Analysis
-
max time kernel
144s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
30/12/2024, 02:39
Behavioral task
behavioral1
Sample
JaffaCakes118_d294e4e7f1ced0ec206420b3815c1323e5482dd0ae06f0300f8c1fde37443cad.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
JaffaCakes118_d294e4e7f1ced0ec206420b3815c1323e5482dd0ae06f0300f8c1fde37443cad.exe
Resource
win10v2004-20241007-en
General
-
Target
JaffaCakes118_d294e4e7f1ced0ec206420b3815c1323e5482dd0ae06f0300f8c1fde37443cad.exe
-
Size
1.3MB
-
MD5
a37c7bb0f9b5bbd814388bc40cd5d638
-
SHA1
821717ebf915edd7c627dbe52b8e1fd18e76d482
-
SHA256
d294e4e7f1ced0ec206420b3815c1323e5482dd0ae06f0300f8c1fde37443cad
-
SHA512
bac98a4ab9d84e2568f549df981a2a25713f141fd7eedf8c0562e763a25f70ab6702ff2e0ec5b06faf09aafd4aeed37fb461dca2a3ae1ca6b84d12b28690641c
-
SSDEEP
24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 64 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3668 1496 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 852 1496 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5068 1496 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3736 1496 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4248 1496 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4224 1496 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 428 1496 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2016 1496 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2164 1496 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 736 1496 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1232 1496 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2252 1496 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4436 1496 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4440 1496 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5112 1496 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4388 1496 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4728 1496 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1912 1496 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1536 1496 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1808 1496 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2640 1496 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4736 1496 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 552 1496 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1968 1496 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3096 1496 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4012 1496 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2308 1496 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4388 1496 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1988 1496 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3488 1496 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4116 1496 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 736 1496 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2740 1496 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2124 1496 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4268 1496 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4360 1496 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 920 1496 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1600 1496 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4300 1496 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4504 1496 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1568 1496 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1060 1496 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4660 1496 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4328 1496 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1704 1496 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 368 1496 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 892 1496 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4728 1496 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1944 1496 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2368 1496 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4160 1496 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3176 1496 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 872 1496 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 988 1496 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1968 1496 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2996 1496 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4448 1496 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2932 1496 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4292 1496 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2224 1496 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1784 1496 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3596 1496 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4424 1496 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1976 1496 schtasks.exe 86 -
resource yara_rule behavioral2/files/0x000e000000023bba-10.dat dcrat behavioral2/memory/2320-13-0x00000000001B0000-0x00000000002C0000-memory.dmp dcrat -
