3468 DllCommonsvc.exe 142 PID 3468 wrote to memory of 3176 3468 DllCommonsvc.exe 157 PID 3468 wrote to memory of 3176 3468 DllCommonsvc.exe 157 PID 3176 wrote to memory of 3628 3176 cmd.exe 159 PID 3176 wrote to memory of 3628 3176 cmd.exe 159 PID 3176 wrote to memory of 2560 3176 cmd.exe 165 PID 3176 wrote to memory of 2560 3176 cmd.exe 165 PID 2560 wrote to memory of 4088 2560 DllCommonsvc.exe 206 PID 2560 wrote to memory of 4088 2560 DllCommonsvc.exe 206 PID 2560 wrote to memory of 3860 2560 DllCommonsvc.exe 207 PID 2560 wrote to memory of 3860 2560 DllCommonsvc.exe 207 PID 2560 wrote to memory of 3180 2560 DllCommonsvc.exe 208 PID 2560 wrote to memory of 3180 2560 DllCommonsvc.exe 208 PID 2560 wrote to memory of 2588 2560 DllCommonsvc.exe 209 PID 2560 wrote to memory of 2588 2560 DllCommonsvc.exe 209 PID 2560 wrote to memory of 4196 2560 DllCommonsvc.exe 210 PID 2560 wrote to memory of 4196 2560 DllCommonsvc.exe 210 PID 2560 wrote to memory of 4472 2560 DllCommonsvc.exe 211 PID 2560 wrote to memory of 4472 2560 DllCommonsvc.exe 211 PID 2560 wrote to memory of 892 2560 DllCommonsvc.exe 212 PID 2560 wrote to memory of 892 2560 DllCommonsvc.exe 212 PID 2560 wrote to memory of 2276 2560 DllCommonsvc.exe 214 PID 2560 wrote to memory of 2276 2560 DllCommonsvc.exe 214 PID 2560 wrote to memory of 2272 2560 DllCommonsvc.exe 215 PID 2560 wrote to memory of 2272 2560 DllCommonsvc.exe 215 PID 2560 wrote to memory of 2420 2560 DllCommonsvc.exe 217 PID 2560 wrote to memory of 2420 2560 DllCommonsvc.exe 217 PID 2560 wrote to memory of 4072 2560 DllCommonsvc.exe 218 PID 2560 wrote to memory of 4072 2560 DllCommonsvc.exe 218 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_fdc297fcbcb8ad6651b08f3c1b920f86cd42f5c02d6b13cc5db0449d87fe4cec.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_fdc297fcbcb8ad6651b08f3c1b920f86cd42f5c02d6b13cc5db0449d87fe4cec.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1720 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:100 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3148 -
C:\providercommon\DllCommonsvc.exe"C:\providercommon\DllCommonsvc.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3468 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5008
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\unsecapp.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4860
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\winlogon.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3840
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\tracing\TextInputHost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2236
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\wininit.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1660
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Documents\conhost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1052
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Downloads\winlogon.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1512
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\explorer.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3480
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\AppReadiness\RuntimeBroker.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1536
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\RemotePackages\StartMenuExperienceHost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1516
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Logs\HomeGroup\services.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:216
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office 15\ClientX64\services.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2720
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\RuntimeBroker.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4280
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\NetHood\lsass.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2140
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TcWzmqm14M.bat"5⤵
- Suspicious use of WriteProcessMemory
PID:3176 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:26⤵PID:3628
-
-
C:\providercommon\DllCommonsvc.exe"C:\providercommon\DllCommonsvc.exe"6⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2560 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4088
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\RuntimeBroker.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3860
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\winlogon.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:3180
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\tracing\fontdrvhost.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2588
