Analysis
max time kernel: 147s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22-12-2024 01:56

Behavioral task: behavioral1
Sample: JaffaCakes118_87776ea65313e3647616cd5007bbacf9a7dc34b47749a82cf60fa10208e94b42.exe
Resource: win7-20241023-en

Behavioral task: behavioral2
Sample: JaffaCakes118_87776ea65313e3647616cd5007bbacf9a7dc34b47749a82cf60fa10208e94b42.exe
Resource: win10v2004-20241007-en

General
Target: JaffaCakes118_87776ea65313e3647616cd5007bbacf9a7dc34b47749a82cf60fa10208e94b42.exe
Size: 1.3MB
MD5: b824107c0e731c4f3fa49a681aaf188a
SHA1: f927fefec8cd29112f68102f54eab742b0c83ff7
SHA256: 87776ea65313e3647616cd5007bbacf9a7dc34b47749a82cf60fa10208e94b42
SHA512: 31610a2ece6c1e17de44dadddfc1c95310d836af129752e2c6585e75a54c1204203f12f10c27011029bb29548a353831e0bebcb3f75c0392ecdd9722a85e5ddf
SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
DcRat
DarkCrystal (DCRat) is a .NET RAT, active since June 2019, that can load additional plugins.
Dcrat family
Process spawned unexpected child process 51 IoCs
This typically indicates the parent process was compromised via an exploit or macro. In this run every flagged child is schtasks.exe under the WMI provider host. A process created through WMI (Win32_Process.Create) gets WmiPrvSE.exe as its parent, so for a dropper like this one the pattern is at least as consistent with scheduled-task creation driven through WMI as with exploitation of WmiPrvSE.exe itself. The 51 PIDs are the same 51 schtasks.exe instances listed under the "Scheduled Task" signature below.
description: Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
pid_target: 1492   procid_target: 88   Process: schtasks.exe
pid (51 schtasks.exe instances, in report order): 3532, 3660, 636, 3364, 184, 4008, 2992, 3416, 4448, 4156, 5000, 2028, 2164, 640, 2584, 4624, 620, 2780, 2760, 3016, 1852, 2560, 3648, 3164, 3036, 3844, 3976, 4456, 1176, 5060, 1856, 3936, 3108, 3388, 3940, 1572, 1472, 5020, 2116, 3560, 1768, 4804, 792, 4684, 2456, 1756, 2040, 692, 4876, 1632, 1132
resource                                                                          yara_rule
behavioral2/files/0x000a000000023b78-10.dat                                        dcrat
behavioral2/memory/2640-13-0x0000000000D20000-0x0000000000E30000-memory.dmp        dcrat
Command and Scripting Interpreter: PowerShell 1 TTPs 18 IoCs
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
pid Process (18 powershell.exe instances, in report order): 2076, 4960, 4856, 4112, 4852, 1720, 1276, 3604, 3380, 3700, 4164, 1892, 4480, 3708, 1480, 1832, 1140, 1540
Checks computer location settings 2 TTPs 16 IoCs
Looks up the country code configured in the registry, likely a geofence check.
description: Key value queried
ioc: \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation
Process (queries per process, 16 in total): JaffaCakes118_87776ea65313e3647616cd5007bbacf9a7dc34b47749a82cf60fa10208e94b42.exe (1), WScript.exe (1), DllCommonsvc.exe (1), SppExtComObj.exe (13)
Executes dropped EXE 14 IoCs
pid    Process
2640   DllCommonsvc.exe
4156   SppExtComObj.exe
5272   SppExtComObj.exe
5592   SppExtComObj.exe
3532   SppExtComObj.exe
5596   SppExtComObj.exe
1360   SppExtComObj.exe
4852   SppExtComObj.exe
5916   SppExtComObj.exe
5844   SppExtComObj.exe
876    SppExtComObj.exe
1716   SppExtComObj.exe
4288   SppExtComObj.exe
4836   SppExtComObj.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 14 IoCs
ioc: raw.githubusercontent.com
flow (14 flows, in report order): 37, 50, 17, 24, 43, 45, 53, 38, 41, 51, 16, 42, 49, 52
Drops file in Program Files directory 8 IoCs
description    ioc                                                                    Process
File created   C:\Program Files (x86)\Windows NT\Accessories\en-US\e1ef82546f0b02     DllCommonsvc.exe
File created   C:\Program Files\MSBuild\Microsoft\conhost.exe                          DllCommonsvc.exe
File created   C:\Program Files\MSBuild\Microsoft\088424020bedd6                       DllCommonsvc.exe
File created   C:\Program Files (x86)\Adobe\Acrobat Reader DC\dllhost.exe              DllCommonsvc.exe
File created   C:\Program Files (x86)\Adobe\Acrobat Reader DC\5940a34987c991           DllCommonsvc.exe
File created   C:\Program Files (x86)\Windows Photo Viewer\smss.exe                    DllCommonsvc.exe
File created   C:\Program Files (x86)\Windows Photo Viewer\69ddcba757bf72              DllCommonsvc.exe
File created   C:\Program Files (x86)\Windows NT\Accessories\en-US\SppExtComObj.exe    DllCommonsvc.exe
Drops file in Windows directory 5 IoCs
description                    ioc                                                  Process
File created                   C:\Windows\IdentityCRL\production\SppExtComObj.exe   DllCommonsvc.exe
File opened for modification   C:\Windows\IdentityCRL\production\SppExtComObj.exe   DllCommonsvc.exe
File created                   C:\Windows\IdentityCRL\production\e1ef82546f0b02     DllCommonsvc.exe
File created                   C:\Windows\IdentityCRL\INT\conhost.exe               DllCommonsvc.exe
File created                   C:\Windows\IdentityCRL\INT\088424020bedd6            DllCommonsvc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description: Key opened
ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process: JaffaCakes118_87776ea65313e3647616cd5007bbacf9a7dc34b47749a82cf60fa10208e94b42.exe, WScript.exe, cmd.exe
Modifies registry class 14 IoCs
description: Key created
ioc: \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings
Process (entries per process, 14 in total): JaffaCakes118_87776ea65313e3647616cd5007bbacf9a7dc34b47749a82cf60fa10208e94b42.exe (1), SppExtComObj.exe (13)
Scheduled Task/Job: Scheduled Task 1 TTPs 51 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process (51 schtasks.exe instances, in report order): 636, 2560, 3108, 692, 5060, 1856, 3936, 3940, 2992, 620, 2780, 3036, 2116, 3560, 1132, 1176, 1572, 5020, 4804, 3660, 3416, 5000, 1852, 792, 4876, 4156, 3648, 3844, 4684, 2456, 2040, 2164, 2584, 3164, 3388, 1756, 1632, 184, 2028, 4456, 1472, 4008, 4624, 2760, 3016, 3976, 1768, 3532, 3364, 4448, 640
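The signatures above describe three process-creation patterns a detection engineer can turn into rules directly: schtasks.exe parented by wmiprvse.exe, PowerShell invoking Add-MpPreference with an -Exclusion* parameter, and copies of Windows binaries (SppExtComObj.exe, conhost.exe, smss.exe, dllhost.exe and the rest) running from Program Files, IdentityCRL or user-profile directories where they do not belong. The Python below is an added example, not part of the sandbox report or of any vendor product. Its sample events are constructed from this report's process tree; the schtasks.exe command line and the PID 9999 control event are invented because the report does not record them, and the table of where each system binary legitimately lives is the analyst's own allowlist.

```python
"""Added example: process-creation detection rules for the behaviours in this
report (wmiprvse.exe -> schtasks.exe, PowerShell Add-MpPreference exclusions,
system-binary names running from the wrong directory). Not sandbox code; the
events below are constructed from the report's process tree."""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass(frozen=True)
class ProcCreate:
    """One process-creation event (Sysmon Event ID 1 style)."""
    pid: int
    image: str          # full path of the new process
    parent_image: str   # full path of its parent
    command_line: str


# Rule 1: children of the WMI provider host that warrant a look. Processes
# created through WMI (Win32_Process.Create) get WmiPrvSE.exe as parent, so
# this fires on WMI-driven launches as well as on a compromised host process.
WMI_SPAWN_WATCHLIST = {
    "schtasks.exe", "cmd.exe", "powershell.exe", "pwsh.exe",
    "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe",
}

# Rule 2: Add-MpPreference with any -Exclusion* parameter; group 2 captures
# the excluded value (surrounding quotes optional).
EXCLUSION_RE = re.compile(
    r"add-mppreference.*?-exclusion(path|extension|process)\s+['\"]?([^'\"]+)",
    re.IGNORECASE,
)

# Rule 3: where these Windows binaries legitimately live (analyst-maintained
# allowlist, an assumption of this example). Any copy elsewhere is suspect.
SYSTEM_BINARY_HOMES = {
    "sppextcomobj.exe":  {r"c:\windows\system32", r"c:\windows\syswow64"},
    "conhost.exe":       {r"c:\windows\system32"},
    "smss.exe":          {r"c:\windows\system32"},
    "dllhost.exe":       {r"c:\windows\system32", r"c:\windows\syswow64"},
    "fontdrvhost.exe":   {r"c:\windows\system32"},
    "runtimebroker.exe": {r"c:\windows\system32"},
    "services.exe":      {r"c:\windows\system32"},
    "dwm.exe":           {r"c:\windows\system32"},
    "cmd.exe":           {r"c:\windows\system32", r"c:\windows\syswow64"},
}


def evaluate(events):
    """Run all three rules; return (pid, rule, detail) for every hit."""
    hits = []
    for ev in events:
        child, parent = PureWindowsPath(ev.image), PureWindowsPath(ev.parent_image)
        child_name = child.name.lower()
        child_dir = str(child.parent).lower()

        if parent.name.lower() == "wmiprvse.exe" and child_name in WMI_SPAWN_WATCHLIST:
            hits.append((ev.pid, "wmiprvse_spawns_lolbin", f"{parent.name} -> {child.name}"))

        if child_name in {"powershell.exe", "pwsh.exe"}:
            m = EXCLUSION_RE.search(ev.command_line)
            if m:
                detail = f"Exclusion{m.group(1).title()}: {m.group(2).strip()}"
                hits.append((ev.pid, "defender_exclusion_added", detail))

        homes = SYSTEM_BINARY_HOMES.get(child_name)
        if homes is not None and child_dir not in homes:
            hits.append((ev.pid, "system_binary_masquerade", ev.image))
    return hits


# Constructed from the report's process tree and signature tables. The
# schtasks.exe command line and the PID 9999 control event are invented.
SAMPLE_EVENTS = [
    ProcCreate(3532, r"C:\Windows\System32\schtasks.exe",
               r"C:\Windows\system32\wbem\wmiprvse.exe", "schtasks.exe"),
    ProcCreate(1832, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
               r"C:\providercommon\DllCommonsvc.exe",
               "\"powershell\" -Command Add-MpPreference -ExclusionPath 'C:\\providercommon\\DllCommonsvc.exe'"),
    ProcCreate(4156, r"C:\Windows\IdentityCRL\production\SppExtComObj.exe",
               r"C:\providercommon\DllCommonsvc.exe",
               r'"C:\Windows\IdentityCRL\production\SppExtComObj.exe"'),
    ProcCreate(1036, r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\SysWOW64\WScript.exe",
               r'C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "'),
    ProcCreate(5156, r"C:\Windows\system32\w32tm.exe", r"C:\Windows\System32\cmd.exe",
               "w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2"),
    # Constructed benign control: the genuine SppExtComObj.exe under System32.
    ProcCreate(9999, r"C:\Windows\System32\SppExtComObj.exe",
               r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\SppExtComObj.exe"),
]

if __name__ == "__main__":
    for pid, rule, detail in evaluate(SAMPLE_EVENTS):
        print(f"PID {pid:<5} {rule:<28} {detail}")
```

Running the block prints exactly three hits (the wmiprvse-parented schtasks.exe, the exclusion for C:\providercommon\DllCommonsvc.exe, and the SppExtComObj.exe copy under IdentityCRL) and nothing for the SysWOW64 cmd.exe, the w32tm.exe call or the genuine System32 SppExtComObj.exe. Rule 3 compares the parent directory, not just the basename, which is what separates the dropped copies in this report from the real binaries.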
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process (64 entries):
2640 DllCommonsvc.exe (27)
powershell.exe: 4164 (2), 4852 (2), 1720 (3), 4112 (2), 2076 (2), 1892 (2), 1540 (2), 4856 (2), 1140 (2), 1276 (2), 4960 (2), 1832 (2), 4480 (2), 3700 (2), 3604 (2), 1480 (2), 3380 (2), 3708 (2)
Suspicious use of AdjustPrivilegeToken 32 IoCs
description: Token: SeDebugPrivilege
pid Process (32 entries):
2640 DllCommonsvc.exe
powershell.exe: 4164, 1832, 1892, 4852, 4112, 1720, 2076, 1540, 4856, 1140, 1276, 4960, 3700, 4480, 3604, 3380, 1480, 3708
SppExtComObj.exe: 4156, 5272, 5592, 3532, 5596, 1360, 4852, 5916, 5844, 876, 1716, 4288, 4836
Suspicious use of WriteProcessMemory 64 IoCs
pid    Process                                                                                   wrote to memory of   procid_target   entries
404    JaffaCakes118_87776ea65313e3647616cd5007bbacf9a7dc34b47749a82cf60fa10208e94b42.exe       4588                 82              3
4588   WScript.exe                                                                               1036                 85              3
1036   cmd.exe                                                                                   2640                 87              2
2640   DllCommonsvc.exe                                                                          1832                 141             2
2640   DllCommonsvc.exe                                                                          1276                 142             2
2640   DllCommonsvc.exe                                                                          1540                 143             2
2640   DllCommonsvc.exe                                                                          1720                 144             2
2640   DllCommonsvc.exe                                                                          1892                 145             2
2640   DllCommonsvc.exe                                                                          4852                 146             2
2640   DllCommonsvc.exe                                                                          4112                 147             2
2640   DllCommonsvc.exe                                                                          4164                 149             2
2640   DllCommonsvc.exe                                                                          4856                 150             2
2640   DllCommonsvc.exe                                                                          3380                 151             2
2640   DllCommonsvc.exe                                                                          4480                 153             2
2640   DllCommonsvc.exe                                                                          4960                 154             2
2640   DllCommonsvc.exe                                                                          2076                 155             2
2640   DllCommonsvc.exe                                                                          3700                 156             2
2640   DllCommonsvc.exe                                                                          3604                 158             2
2640   DllCommonsvc.exe                                                                          1480                 159             2
2640   DllCommonsvc.exe                                                                          3708                 160             2
2640   DllCommonsvc.exe                                                                          1140                 161             2
2640   DllCommonsvc.exe                                                                          4156                 177             2
4156   SppExtComObj.exe                                                                          1664                 181             2
1664   cmd.exe                                                                                   5156                 183             2
1664   cmd.exe                                                                                   5272                 184             2
5272   SppExtComObj.exe                                                                          5440                 185             2
5440   cmd.exe                                                                                   4696                 187             2
5440   cmd.exe                                                                                   5592                 189             2
5592   SppExtComObj.exe                                                                          3976                 191             2
3976   cmd.exe                                                                                   904                  193             2
3976   cmd.exe                                                                                   3532                 194             2
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_87776ea65313e3647616cd5007bbacf9a7dc34b47749a82cf60fa10208e94b42.exe  (depth 1, PID 404)
    command: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_87776ea65313e3647616cd5007bbacf9a7dc34b47749a82cf60fa10208e94b42.exe"
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\WScript.exe  (depth 2, PID 4588)
      command: "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe  (depth 3, PID 1036)
        command: C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
      C:\providercommon\DllCommonsvc.exe  (depth 4, PID 2640)
          command: "C:\providercommon\DllCommonsvc.exe"
          - Checks computer location settings
          - Executes dropped EXE
          - Drops file in Program Files directory
          - Drops file in Windows directory
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (depth 5, PID 1832)
            command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (depth 5, PID 1276)
            command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\IdentityCRL\production\SppExtComObj.exe'
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (depth 5, PID 1540)
            command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Photo Viewer\smss.exe'
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (depth 5, PID 1720)
            command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\fontdrvhost.exe'
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (depth 5, PID 1892)
            command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\fontdrvhost.exe'
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (depth 5, PID 4852)
            command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\Idle.exe'
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (depth 5, PID 4112)
            command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\Accessories\en-US\SppExtComObj.exe'
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (depth 5, PID 4164)
            command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dllhost.exe'
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (depth 5, PID 4856)
            command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\RuntimeBroker.exe'
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (depth 5, PID 3380)
            command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dwm.exe'
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (depth 5, PID 4480)
            command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\unsecapp.exe'
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (depth 5, PID 4960)
            command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\Microsoft\conhost.exe'
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (depth 5, PID 2076)
            command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\services.exe'
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (depth 5, PID 3700)
            command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\dllhost.exe'
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (depth 5, PID 3604)
            command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\regid.1991-06.com.microsoft\smss.exe'
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (depth 5, PID 1480)
            command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\IdentityCRL\INT\conhost.exe'
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (depth 5, PID 3708)
            command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\3D Objects\RuntimeBroker.exe'
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (depth 5, PID 1140)
            command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\cmd.exe'
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
        C:\Windows\IdentityCRL\production\SppExtComObj.exe  (depth 5, PID 4156)
            command: "C:\Windows\IdentityCRL\production\SppExtComObj.exe"
            - Checks computer location settings
            - Executes dropped EXE
            - Modifies registry class
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
          C:\Windows\System32\cmd.exe  (depth 6, PID 1664)
              command: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0WHmS6dpJ0.bat"
              - Suspicious use of WriteProcessMemory
            C:\Windows\system32\w32tm.exe  (depth 7, PID 5156)
                command: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
            C:\Windows\IdentityCRL\production\SppExtComObj.exe  (depth 7, PID 5272)
                command: "C:\Windows\IdentityCRL\production\SppExtComObj.exe"
                - Checks computer location settings
                - Executes dropped EXE
                - Modifies registry class
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of WriteProcessMemory
              C:\Windows\System32\cmd.exe  (depth 8, PID 5440)
                  command: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ktiZWDSHsI.bat"
                  - Suspicious use of WriteProcessMemory
                C:\Windows\system32\w32tm.exe  (depth 9, PID 4696)
                    command: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                C:\Windows\IdentityCRL\production\SppExtComObj.exe  (depth 9, PID 5592)
                    command: "C:\Windows\IdentityCRL\production\SppExtComObj.exe"
                    - Checks computer location settings
                    - Executes dropped EXE
                    - Modifies registry class
                    - Suspicious use of AdjustPrivilegeToken
                    - Suspicious use of WriteProcessMemory
                  C:\Windows\System32\cmd.exe  (depth 10, PID 3976)
                      command: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KLWAYFjljO.bat"
                      - Suspicious use of WriteProcessMemory
                    C:\Windows\system32\w32tm.exe  (depth 11, PID 904)
                        command: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                    C:\Windows\IdentityCRL\production\SppExtComObj.exe  (depth 11, PID 3532)
                        command: "C:\Windows\IdentityCRL\production\SppExtComObj.exe"
                        - Checks computer location settings
                        - Executes dropped EXE
                        - Modifies registry class
                        - Suspicious use of AdjustPrivilegeToken
                      C:\Windows\System32\cmd.exe  (depth 12, PID 5756)
                          command: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IPU7rAfrPc.bat"
                        C:\Windows\system32\w32tm.exe  (depth 13, PID 3520)
                            command: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                        C:\Windows\IdentityCRL\production\SppExtComObj.exe  (depth 13, PID 5596)
                            command: "C:\Windows\IdentityCRL\production\SppExtComObj.exe"
                            - Checks computer location settings
                            - Executes dropped EXE
                            - Modifies registry class
                            - Suspicious use of AdjustPrivilegeToken
                          C:\Windows\System32\cmd.exe  (depth 14, PID 5548)
                              command: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3dopRv074r.bat"
                            C:\Windows\system32\w32tm.exe  (depth 15, PID 5608)
                                command: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                            C:\Windows\IdentityCRL\production\SppExtComObj.exe  (depth 15, PID 1360)
                                command: "C:\Windows\IdentityCRL\production\SppExtComObj.exe"
                                - Checks computer location settings
                                - Executes dropped EXE
                                - Modifies registry class
                                - Suspicious use of AdjustPrivilegeToken
                              C:\Windows\System32\cmd.exe  (depth 16, PID 4508)
                                  command: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\srJhtCwLGi.bat"
                                C:\Windows\system32\w32tm.exe  (depth 17, PID 5076)
                                    command: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                C:\Windows\IdentityCRL\production\SppExtComObj.exe  (depth 17, PID 4852)
                                    command: "C:\Windows\IdentityCRL\production\SppExtComObj.exe"
                                    - Checks computer location settings
                                    - Executes dropped EXE
                                    - Modifies registry class
                                    - Suspicious use of AdjustPrivilegeToken
                                  C:\Windows\System32\cmd.exe  (depth 18, PID 4360)
                                      command: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FIx4sKIZfl.bat"
                                    C:\Windows\system32\w32tm.exe  (depth 19, PID 4416)
                                        command: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                    C:\Windows\IdentityCRL\production\SppExtComObj.exe  (depth 19, PID 5916)
                                        command: "C:\Windows\IdentityCRL\production\SppExtComObj.exe"
                                        - Checks computer location settings
                                        - Executes dropped EXE
                                        - Modifies registry class
                                        - Suspicious use of AdjustPrivilegeToken
                                      C:\Windows\System32\cmd.exe  (depth 20, PID 5752)
                                          command: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VF9LbKHiRa.bat"
                                        C:\Windows\system32\w32tm.exe  (depth 21, PID 3036)
                                            command: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                        C:\Windows\IdentityCRL\production\SppExtComObj.exe  (depth 21, PID 5844)
                                            command: "C:\Windows\IdentityCRL\production\SppExtComObj.exe"
                                            - Checks computer location settings
                                            - Executes dropped EXE
                                            - Modifies registry class
                                            - Suspicious use of AdjustPrivilegeToken
                                          C:\Windows\System32\cmd.exe  (depth 22, PID 5684)
                                              command: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DXR1U0Y5m3.bat"
                                            C:\Windows\system32\w32tm.exe  (depth 23, PID 4892)
                                                command: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                            C:\Windows\IdentityCRL\production\SppExtComObj.exe  (depth 23, PID 876)
                                                command: "C:\Windows\IdentityCRL\production\SppExtComObj.exe"
                                                - Checks computer location settings
                                                - Executes dropped EXE
                                                - Modifies registry class
                                                - Suspicious use of AdjustPrivilegeToken
                                              C:\Windows\System32\cmd.exe  (depth 24, PID 5292)
                                                  command: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FIx4sKIZfl.bat"
                                                C:\Windows\system32\w32tm.exe  (depth 25, PID 5020)
                                                    command: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
-
-
C:\Windows\IdentityCRL\production\SppExtComObj.exe"C:\Windows\IdentityCRL\production\SppExtComObj.exe"25⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1716 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CV35gbisF1.bat"26⤵PID:1788
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:227⤵PID:3304
-
-
C:\Windows\IdentityCRL\production\SppExtComObj.exe"C:\Windows\IdentityCRL\production\SppExtComObj.exe"27⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4288 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qwHeC7tSxv.bat"28⤵PID:5400
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:229⤵PID:5220
-
-
C:\Windows\IdentityCRL\production\SppExtComObj.exe"C:\Windows\IdentityCRL\production\SppExtComObj.exe"29⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4836 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HEz7ZQMTyX.bat"30⤵PID:5576
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:231⤵PID:1712
-
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 6 /tr "'C:\Windows\IdentityCRL\production\SppExtComObj.exe'" /f  1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3532
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Windows\IdentityCRL\production\SppExtComObj.exe'" /rl HIGHEST /f  1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3660
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 13 /tr "'C:\Windows\IdentityCRL\production\SppExtComObj.exe'" /rl HIGHEST /f  1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:636
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Photo Viewer\smss.exe'" /f  1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3364
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\smss.exe'" /rl HIGHEST /f  1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:184
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Photo Viewer\smss.exe'" /rl HIGHEST /f  1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4008
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\fontdrvhost.exe'" /f  1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2992
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Default User\fontdrvhost.exe'" /rl HIGHEST /f  1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3416
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\fontdrvhost.exe'" /rl HIGHEST /f  1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4448
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f  1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4156
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f  1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5000
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f  1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2028
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\providercommon\Idle.exe'" /f  1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2164
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f  1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:640
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f  1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2584
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\SppExtComObj.exe'" /f  1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4624
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\SppExtComObj.exe'" /rl HIGHEST /f  1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:620
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\SppExtComObj.exe'" /rl HIGHEST /f  1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2780
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\providercommon\dllhost.exe'" /f  1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2760
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f  1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3016
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f  1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1852
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /f  1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2560
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f  1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3648
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f  1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3164
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\providercommon\dwm.exe'" /f  1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3036
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f  1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3844
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f  1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3976
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /f  1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4456
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f  1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1176
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f  1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5060
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Program Files\MSBuild\Microsoft\conhost.exe'" /f  1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1856
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\conhost.exe'" /rl HIGHEST /f  1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3936
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Program Files\MSBuild\Microsoft\conhost.exe'" /rl HIGHEST /f  1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3108
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\services.exe'" /f  1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3388
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\All Users\services.exe'" /rl HIGHEST /f  1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3940
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\services.exe'" /rl HIGHEST /f  1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1572
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\dllhost.exe'" /f  1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1472
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\dllhost.exe'" /rl HIGHEST /f  1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5020
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\dllhost.exe'" /rl HIGHEST /f  1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2116
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\regid.1991-06.com.microsoft\smss.exe'" /f  1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3560
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\All Users\regid.1991-06.com.microsoft\smss.exe'" /rl HIGHEST /f  1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1768
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\regid.1991-06.com.microsoft\smss.exe'" /rl HIGHEST /f  1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4804
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Windows\IdentityCRL\INT\conhost.exe'" /f  1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:792
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\IdentityCRL\INT\conhost.exe'" /rl HIGHEST /f  1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4684
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Windows\IdentityCRL\INT\conhost.exe'" /rl HIGHEST /f  1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2456
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\3D Objects\RuntimeBroker.exe'" /f  1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1756
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Admin\3D Objects\RuntimeBroker.exe'" /rl HIGHEST /f  1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2040
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\3D Objects\RuntimeBroker.exe'" /rl HIGHEST /f  1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:692
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\providercommon\cmd.exe'" /f  1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4876
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\providercommon\cmd.exe'" /rl HIGHEST /f  1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1632
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\providercommon\cmd.exe'" /rl HIGHEST /f  1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1132
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
1KB
MD5 baf55b95da4a601229647f25dad12878
SHA1 abc16954ebfd213733c4493fc1910164d825cac8
SHA256 ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924
SHA512 24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545
-
Filesize
2KB
MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
944B
MD5 6d3e9c29fe44e90aae6ed30ccf799ca8
SHA1 c7974ef72264bbdf13a2793ccf1aed11bc565dce
SHA256 2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d
SHA512 60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a
-
Filesize
944B
MD5 e96fa7d418f4266cc0b695fcce71cd24
SHA1 448e4adad9d49e0bca8d9d9d87f8ff7c5fe8977e
SHA256 f28279bd47499c65fb53d550aca0f695a055488a595b947ec8a17a0a96e1b8a8
SHA512 19118ef1989fc54777f7dfd8ef53468b18c2494e503e847169337aaa994dae88f0e97b5571c4f6872a2b1410a40f5c6ee281ebc66aa3ff6d3f2a5ae812896b25
-
Filesize
944B
MD5 bd5940f08d0be56e65e5f2aaf47c538e
SHA1 d7e31b87866e5e383ab5499da64aba50f03e8443
SHA256 2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6
SHA512 c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406
-
Filesize
944B
MD5 cadef9abd087803c630df65264a6c81c
SHA1 babbf3636c347c8727c35f3eef2ee643dbcc4bd2
SHA256 cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438
SHA512 7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085
-
Filesize
944B
MD5 e448fe0d240184c6597a31d3be2ced58
SHA1 372b8d8c19246d3e38cd3ba123cc0f56070f03cd
SHA256 c660f0db85a1e7f0f68db19868979bf50bd541531babf77a701e1b1ce5e6a391
SHA512 0b7f7eae7700d32b18eee3677cb7f89b46ace717fa7e6b501d6c47d54f15dff7e12b49f5a7d36a6ffe4c16165c7d55162db4f3621db545b6af638035752beab4
-
Filesize
944B
MD5 3a6bad9528f8e23fb5c77fbd81fa28e8
SHA1 f127317c3bc6407f536c0f0600dcbcf1aabfba36
SHA256 986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05
SHA512 846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2
-
Filesize
104B
MD5 273f01385a0ce76412b6e9e46ff8ca66
SHA1 946be76c58405e39efe344b1a66eeeedf1d3129d
SHA256 5be7358413ffde971947f2883fe6569fba4b686eddbba13155d702ffe8df672e
SHA512 c9e6b6d83d91c9982c9527d05c33dc3bf7482e8ddb2bda283d8aa9b3b843b97372406efdc2c8ccfb78026ea0ef040e0f40f4fbc5938678ecfd94d75d657aa624
-
Filesize
215B
MD5 237f42ecb9975718e359b77c41ab5680
SHA1 12fd40e81f3ec302857f59f09dfbf82b716190df
SHA256 fa46b220f46f62155616c1a9c09e14bd0004146424c9b07625dd534f17573fcb
SHA512 cf847c2e1679b738a848404417d4e9421ca08e61ab0bb7509990fd1454606359fec935fbd7969eae1d749b9da3bb24d6dd0ea49238c780256c79ab71d354d797
-
Filesize
215B
MD5 b3f527b2f161ae004787474cf87fa491
SHA1 d9e015b46770675d14b17481dcc72521604da82d
SHA256 c60be2177ade37034275f179d0179efa66d3dc325e84ff45d27f2ab9bfd07453
SHA512 11a324de1c8455a6d2d37ef945c690adb5568254bd5e6929d74c1edc001aea9465a3d54d21c181b276ed1f65abece062c588af37f541c0622d902306ff2d2148
-
Filesize
215B
MD5 b146bb33aa910f53c6d967384da363ad
SHA1 cc780930791ffb751cba5387ff5aaa26b3493279
SHA256 8473e618f98fb7de5bd2341f8b6ab9733039209dac6c6de09e0c07149507ebb1
SHA512 bcf892073249c39ab593c4e50032e1e6aec1f7d225b2b13fff9d72262891e518dc76cd4e2f606cfb313ceb4bd9abc99bb758ad078fde64c3676cb7f1a019771f
-
Filesize
215B
MD5 cef68cceb33d75bdf2f0db71bd8fc771
SHA1 2e8d4349b56605940a71d70b7941588ac8c08d95
SHA256 287c87d4f6a7256e2764187e95fd5a7863d73c6c66a0882c81e73a6b047bfafa
SHA512 4eebc65c87e667458655b29f2e3c1cfe5a1f4685d9df79f8f20e0c81431bac89d462e7242b4d41957ddc47f1cfc5cfa859355635f0b774bc70953a21fc180d4c
-
Filesize
215B
MD5 40d3c8c27b76efe483c9256721e23aa8
SHA1 edc0f29505d657dd31d8005f00ac4a692142684f
SHA256 a978bc9fbcae5f9b94f7b4035067dbf3a64a1b99897e5f362e0cead884e07724
SHA512 aa2deee228d445c7cd040abc75c62aa241e24bcbf7f0f8430a320d33266312fdefceb09a9a4c0712293a196b4c91f36ca5c11cbd5c35fb3a3657440b60a600e2
-
Filesize
215B
MD5 2a619706fbdda4be7eeb38a8aa9c7a2d
SHA1 bd6a42fdd45bfb687b48a8015e742b3b2a09f959
SHA256 e17d41ca55b401a77395f1bdacbc71ed5f7a663a8f68b65e09965940a102c3e7
SHA512 3159dfc4f234b75401dc2ee63ad367732f0c257be4ecff25d2d1bc2e79467bd352ad75b5a23d8fb42a40bff4abb3f6ffe77f21708f511bbc90866539c0dc68c4
-
Filesize
215B
MD5 143cbb8678b5761c9d89b1eb973ef3f2
SHA1 0a4d74ce19e306da25d6ce65b53a2e8213756c98
SHA256 075ddebb754991dd3fa36f01d5b937c099b121136cbcb61cdc583d8096392db0
SHA512 955839927bbc067391c7199b8bd367a51880597b9d7f377f81170c087caf522b423929c6e031634035b59323e9b100957cc00bdb00514b630d6eb9974a0b5cf2
-
Filesize
215B
MD5 19110be14ac886ba1cb7e9cff9e4f136
SHA1 d3c7659a919d59c70c68394a918e3018c988dafb
SHA256 e46b2fd500c1befc74cb773ead19cc5ffcbaa47e65eeebbb438e48f8d3e7317b
SHA512 c956655adb4da1606aded21a8328eef466b95ecccc12592555d82ffc7564b8920e7225843c01492fc12c3e0a52d23a503193bc14670d95f9ac03b4e8c0d8217e
-
Filesize
215B
MD5 3d4aabe313a952df9bf089aeaf1188c6
SHA1 0123dd9786afb566a6ba9e4a39130f9abd2d9b71
SHA256 8dd8bbb29aebe92a394115f5185123805fa3c8581fa9a6c4039035f6082d4b7d
SHA512 44248df38ca7f7fe19ce46ca65de70a844edcbeec040f6b4975e0e41e38709dfa3a003e9bbe819c604bd19e6c210eadfc79e61542a9e790fc4288a4e5318d7e6
-
Filesize
60B
MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
215B
MD5 11e2b353358a66dc0e57b1dab9e445b1
SHA1 e9f668817d142dd63ccd6f80b0e639ed9de6653e
SHA256 a8fb441c61a3187c255a098a219a3582387793615b90d1606ed746d9787793b9
SHA512 ba6c5e5d99f52a912b40eaedb93ce6f0d912152e525467dc62bebc536979002ca3b9f5ec6c0a52e59863e81b05f119a8a8c25414e4e0c7cd10e2d39135169f0a
-
Filesize
215B
MD5 7438cb287d6fe4cb131db8de3bf02eb8
SHA1 c5291c3e6c91a3ca02e562a4d822e38177543b3b
SHA256 9aa2a2817cd5671b4e8728a77b9f92f4c3ebcc23d49272211d6745b0138b8149
SHA512 c9166a7d2c707805d13ae7b3d9fed86af0c1bba4bbcb42cb6deb63f06bb11d0b54191f363b35a84a34db0e1114e945257c67436db3b4c0ae36c32707c3a98d48
-
Filesize
215B
MD5 26c05b9ca17c271827f4c397f7bc3cb0
SHA1 f80600d75c4a9b66489a5c974644134814932c0b
SHA256 e6c0f3974462aeb829adac75f16435b3069fbb06f2358ea2cd14e1d8e8023980
SHA512 7982cb43c6eb3e219d553b921efa692b0b8ac9cedf5930e6e1478375c1f061ffd8a99c54b5f3762bc1712d1a5fd5e884b91408eff942ecf3fcbc8d90c3d7bc8a
-
Filesize
36B
MD5 6783c3ee07c7d151ceac57f1f9c8bed7
SHA1 17468f98f95bf504cc1f83c49e49a78526b3ea03
SHA256 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512 c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8
-
Filesize
1.0MB
MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
Filesize
197B
MD5 8088241160261560a02c84025d107592
SHA1 083121f7027557570994c9fc211df61730455bb5
SHA256 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA512 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478