Command and Scripting Interpreter: PowerShell 1 TTPs 28 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 4828 powershell.exe 1708 powershell.exe 4164 powershell.exe 5092 powershell.exe 2320 powershell.exe 876 powershell.exe 1184 powershell.exe 1108 powershell.exe 1612 powershell.exe 1476 powershell.exe 2332 powershell.exe 4252 powershell.exe 4152 powershell.exe 3668 powershell.exe 2468 powershell.exe 1484 powershell.exe 4404 powershell.exe 4228 powershell.exe 2880 powershell.exe 3492 powershell.exe 1672 powershell.exe 4516 powershell.exe 1684 powershell.exe 3368 powershell.exe 396 powershell.exe 4856 powershell.exe 4516 powershell.exe 3248 powershell.exe -
Checks computer location settings 2 TTPs 16 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation WmiPrvSE.exe Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation WmiPrvSE.exe Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation WmiPrvSE.exe Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation WmiPrvSE.exe Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation WmiPrvSE.exe Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation WmiPrvSE.exe Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation JaffaCakes118_d294e4e7f1ced0ec206420b3815c1323e5482dd0ae06f0300f8c1fde37443cad.exe Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation DllCommonsvc.exe Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation WmiPrvSE.exe Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation WmiPrvSE.exe Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation WmiPrvSE.exe Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation DllCommonsvc.exe Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation DllCommonsvc.exe Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation WmiPrvSE.exe Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation WmiPrvSE.exe -
Executes dropped EXE 15 IoCs
pid Process 2320 DllCommonsvc.exe 640 DllCommonsvc.exe 3272 DllCommonsvc.exe 464 WmiPrvSE.exe 5220 WmiPrvSE.exe 5392 WmiPrvSE.exe 5976 WmiPrvSE.exe 5512 WmiPrvSE.exe 4672 WmiPrvSE.exe 3616 WmiPrvSE.exe 4300 WmiPrvSE.exe 4724 WmiPrvSE.exe 3368 WmiPrvSE.exe 1452 WmiPrvSE.exe 4412 WmiPrvSE.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 13 IoCs
flow ioc 23 raw.githubusercontent.com 39 raw.githubusercontent.com 52 raw.githubusercontent.com 54 raw.githubusercontent.com 45 raw.githubusercontent.com 53 raw.githubusercontent.com 55 raw.githubusercontent.com 56 raw.githubusercontent.com 24 raw.githubusercontent.com 38 raw.githubusercontent.com 43 raw.githubusercontent.com 44 raw.githubusercontent.com 57 raw.githubusercontent.com -
Drops file in Program Files directory 14 IoCs
description ioc Process File created C:\Program Files\Mozilla Firefox\browser\RuntimeBroker.exe DllCommonsvc.exe File created C:\Program Files\Windows Portable Devices\RuntimeBroker.exe DllCommonsvc.exe File created C:\Program Files\Microsoft Office 15\ClientX64\csrss.exe DllCommonsvc.exe File created C:\Program Files\Microsoft Office 15\ClientX64\886983d96e3d3e DllCommonsvc.exe File created C:\Program Files (x86)\Windows Portable Devices\38384e6a620884 DllCommonsvc.exe File created C:\Program Files (x86)\Windows Defender\ja-JP\ee2ad38f3d4382 DllCommonsvc.exe File created C:\Program Files (x86)\Microsoft.NET\RedistList\e6c9b481da804f DllCommonsvc.exe File created C:\Program Files\Mozilla Firefox\browser\9e8d7a4ca61bd9 DllCommonsvc.exe File created C:\Program Files (x86)\Mozilla Maintenance Service\logs\e6c9b481da804f DllCommonsvc.exe File created C:\Program Files (x86)\Microsoft.NET\RedistList\OfficeClickToRun.exe DllCommonsvc.exe File created C:\Program Files (x86)\Windows Defender\ja-JP\Registry.exe DllCommonsvc.exe File created C:\Program Files (x86)\Mozilla Maintenance Service\logs\OfficeClickToRun.exe DllCommonsvc.exe File created C:\Program Files\Windows Portable Devices\9e8d7a4ca61bd9 DllCommonsvc.exe File created C:\Program Files (x86)\Windows Portable Devices\SearchApp.exe DllCommonsvc.exe -
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\Windows\ModemLogs\ea9f0e6c9e2dcd DllCommonsvc.exe File created C:\Windows\ModemLogs\taskhostw.exe DllCommonsvc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_d294e4e7f1ced0ec206420b3815c1323e5482dd0ae06f0300f8c1fde37443cad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
Modifies registry class 14 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings WmiPrvSE.exe Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings WmiPrvSE.exe Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings WmiPrvSE.exe Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings WmiPrvSE.exe Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings WmiPrvSE.exe Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings JaffaCakes118_d294e4e7f1ced0ec206420b3815c1323e5482dd0ae06f0300f8c1fde37443cad.exe Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings WmiPrvSE.exe Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings WmiPrvSE.exe Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings WmiPrvSE.exe Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings DllCommonsvc.exe Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings DllCommonsvc.exe Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings WmiPrvSE.exe Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings WmiPrvSE.exe Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings WmiPrvSE.