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\wininit.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:4196
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Documents\WaaSMedicAgent.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:4472
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Downloads\winlogon.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:892
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Music\System.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2276
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\WaaSMedicAgent.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2272
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\RedistList\fontdrvhost.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2420
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\DiagTrack\Scenarios\csrss.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:4072
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\Idle.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:4104
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\conhost.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:1448
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\appcompat\encapsulation\wininit.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:4452
-
-
C:\Users\Public\Music\System.exe"C:\Users\Public\Music\System.exe"7⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2308 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gJVLZ7RDs3.bat"8⤵PID:3460
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:29⤵PID:4548
-
-
C:\Users\Public\Music\System.exe"C:\Users\Public\Music\System.exe"9⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:676 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\x7ZYnkvAkq.bat"10⤵PID:4160
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:211⤵PID:560
-
-
C:\Users\Public\Music\System.exe"C:\Users\Public\Music\System.exe"11⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:444 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uruRJY5g5x.bat"12⤵PID:1884
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:213⤵PID:2756
-
-
C:\Users\Public\Music\System.exe"C:\Users\Public\Music\System.exe"13⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:892 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2qVagYZlTM.bat"14⤵PID:4028
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:215⤵PID:1440
-
-
C:\Users\Public\Music\System.exe"C:\Users\Public\Music\System.exe"15⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:3340 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\z3bbUpz34c.bat"16⤵PID:1504
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:217⤵PID:2036
-
-
C:\Users\Public\Music\System.exe"C:\Users\Public\Music\System.exe"17⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1492 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ys6bB5gfdY.bat"18⤵PID:4528
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:219⤵PID:4732
-
-
C:\Users\Public\Music\System.exe"C:\Users\Public\Music\System.exe"19⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1412 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GX2kvMhQbI.bat"20⤵PID:2332
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:221⤵PID:1776
-
-
C:\Users\Public\Music\System.exe"C:\Users\Public\Music\System.exe"21⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:3576 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GRgsn2v6O3.bat"22⤵PID:3616
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:223⤵PID:4772
-
-
C:\Users\Public\Music\System.exe"C:\Users\Public\Music\System.exe"23⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2092 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4vfhrz6qhB.bat"24⤵PID:1748
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:225⤵PID:1440
-
-
C:\Users\Public\Music\System.exe"C:\Users\Public\Music\System.exe"25⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2708 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\u02VouYs0z.bat"26⤵PID:2780
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:227⤵PID:4592
-
-
C:\Users\Public\Music\System.exe"C:\Users\Public\Music\System.exe"27⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:3476 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ys6bB5gfdY.bat"28⤵PID:2236
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:229⤵PID:2088
-
-
C:\Users\Public\Music\System.exe"C:\Users\Public\Music\System.exe"29⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4088 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nDwMkfOC2e.bat"30⤵PID:1572
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:231⤵PID:2664
-
-
C:\Users\Public\Music\System.exe"C:\Users\Public\Music\System.exe"31⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:3300 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2qVagYZlTM.bat"32⤵PID:1968
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:233⤵PID:3180
-
-
C:\Users\Public\Music\System.exe"C:\Users\Public\Music\System.exe"33⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2292 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jFXOGCU6Cq.bat"34⤵PID:4476
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 12 /tr "'C:\providercommon\unsecapp.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1896
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\providercommon\unsecapp.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4464
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 9 /tr "'C:\providercommon\unsecapp.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1576
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\providercommon\winlogon.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1508
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\providercommon\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2744
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\providercommon\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3296
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 9 /tr "'C:\Windows\tracing\TextInputHost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2308
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Windows\tracing\TextInputHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4796
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 13 /tr "'C:\Windows\tracing\TextInputHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1436
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2864
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2860
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4504
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Documents\conhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:824
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\All Users\Documents\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:3972
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Documents\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:4168
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Downloads\winlogon.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3448
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Public\Downloads\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2952
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Downloads\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:2004
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\providercommon\explorer.exe'" /f1⤵
- Process spawned unexpected child process
PID:1460
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3220
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3572
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Windows\AppReadiness\RuntimeBroker.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4332
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\AppReadiness\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3488
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Windows\AppReadiness\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4028
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 12 /tr "'C:\Windows\RemotePackages\StartMenuExperienceHost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3556
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Windows\RemotePackages\StartMenuExperienceHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:2588
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 5 /tr "'C:\Windows\RemotePackages\StartMenuExperienceHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:3300
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Windows\Logs\HomeGroup\services.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3992
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\Logs\HomeGroup\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3632
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Windows\Logs\HomeGroup\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2964
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\services.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:676
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2624
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3732
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1980
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4632
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:564
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\NetHood\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4928
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Admin\NetHood\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1144