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 4248 schtasks.exe 2368 schtasks.exe 5068 schtasks.exe 736 schtasks.exe 1232 schtasks.exe 1536 schtasks.exe 4300 schtasks.exe 1944 schtasks.exe 4448 schtasks.exe 3596 schtasks.exe 4424 schtasks.exe 3924 schtasks.exe 4388 schtasks.exe 1968 schtasks.exe 3096 schtasks.exe 2728 schtasks.exe 4224 schtasks.exe 4440 schtasks.exe 4728 schtasks.exe 4292 schtasks.exe 2224 schtasks.exe 4948 schtasks.exe 3668 schtasks.exe 2164 schtasks.exe 5112 schtasks.exe 4728 schtasks.exe 736 schtasks.exe 1060 schtasks.exe 4660 schtasks.exe 368 schtasks.exe 4012 schtasks.exe 2932 schtasks.exe 1784 schtasks.exe 4928 schtasks.exe 4676 schtasks.exe 4972 schtasks.exe 2252 schtasks.exe 2640 schtasks.exe 4548 schtasks.exe 400 schtasks.exe 4436 schtasks.exe 1808 schtasks.exe 4388 schtasks.exe 872 schtasks.exe 4596 schtasks.exe 4736 schtasks.exe 4116 schtasks.exe 2124 schtasks.exe 4360 schtasks.exe 1912 schtasks.exe 552 schtasks.exe 1988 schtasks.exe 3488 schtasks.exe 1568 schtasks.exe 4328 schtasks.exe 2568 schtasks.exe 852 schtasks.exe 4504 schtasks.exe 2740 schtasks.exe 4268 schtasks.exe 1600 schtasks.exe 3176 schtasks.exe 1976 schtasks.exe 2308 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2320 DllCommonsvc.exe 2880 powershell.exe 1484 powershell.exe 2880 powershell.exe 4252 powershell.exe 4828 powershell.exe 1684 powershell.exe 4828 powershell.exe 1484 powershell.exe 4252 powershell.exe 1684 powershell.exe 640 DllCommonsvc.exe 640 DllCommonsvc.exe 640 DllCommonsvc.exe 640 DllCommonsvc.exe 640 DllCommonsvc.exe 640 DllCommonsvc.exe 640 DllCommonsvc.exe 640 DllCommonsvc.exe 640 DllCommonsvc.exe 4516 powershell.exe 3248 powershell.exe 1708 powershell.exe 1184 powershell.exe 4404 powershell.exe 4516 powershell.exe 4404 powershell.exe 3248 powershell.exe 1708 powershell.exe 1184 powershell.exe 3272 DllCommonsvc.exe 3272 DllCommonsvc.exe 3272 DllCommonsvc.exe 3272 DllCommonsvc.exe 3272 DllCommonsvc.exe 3272 DllCommonsvc.exe 3272 DllCommonsvc.exe 3272 DllCommonsvc.exe 3272 DllCommonsvc.exe 3272 DllCommonsvc.exe 3272 DllCommonsvc.exe 3272 DllCommonsvc.exe 3272 DllCommonsvc.exe 3272 DllCommonsvc.exe 3272 DllCommonsvc.exe 3272 DllCommonsvc.exe 3272 DllCommonsvc.exe 3272 DllCommonsvc.exe 3272 DllCommonsvc.exe 3272 DllCommonsvc.exe 3272 DllCommonsvc.exe 3272 DllCommonsvc.exe 3272 DllCommonsvc.exe 3272 DllCommonsvc.exe 3272 DllCommonsvc.exe 3272 DllCommonsvc.exe 3272 DllCommonsvc.exe 3272 DllCommonsvc.exe 3272 DllCommonsvc.exe 3272 DllCommonsvc.exe 3272 DllCommonsvc.exe 3272 DllCommonsvc.exe 3272 DllCommonsvc.exe 3272 DllCommonsvc.exe -
Suspicious use of AdjustPrivilegeToken 43 IoCs
description pid Process Token: SeDebugPrivilege 2320 DllCommonsvc.exe Token: SeDebugPrivilege 2880 powershell.exe Token: SeDebugPrivilege 1484 powershell.exe Token: SeDebugPrivilege 4252 powershell.exe Token: SeDebugPrivilege 4828 powershell.exe Token: SeDebugPrivilege 1684 powershell.exe Token: SeDebugPrivilege 640 DllCommonsvc.exe Token: SeDebugPrivilege 4516 powershell.exe Token: SeDebugPrivilege 3248 powershell.exe Token: SeDebugPrivilege 1708 powershell.exe Token: SeDebugPrivilege 1184 powershell.exe Token: SeDebugPrivilege 4404 powershell.exe Token: SeDebugPrivilege 3272 DllCommonsvc.exe Token: SeDebugPrivilege 5092 powershell.exe Token: SeDebugPrivilege 2320 powershell.exe Token: SeDebugPrivilege 396 powershell.exe Token: SeDebugPrivilege 4228 powershell.exe Token: SeDebugPrivilege 876 powershell.exe Token: SeDebugPrivilege 464 WmiPrvSE.exe Token: SeDebugPrivilege 2468 powershell.exe Token: SeDebugPrivilege 4516 powershell.exe Token: SeDebugPrivilege 4152 powershell.exe Token: SeDebugPrivilege 2332 powershell.exe Token: SeDebugPrivilege 1108 powershell.exe Token: SeDebugPrivilege 4856 powershell.exe Token: SeDebugPrivilege 3492 powershell.exe Token: SeDebugPrivilege 4164 powershell.exe Token: SeDebugPrivilege 1476 powershell.exe Token: SeDebugPrivilege 1612 powershell.exe Token: SeDebugPrivilege 3668 powershell.exe Token: SeDebugPrivilege 1672 powershell.exe Token: SeDebugPrivilege 3368 powershell.exe Token: SeDebugPrivilege 5220 WmiPrvSE.exe Token: SeDebugPrivilege 5392 WmiPrvSE.exe Token: SeDebugPrivilege 5976 WmiPrvSE.exe Token: SeDebugPrivilege 5512 WmiPrvSE.exe Token: SeDebugPrivilege 4672 WmiPrvSE.exe Token: SeDebugPrivilege 3616 WmiPrvSE.exe Token: SeDebugPrivilege 4300 WmiPrvSE.exe Token: SeDebugPrivilege 4724 WmiPrvSE.exe Token: SeDebugPrivilege 3368 WmiPrvSE.exe Token: SeDebugPrivilege 1452 WmiPrvSE.exe Token: SeDebugPrivilege 4412 WmiPrvSE.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2552 wrote to memory of 4060 2552 JaffaCakes118_d294e4e7f1ced0ec206420b3815c1323e5482dd0ae06f0300f8c1fde37443cad.exe 82 PID 2552 wrote to memory of 4060 2552 JaffaCakes118_d294e4e7f1ced0ec206420b3815c1323e5482dd0ae06f0300f8c1fde37443cad.exe 82 PID 2552 wrote to memory of 4060 2552 JaffaCakes118_d294e4e7f1ced0ec206420b3815c1323e5482dd0ae06f0300f8c1fde37443cad.exe 82 PID 4060 wrote to memory of 4204 4060 WScript.exe 83 PID 4060 wrote to memory of 4204 4060 WScript.exe 83 PID 4060 wrote to memory of 4204 4060 WScript.exe 83 PID 4204 wrote to memory of 2320 4204 cmd.exe 85 PID 4204 wrote to memory of 2320 4204 cmd.exe 85 PID 2320 wrote to memory of 4828 2320 DllCommonsvc.exe 99 PID 2320 wrote to memory of 4828 2320 DllCommonsvc.exe 99 PID 2320 wrote to memory of 2880 2320 DllCommonsvc.exe 100 PID 2320 wrote to memory of 2880 2320 DllCommonsvc.exe 100 PID 2320 wrote to memory of 4252 2320 DllCommonsvc.exe 101 PID 2320 wrote to memory of 4252 2320 DllCommonsvc.exe 101 PID 2320 wrote to memory of 1684 2320 DllCommonsvc.exe 102 PID 2320 wrote to memory of 1684 2320 DllCommonsvc.exe 102 PID 2320 wrote to memory of 1484 2320 DllCommonsvc.exe 103 PID 2320 wrote to memory of 1484 2320 DllCommonsvc.exe 103 PID 2320 wrote to memory of 5024 2320 DllCommonsvc.exe 109 PID 2320 wrote to memory of 5024 2320 DllCommonsvc.exe 109 PID 5024 wrote to memory of 2304 5024 cmd.exe 111 PID 5024 wrote to memory of 2304 5024 cmd.exe 111 PID 5024 wrote to memory of 640 5024 cmd.exe 112 PID 5024 wrote to memory of 640 5024 cmd.exe 112 PID 640 wrote to memory of 1708 640 DllCommonsvc.exe 125 PID 640 wrote to memory of 1708 640 DllCommonsvc.exe 125 PID 640 wrote to memory of 3248 640 DllCommonsvc.exe 126 PID 640 wrote to memory of 3248 640 DllCommonsvc.exe 126 PID 640 wrote to memory of 4404 640 DllCommonsvc.exe 221 PID 640 wrote to memory of 4404 640 DllCommonsvc.exe 221 PID 640 wrote to memory of 1184 640 DllCommonsvc.exe 128 PID 640 wrote to memory of 1184 640 DllCommonsvc.exe 128 PID 640 wrote to memory of 4516 640 DllCommonsvc.exe 201 PID 640 wrote to memory of 4516 640 DllCommonsvc.exe 201 PID 640 wrote to memory of 464 640 DllCommonsvc.exe 230 PID 640 wrote to memory of 464 640 DllCommonsvc.exe 230 PID 464 wrote to memory of 2228 464 cmd.exe 137 PID 464 wrote to memory of 2228 464 cmd.exe 137 PID 464 wrote to memory of 3272 464 cmd.exe 142 PID 464 wrote to memory of 3272 464 cmd.exe 142 PID 3272 wrote to memory of 5092 3272 DllCommonsvc.exe 194 PID 3272 wrote to memory of 5092 3272 DllCommonsvc.exe 194 PID 3272 wrote to memory of 2468 3272 DllCommonsvc.exe 195 PID 3272 wrote to memory of 2468 3272 DllCommonsvc.exe 195 PID 3272 wrote to memory of 876 3272 DllCommonsvc.exe 196 PID 3272 wrote to memory of 876 3272 DllCommonsvc.exe 196 PID 3272 wrote to memory of 396 3272 DllCommonsvc.exe 198 PID 3272 wrote to memory of 396 3272 DllCommonsvc.exe 198 PID 3272 wrote to memory of 2320 3272 DllCommonsvc.exe 199 PID 3272 wrote to memory of 2320 3272 DllCommonsvc.exe 199 PID 3272 wrote to memory of 3368 3272 DllCommonsvc.exe 200 PID 3272 wrote to memory of 3368 3272 DllCommonsvc.exe 200 PID 3272 wrote to memory of 4516 3272 DllCommonsvc.exe 201 PID 3272 wrote to memory of 4516 3272 DllCommonsvc.exe 201 PID 3272 wrote to memory of 2332 3272 DllCommonsvc.exe 203 PID 3272 wrote to memory of 2332 3272 DllCommonsvc.exe 203 PID 3272 wrote to memory of 4164 3272 DllCommonsvc.exe 204 PID 3272 wrote to memory of 4164 3272 DllCommonsvc.exe 204 PID 3272 wrote to memory of 4228 3272 DllCommonsvc.exe 205 PID 3272 wrote to memory of 4228 3272 DllCommonsvc.exe 205 PID 3272 wrote to memory of 3668 3272 DllCommonsvc.exe 207 PID 3272 wrote to memory of 3668 3272 DllCommonsvc.exe 207 PID 3272 wrote to memory of 1476 3272 DllCommonsvc.exe 208 PID 3272 wrote to memory of 1476 3272 DllCommonsvc.exe 208 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d294e4e7f1ced0ec206420b3815c1323e5482dd0ae06f0300f8c1fde37443cad.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d294e4e7f1ced0ec206420b3815c1323e5482dd0ae06f0300f8c1fde37443cad.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2552 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4060 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4204 -
C:\providercommon\DllCommonsvc.exe"C:\providercommon\DllCommonsvc.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2320 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4828
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\SppExtComObj.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2880
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\wininit.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4252
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\SppExtComObj.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1684
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\RedistList\OfficeClickToRun.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1484
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6UGIW4Qb8i.bat"5⤵
- Suspicious use of WriteProcessMemory
PID:5024 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:26⤵PID:2304
-
-
C:\providercommon\DllCommonsvc.exe"C:\providercommon\DllCommonsvc.exe"6⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:640 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1708
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\SppExtComObj.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3248
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4404
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\TextInputHost.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1184
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\winlogon.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4516
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hDscMB1tIE.bat"7⤵
- Suspicious use of WriteProcessMemory
PID:464 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:28⤵PID:2228
-
-
C:\providercommon\DllCommonsvc.exe"C:\providercommon\DllCommonsvc.exe"8⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3272 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'9⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:5092