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\NetHood\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2416
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\providercommon\RuntimeBroker.exe'" /f1⤵
- Process spawned unexpected child process
PID:3540
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\providercommon\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1720
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\providercommon\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1512
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\providercommon\winlogon.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4912
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\providercommon\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4604
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\providercommon\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1696
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Windows\tracing\fontdrvhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4780
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\tracing\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1952
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Windows\tracing\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2780
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2884
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3508
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2948
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Documents\WaaSMedicAgent.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3524
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WaaSMedicAgent" /sc ONLOGON /tr "'C:\Users\All Users\Documents\WaaSMedicAgent.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:3716
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Documents\WaaSMedicAgent.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4252
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Downloads\winlogon.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3740
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Public\Downloads\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4332
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Downloads\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2264
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Music\System.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4788
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Public\Music\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3616
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Music\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1484
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\WaaSMedicAgent.exe'" /f1⤵
- Process spawned unexpected child process
PID:4464
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WaaSMedicAgent" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\WaaSMedicAgent.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:3296
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\WaaSMedicAgent.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2528
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\fontdrvhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:316
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:4944
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:4224
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Windows\DiagTrack\Scenarios\csrss.exe'" /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:1576
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\DiagTrack\Scenarios\csrss.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:1892
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Windows\DiagTrack\Scenarios\csrss.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:2804
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\providercommon\Idle.exe'" /f1⤵PID:4560
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f1⤵PID:2964
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:4236
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Users\Default\conhost.exe'" /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:2152
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Default\conhost.exe'" /rl HIGHEST /f1⤵PID:2140
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Users\Default\conhost.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:2664
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Windows\appcompat\encapsulation\wininit.exe'" /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:424
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\appcompat\encapsulation\wininit.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:1536