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\regid.1991-06.com.microsoft\explorer.exe'9⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2468
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\unsecapp.exe'9⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:876
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\sppsvc.exe'9⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:396
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Mozilla Firefox\browser\RuntimeBroker.exe'9⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2320
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\WmiPrvSE.exe'9⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:3368
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Desktop\upfc.exe'9⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:4516
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\Registry.exe'9⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2332
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\RuntimeBroker.exe'9⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:4164
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'9⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:4228
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\SppExtComObj.exe'9⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:3668
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office 15\ClientX64\csrss.exe'9⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:1476
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\SearchApp.exe'9⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:1612
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\ja-JP\Registry.exe'9⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:1672
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ModemLogs\taskhostw.exe'9⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:3492
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\smss.exe'9⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:1108 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV110⤵PID:4404
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\logs\OfficeClickToRun.exe'9⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:4856
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\conhost.exe'9⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:4152
-
-
C:\providercommon\WmiPrvSE.exe"C:\providercommon\WmiPrvSE.exe"9⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:464 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CL2HVdYORd.bat"10⤵PID:5152
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:211⤵PID:5244
-
-
C:\providercommon\WmiPrvSE.exe"C:\providercommon\WmiPrvSE.exe"11⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:5220 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\arqkgCRh4V.bat"12⤵PID:1808
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:213⤵PID:4528
-
-
C:\providercommon\WmiPrvSE.exe"C:\providercommon\WmiPrvSE.exe"13⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:5392 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oYNvu0ZNBR.bat"14⤵PID:3932
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:215⤵PID:948
-
-
C:\providercommon\WmiPrvSE.exe"C:\providercommon\WmiPrvSE.exe"15⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:5976 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HD5NsnfB5C.bat"16⤵PID:5628
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:217⤵PID:3044
-
-
C:\providercommon\WmiPrvSE.exe"C:\providercommon\WmiPrvSE.exe"17⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:5512 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tbw0avzYF4.bat"18⤵PID:2784
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:219⤵PID:5624
-
-
C:\providercommon\WmiPrvSE.exe"C:\providercommon\WmiPrvSE.exe"19⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4672 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UucX7bnqC8.bat"20⤵PID:6020
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:221⤵PID:5112
-
-
C:\providercommon\WmiPrvSE.exe"C:\providercommon\WmiPrvSE.exe"21⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:3616 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0P1AeAAEDQ.bat"22⤵PID:5588
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:223⤵PID:1644
-
-
C:\providercommon\WmiPrvSE.exe"C:\providercommon\WmiPrvSE.exe"23⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4300 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DFgOOKl5EO.bat"24⤵PID:5712
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:225⤵PID:5776
-
-
C:\providercommon\WmiPrvSE.exe"C:\providercommon\WmiPrvSE.exe"25⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4724 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iVopF68B7o.bat"26⤵PID:5124
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:227⤵PID:2976
-
-
C:\providercommon\WmiPrvSE.exe"C:\providercommon\WmiPrvSE.exe"27⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:3368 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lcLsEvVTrf.bat"28⤵PID:6088
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:229⤵PID:1448
-
-
C:\providercommon\WmiPrvSE.exe"C:\providercommon\WmiPrvSE.exe"29⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1452 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sWmtPUST1G.bat"30⤵PID:3108
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:231⤵PID:1488