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Windows\appcompat\encapsulation\wininit.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:2092
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
995B
MD59a5e69edf97c71e52652285e1c0af690
SHA1d9b3947d6983d992e0ba078f71063e33cef027f0
SHA2568f161e4c212caf8922ff7be1f4ec7ab0796d11c90ee1c237c147c63eb80c2202
SHA512769713471317ca106767d1f87a224377cfbde9ae19ca40c95e7b16d1266b4ec33a6c4c50cbb6a1b4cb112d08b5747b73f183de942393e825c803bebebc2d55b8
-
Filesize
1KB
MD57f3c0ae41f0d9ae10a8985a2c327b8fb
SHA1d58622bf6b5071beacf3b35bb505bde2000983e3
SHA256519fceae4d0dd4d09edd1b81bcdfa8aeab4b59eee77a4cd4b6295ce8e591a900
SHA5128a8fd17eef071f86e672cba0d8fc2cfed6118aff816100b9d7c06eb96443c04c04bc5692259c8d7ecb1563e877921939c61726605af4f969e3f586f0913ed125
-
Filesize
1KB
MD5baf55b95da4a601229647f25dad12878
SHA1abc16954ebfd213733c4493fc1910164d825cac8
SHA256ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924
SHA51224f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
944B
MD5cadef9abd087803c630df65264a6c81c
SHA1babbf3636c347c8727c35f3eef2ee643dbcc4bd2
SHA256cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438
SHA5127278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085
-
Filesize
944B
MD559d97011e091004eaffb9816aa0b9abd
SHA11602a56b01dd4b7c577ca27d3117e4bcc1aa657b
SHA25618f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d
SHA512d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6
-
Filesize
944B
MD52e907f77659a6601fcc408274894da2e
SHA19f5b72abef1cd7145bf37547cdb1b9254b4efe9d
SHA256385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233
SHA51234fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721
-
Filesize
944B
MD5bd5940f08d0be56e65e5f2aaf47c538e
SHA1d7e31b87866e5e383ab5499da64aba50f03e8443
SHA2562d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6
SHA512c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406
-
Filesize
944B
MD5a8e8360d573a4ff072dcc6f09d992c88
SHA13446774433ceaf0b400073914facab11b98b6807
SHA256bf5e284e8f95122bf75ead61c7e2b40f55c96742b05330b5b1cb7915991df13b
SHA5124ee5167643d82082f57c42616007ef9be57f43f9731921bdf7bca611a914724ad94072d3c8f5b130fa54129e5328ccdebf37ba74339c37deb53e79df5cdf0dbe
-
Filesize
944B
MD5624e41a75a6dfd62039973dbbfdbe622
SHA1f791e4cc85d6ae7039acef57a9025b173d7e963b
SHA256ced1b5ac330145fa608627ad4de1dfb3533375f19b6da3d02ad202d0b7732bc1
SHA512a13a128a5ea8aad3bcd5f3dbffa5fbfe7763370d8e43b546a1df1da3b0ec0d520cf5fcc8c25c22fd1e73ea1d00da1bee99305e028e71e193339e4fa8ce8f0b2d
-
Filesize
944B
MD56125559fbc17386521c1080f1784ba39
SHA1d98edc173d6d1780547728e61531e9c4a7db960e
SHA256e4239058bf974ac9b68e83a3e4bbd21f6064ab682755d6f024fb60eb1cfe9497
SHA512bbc8c733d1482d3679de019d0f7c872525d204c9a9300f3787f975e4784a9d657d51def5416386c99a1c5244e929f28d8c861491f476cfaec3ecffba29763e15
-
Filesize
944B
MD5b7189719e6df2c3dfc76197ec3f31f7a
SHA1effd91412deadc87cc10ef76cdecc1e0b54b6d41
SHA2561c72fa37d078b92c7e900b2e3d17c43c34d936a696a8ddf6c519f4a80308b892
SHA5122df1f1d45844da7ffb17cdfb411f223e9c614c00f5cf7eb5ba92bf7ba174875af2a515371208286c95c0479c934ae2c6a83dfc0b54380be89db1eddd19faf978
-
Filesize
944B
MD5150616521d490e160cd33b97d678d206
SHA171594f5b97a4a61fe5f120eb10bcd6b73d7e6e78
SHA25694595c05912cbb8380f7ed34499eb01fb91707a1ed1c02c02002a4361e889827
SHA5127043dc4b336b1688205fbe762e731478ecaa0036c9f5e0434c79b8a6f8fa58b0705c8674fd6a047e6009edc52c37ce4e2ce81694e13b79a3e8183a32307f3815
-
Filesize
944B
MD5b801d886e417a9bf405b2f0092e04fe1
SHA1fa99fefa2f49af240141692f78c8c28f04205389
SHA25657b1c29eef54567fcfdaa28d2923485cb6f77bb76dc54235965fb34f02a42636
SHA512b2c8bf95b4c25d7fff388b5f3e04212c43af9588f7aed8a7cb251330ee18c89789eb1d294b8449ec2afeb9b5373d7a6dce8f4369b84cbfb6a7c7813341fa07ff
-
Filesize
944B
MD53e242d3c4b39d344f66c494424020c61
SHA1194e596f33d54482e7880e91dc05e0d247a46399
SHA256f688037cb0c9f9c97b3b906a6c0636c91ad1864564feb17bba4973cde361172e
SHA51227c1cd6d72554fdce3b960458a1a6bd3f740aa7c22a313a80b043db283a224bf390648b9e59e6bdbf48020d082d728fbde569bee4ee2a610f21d659a7b3dfa02
-
Filesize
944B
MD5be95052f298019b83e11336567f385fc
SHA1556e6abda268afaeeec5e1ee65adc01660b70534
SHA256ebc004fe961bed86adc4025cdbe3349699a5a1fc328cc3a37f3ff055e7e82027
SHA512233df172f37f85d34448901057ff19f20792d6e139579a1235165d5f6056a2075c19c85bc9115a6bb74c9c949aebd7bb5391e2ae9f7b1af69e5c4aca3a48cff5
-
Filesize
944B
MD58846686b7f2d146c0baa27459eedbd8d
SHA1c953a3d1c7870a9d7ded709301f3ae7f1ea94e61
SHA25633e3dc5ccf5c09b1c26c524b284335712ef653a2b2169732d8d890f615026c65
SHA5123e72136bff1772ae7934c67ead939b4783ffb9a3657a366881504c7a11e76abe6469b6a4701b031fd564e6d257f7c62f52fb69f93a67459fadf909fefbbe6154
-
Filesize
944B
MD5c65338524586fc00cf00e679a7d4a1f4