-
-
C:\providercommon\WmiPrvSE.exe"C:\providercommon\WmiPrvSE.exe"31⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4412 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\G2aNa3Lme8.bat"32⤵PID:5272
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:233⤵PID:5432
-
-
C:\providercommon\WmiPrvSE.exe"C:\providercommon\WmiPrvSE.exe"33⤵PID:1232
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\SppExtComObj.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3668
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Users\Default User\SppExtComObj.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:852
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\SppExtComObj.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5068
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /f1⤵
- Process spawned unexpected child process
PID:3736
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4248
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4224
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 10 /tr "'C:\providercommon\SppExtComObj.exe'" /f1⤵
- Process spawned unexpected child process
PID:428
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\providercommon\SppExtComObj.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:2016
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 8 /tr "'C:\providercommon\SppExtComObj.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2164
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\OfficeClickToRun.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:736
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\OfficeClickToRun.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1232
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\OfficeClickToRun.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2252
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\SppExtComObj.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4440
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Users\Default User\SppExtComObj.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4436
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\SppExtComObj.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1968
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\providercommon\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:552
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5112
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4736
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2640
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1808
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1536
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\providercommon\winlogon.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1912
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\providercommon\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4728
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\providercommon\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4388
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\regid.1991-06.com.microsoft\explorer.exe'" /f1⤵PID:4716
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\All Users\regid.1991-06.com.microsoft\explorer.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:4596
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\regid.1991-06.com.microsoft\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3096
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\unsecapp.exe'" /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:2568
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Users\All Users\unsecapp.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:4972
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\unsecapp.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4012
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\sppsvc.exe'" /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:4676
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Default User\sppsvc.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:4928
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\sppsvc.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:2728
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files\Mozilla Firefox\browser\RuntimeBroker.exe'" /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:400
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\browser\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:4548
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Program Files\Mozilla Firefox\browser\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:4948
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\providercommon\WmiPrvSE.exe'" /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:3924
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1976
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4424
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfcu" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Desktop\upfc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3596
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Users\All Users\Desktop\upfc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1784
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfcu" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Desktop\upfc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2224
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4292
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2932
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4448
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Portable Devices\RuntimeBroker.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2308
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:2996
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Portable Devices\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:1968
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /f1⤵
- Process spawned unexpected child process
PID:988
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:872
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3176
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 14 /tr "'C:\providercommon\SppExtComObj.exe'" /f1⤵
- Process spawned unexpected child process
PID:4160
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\providercommon\SppExtComObj.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2368
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 11 /tr "'C:\providercommon\SppExtComObj.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1944
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4728
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:892
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:368
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Portable Devices\SearchApp.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4388
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\SearchApp.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:1704
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Portable Devices\SearchApp.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4328
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\Registry.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4660
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\Registry.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1988
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\Registry.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3488
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 6 /tr "'C:\Windows\ModemLogs\taskhostw.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1060
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Windows\ModemLogs\taskhostw.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1568
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 12 /tr "'C:\Windows\ModemLogs\taskhostw.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4504
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2740
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4116
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:736
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\OfficeClickToRun.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4300
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\OfficeClickToRun.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1600
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\OfficeClickToRun.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:920
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\providercommon\conhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2124
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4360
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4268
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD57f3c0ae41f0d9ae10a8985a2c327b8fb
SHA1d58622bf6b5071beacf3b35bb505bde2000983e3
SHA256519fceae4d0dd4d09edd1b81bcdfa8aeab4b59eee77a4cd4b6295ce8e591a900
SHA5128a8fd17eef071f86e672cba0d8fc2cfed6118aff816100b9d7c06eb96443c04c04bc5692259c8d7ecb1563e877921939c61726605af4f969e3f586f0913ed125
-
Filesize
1KB
MD5baf55b95da4a601229647f25dad12878
SHA1abc16954ebfd213733c4493fc1910164d825cac8
SHA256ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924
SHA51224f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545
-
Filesize
2KB
MD5a43e653ffb5ab07940f4bdd9cc8fade4
SHA1af43d04e3427f111b22dc891c5c7ee8a10ac4123
SHA256c4c53abb13e99475aebfbe9fec7a8fead81c14c80d9dcc2b81375304f3a683fe
SHA51262a97e95e1f19a8d4302847110dae44f469877eed6aa8ea22345c6eb25ee220e7d310fa0b7ec5df42356815421c0af7c46a0f1fee8933cc446641800eda6cd1b
-
Filesize
944B
MD5d28a889fd956d5cb3accfbaf1143eb6f
SHA1157ba54b365341f8ff06707d996b3635da8446f7
SHA25621e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45
SHA5120b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c
-
Filesize
944B
MD598baf5117c4fcec1692067d200c58ab3
SHA15b33a57b72141e7508b615e17fb621612cb8e390
SHA25630bf8496e9a08f4fdfe4767abcd565f92b6da06ca1c7823a70cb7cab16262e51
SHA512344a70bfc037d54176f12db91f05bf4295bb587a5062fd1febe6f52853571170bd8ef6042cb87b893185bbae1937cf77b679d7970f8cc1c2666b0b7c1b32987d
-
Filesize
944B
MD519e1e2a79d89d1a806d9f998551c82a8
SHA13ea8c6b09bcaa874efc3a220f6f61eed4be85ebd
SHA256210f353fbdf0ed0f95aec9d76a455c1e92f96000551a875c5de55cfa712f4adc
SHA512da427ad972596f8f795ae978337e943cb07f9c5a2ed1c8d1f1cad27c07dcec2f4d4ffe9424db2b90fcba3c2f301524f52931a863efae38fca2bef1def53567b8
-
Filesize
944B
MD5aeceee3981c528bdc5e1c635b65d223d
SHA1de9939ed37edca6772f5cdd29f6a973b36b7d31b
SHA256b99f3c778a047e0348c92c16e0419fa29418d10d0fec61ad8283e92a094a2b32