SHA162abf26bfb979dcbf7c7649cf8a681c2a8c7c9ae
SHA256faa246e6b356f55ad8b18cea908dbf9035f67feaa06f8259d934306e13e88bf6
SHA512c6721362afa4998c60ff60225a7b7571aaf1dbc8cb624ad7557b365a37df26e629763fa052dc31904b3175587e940d7e0630362620870c2c7351960a14c29310
-
Filesize
197B
MD5f48ac4870e7f20032524918b241567c4
SHA14e28277cf107ae681a1112b171c6b176db7abd2d
SHA2560c870557c4bc099e2a6f4a97c040147aafbd1e428615eb4f698e8df0f21d65fd
SHA51251ab1e051437282efd254470e0cbb176e1c0a16aeb6d9acda986f6c8aa39f3771b2949a72ca7391907d491e9efc225563fba6edbe0fe6f9c0e10352d66be0047
-
Filesize
197B
MD5ba3fb6e8139545a3bc77f8667fcf2022
SHA17c8e21ece612e19fe219c10c8b3d40b54c4ad518
SHA256cfc934c08c1a484e7a9f2023bcad002221f5fc7a05698d04c46aeb5d2fb78bca
SHA51236bd6530a425058c86f7cba23da63f2327eeb890ce258ce981d0d0887d3122d877efcf536004226f70775d5e442d7a758d67925ac22bb4ee322c27c7c68b8da8
-
Filesize
197B
MD54dc317d2a9aaf509259d9cbf42027091
SHA12b771c217450551cadc3f22452ae1962641d602e
SHA2568464cd68b4423214ebdc886f85c38da64c764f2ecd10cfc3e8cbf89394159cef
SHA512938417b60de09cc2aa38fed1bf3dced08d516785710ead56c47ce7ccb1db4dce655d68be3dc5eb1aa1e9bb4e73fa439838426837807c6907e15472aee3385016
-
Filesize
197B
MD57c57514d1f534639b7505ad49e4a727c
SHA1043dbfbcb74ea866f3a1d1825c10f309c5c7a683
SHA256ee94e28202cfa88ba4bcec01f20c9f9a83af3e1bf9795026581ae346ee7975eb
SHA512475ac091ac49334915d2f776f377e2842ecc1059787f7bf409d4330991d9c54a332cb915b30b28d80b055fda7d19ef9e1d86d2bb37de24d9d7d2283a3324b54e
-
Filesize
199B
MD5fb35e8d199d16b168847818ce88f3726
SHA177be941729a83f1f05a36cfe3120a6222113d760
SHA25616db9df966383953b4cb2fcb3ba2806bd6d59944da9f0b1dca298515ff6ca699
SHA512336c7db512ae0b49c43c379b5b0a0958cf87160e9fe962b06c2e3d9ff4b3a6dc15d028dd3d855af6e3422c84c44df05c44a6f30c0d06e57190542bf51aced698
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
197B
MD5f54e0abb43a9a09539a50181c9c960b8
SHA1bb675e37bd1f816effaf23d2742b661b032dcea7
SHA256f19ea34f67ea111c4954754f834c7faf7ca575237f56bc77d22976248eaeb871
SHA5124c6734341b6cfc9884d1ec780b68929913f1e22b3122d2cba9187ca8b8d0012a3c857285d1e283b0d458e6258087ab76e30101a0ffc6cbe8e5f3c5aa898a5889
-
Filesize
197B
MD54f57730c6da116d2660027eab4730143
SHA14441774f0eb1cfb4d8e5ce1ddcdfb4b9c2edd6b1
SHA2562fe985c8fc1d0db2bb0091ac3f724b1880e3c9ad034a640c626af0f7c0b79b67
SHA5127892a934fef7c79d142f576d0672189ada98fcefdc493357aa179b2374b7dda064c8d6834f10d20c31ea1859b95ec8d3ea4066563c9879d75020e1fc34842d77
-
Filesize
197B
MD5792b8c76f4ac18e8bb0ee6e4c210bfd4
SHA1411a3b46a5308aa2693049b64e598be3bd8e01e7
SHA256255d36d7ea401989d5910b96cc6aefe716b8f60ae2561a1f8f963f91be319e93
SHA5122141f4be5271450f14fb90bfcb277d21c40e8f40f4531b7f030b051a25a99afa23cd33da12a080cfcd66eedef2b6841c80182edf294939f59bf7102e31dc03dc
-
Filesize
197B
MD5335abc1dcc155945c5eba0b6e5dcff9b
SHA190894651f70e446a2e9045bb39868cb1e0b99271
SHA2564c275a3bac2239226589f4540adcf95e68e192e9ef5295be5464c1b4ea8af9a9
SHA51246a4e9ef69f93b717b3fad0ff2821286f424a2edb0fa6f278d0df3942ecdf7180f37998147fbec4b39de83be2bce5374349538f3eddd0f82c04e5db33196571e
-
Filesize
197B
MD537995098b1d2c605df62754c1cb91d15
SHA1aeeeb868e8cddb970b086e0554dd8d5124de971d
SHA256f91d2ebc9e05e14ac246e2a0e5ac8887f183a14bb9be0c00568e025b11358bfe
SHA512c9d7f1908a72490797a844f7aa039d70192c9047f4c08932f37cb3e98bd7d149487925839ffe029677e9aee7df2e0bbce6ff83148e0d600ca4e8417468a4f70e
-
Filesize
197B
MD55d53e9b3f3bf096d92bd228cbe8a9934
SHA1d85b83828554b712735c25f50f86d3e49e491076
SHA25632f450c9e495efe6af2719e5a33a8ccdca217470860b76c5d1494e0d9905e346
SHA5128f8562d4f7f4a4c788d54fbf014b2c2741594fe201e82e7251dad69d049b61310427d3d227ced4b6e2eeb6028ba9b40b794b3882ebbedabf2f406a7cbcc1a769
-
Filesize
150B
MD58674b591e8651813dc9291a1f8661786
SHA17623ddcd5098278144847fbaad80ad8d6b1ddec6
SHA2567e4c9a18c6d776cec4c115d81098b051d9ef9639f53bf0d895d49fa837131190
SHA5127947101ddd80e2bfbb37f80e5be5f87602fe88fd5137415d5dcb690140b5e8d1a4e7f7818f436abba4780ccd9c433362335c3a48c7ad0294393dddc96c58aaf7
-
Filesize
36B
MD56783c3ee07c7d151ceac57f1f9c8bed7
SHA117468f98f95bf504cc1f83c49e49a78526b3ea03
SHA2568ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8
-
Filesize
1.0MB
MD5bd31e94b4143c4ce49c17d3af46bcad0
SHA1f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
Filesize
879B
MD5d75317841fc49775b37e10ba034bf5b2
SHA1fd6b826913eb19a1db10baf1f7da3384dde5a6e1
SHA25630ca80e8759215a34ff59913926cc8f2a31b3ef602876ab12c52d24806b6d7f0
SHA512e8004186e2b193fe4ea19d717eacb09e9686626c789b14743415e76b9d61c8a3f1788bf69a6e4eb2d10608670c528542fecb818ca9d52e151ee2f3f33044d010
-
Filesize
197B
MD58088241160261560a02c84025d107592
SHA1083121f7027557570994c9fc211df61730455bb5
SHA2562072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA51220d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478