SHA512df48285f38e9284efdbd9f8d99e2e94a46fb5465953421ab88497b73ae06895b98ea5c98796560810a6f342c31a9112ea87e03cd3e267fd8518d7585f492a8fb
-
Filesize
944B
MD5100b5eb2f8c2f9a0c297ca3f2fe05082
SHA137d56cc394ec2862b7d9ad13b4742ad6154c67cb
SHA256249d526803e85f8b2ce99609e4d9b0ed463d269907a065c666c39c9cbe67c5f2
SHA512451896e4852b2319bfe967ebc9d14cb1348231fd6b002d067540c75ce1b2af91305030a9c17d92a102222cba42fb873eafd30fbb046db25b074f8a632336b852
-
Filesize
944B
MD5f39dee759b4a12cc2bdb9b6434684a79
SHA156e1ef299a21d0c30807393aca8f116467133090
SHA256d88c830d5ea6bb2133b4fd42581e332e61b3089160e27a29048a7a935aaa570e
SHA5126c027ce48598376f95f11fa514098bc8a035aecc63be2c7fd635dfcfcab29fd9dbef47713bb1c8037b0be1e6ba0bb2fa5cb18a6057fec0ab940147ad4cfec934
-
Filesize
944B
MD5575c67abdb0b2c72de0d9dd38b94d791
SHA127783f259ffd096b21c02c70cb999bf860183124
SHA256fdf985fb9c56b4462675c41f68555f8762dd7043b15750968208b88be87252bc
SHA51261b23a15b52cf51b525993e8cfc0b9fd41d1bb28501c96a35f776bfa738390783ad266c2d0383a53770f3662dd118a45114d92afee63b4673e88008a6559b774
-
Filesize
944B
MD5b22bcc023ccf6782c755f5b743aa3a52
SHA1141150057021a07fa6aa03f46c9f2fd5719b3eeb
SHA256a977c9d6fc409dbc0abbaa17e306eca391657f1f3c974cf1b004826000b8d1b4
SHA51205c78b755324319a86857f3d249cfc9cc0c6c51a4f8ee94350a1936853e323af668fa8ee224d60eea618f1a7684897c3ce24713365dbeeba02e7718cbe4b3b0e
-
Filesize
944B
MD5862ba4d954cb06e558c72993c6279458
SHA13ab48639fa55e13566cf3fe01dee8be4709e3d4b
SHA2560323bf0f856b0b21d92787c1adb301e914c00b9ee02bb34e71547cd0c5a35b64
SHA512edcb8d196ce9adb0a77da8a83b60f1a7d675941bf1f4746b68c96b5f0b91c07be073900b3f8155c9e742e3735a581d76bd988a4fd59db4f4c16475f728fa4c9a
-
Filesize
944B
MD521f5d3ab1d5d4c21a30ef164958c17cf
SHA1bf1250e3d9fbff360df4fb0309265d4d7e9bd82d
SHA256660dc0d677d560b86af0dbd19467419cacbba7d005cac2c8347e50b5f29ce5bd
SHA5122a742ba0a4590db7215945ef8db3f0ec2ac5f69f05a3057638e8d2b2260b05902bda19502d1bb9c9945299cb1054910b11f57c19626bd9b191f6a6a4c9e6e4bf
-
Filesize
944B
MD5fec78ebbd765e6f8d91ff70218cfeb45
SHA111018ec3fa5d64501496c37f8687b773da21e68e
SHA25629086aafe3d9aa700651b295c0007d7832d7ac4fca9e02702706566b7d42f20d
SHA5123534898dc42185a99c3be830121870ab99e9ff1857cb165ce50f45fe205c4f3cef708e42f914fba573d88e31ac9f719d101d4ddd5b94b848440ef2d6dbcf4942
-
Filesize
944B
MD5e8609c12c59293ee67562f5096525f6f
SHA17b89311e1e00dec0658daa7749b6560af217435c
SHA2569e7a84df1f437f21ceba6e519fbbd333f0bd7721e8e4b0bb963652fb9a1163fa
SHA512ce6838f441c0954739ec5e03af0726d20b892c4415df3c3ee2010bc6c8f6191ac6717d0e3499ce04a03441b1ad43fc7a2df0de34a1ebd67fbd62cfdf48007b62
-
Filesize
944B
MD56b4e39689cee6c9a38f5a03b68b3df72
SHA1af6cc92ac1532a1059151831885c2929d83f8107
SHA25601bd20c1140847c1d579ca92531850535e5b0aaddfce3c8648716dc1cb811f8d
SHA5129fb0e8c8ebd43525f8364eff0d18c02a34c044d14558cfbea351d283f03df9b84e3e32453e296b2cd844b785dcefef75adfeaff401d80462959104033fe7ba02
-
Filesize
944B
MD577d622bb1a5b250869a3238b9bc1402b
SHA1d47f4003c2554b9dfc4c16f22460b331886b191b
SHA256f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb
SHA512d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9
-
Filesize
944B
MD56d3e9c29fe44e90aae6ed30ccf799ca8
SHA1c7974ef72264bbdf13a2793ccf1aed11bc565dce
SHA2562360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d
SHA51260c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a
-
Filesize
64B
MD52d45daa9e9acea96d8a2cadfd38aeb47
SHA1a1d49dfe3b7ff32a914f4e5c6fca696878d7227c
SHA25696341c1835589a0a0075c7cae08feb06a96c1a125fdbc650effc39b8ae36fbf5
SHA512b6228fa8931b8a5bb5fba99ff706bb77aa21cfc03248c5d208c24e2a141c8cb79b4988eadf985441fa9d02e9525589ab69335315d604994a33ec92fe640731f1
-
Filesize
195B
MD5727a772857a1e2c4f2e16ef011f9f0ef
SHA1987ac18637723857b1e6a6d6cadede240915b237
SHA2564bcbaf0efcc55dd506255ff4206f229028eabf87d8abe2f76fea7a7b81a36815
SHA512a777458d7ef589f16807e4ef05e60ea064798c3c19fd909463871f5ef35f61a7a869f896ee32e8c121a1f533557ab7a311a8d1bbd92d0c9d669930a4a82a36aa
-
Filesize
199B
MD58fa00328a19518ea1c98a95545cac5d3
SHA14ba4bece71dd4b22821121f21b2b2e98df4fba70
SHA2565787dfed1b0911adf74208c73633619b501ef24b009ce70bfd8e5972fa9888d4
SHA5129882a88bc9839c1b45b99c6ce29b2ef921b1b33666b6cf908a008bcc218eaa54bb345125e0f327e1941da0e53ce483a4326c605f2773d07a007a91cd9ed97f91
-
Filesize
195B
MD58e3b5f17fd0fa3d3696a4286ea8d41fa
SHA1be5b883ae33d4eacfb056931a0bdcc79f4b4ea08
SHA2561d0afe2cda774b39af43b92196e9d2f2d6116caf8a43a3a22b74233ff2964482
SHA512bdc8d88a0780a8e6a74c5c8c3a9f6965643f2a2b9e447b4b3764163ad3be23cc202b83055f32a27833b8a065e9bea8dfd03a3edb4ad9aab7f9f152ce164d880f
-
Filesize
195B
MD50a699f10d51adf12419cdc258ccaae86
SHA15a88673c01ce30193d9bbc700b25e3f5644ff671
SHA256da4396f6563d2bd851283b4aecf77fefea8534f4eb1482b79fe35944ea7618e1
SHA512acb51d63e98908a4e462f8b8d41584bb75be665987ee7044ffb5b67ac4d8c30cca97c3131f651771d66201b2e6d92ea05934dcd8b071a5860c4839b01fd0f78a
-
Filesize
195B
MD5e422c0445b986b9370f8b6a80b3ada08
SHA1066aeba51ead44e9febe552e6e72aa51ec61b8c9
SHA256bff91278a75809ffd0eed3cefa9f061d83bd17bd625f33cac93255799018c8ed
SHA5120ce1b41a72260c878cf9f11627c359abd47a8a1948291b69a9eacbc8e4b903afd63b3d9b3e9d52bf3964d66e13bd9efe769974c612ec42fdae49e9461b99a985
-
Filesize
195B
MD5da3d3a1db4f0303c960bbe9c888e415e
SHA14c4fabb10b3e557b75ec68e7ffa95bdb22eecfc1
SHA2565bc7ba6e02d3a046005c4df9ca5b43eb6796ab8b52528e690c61d14521a6efd2
SHA5123ab280c6b957d5bde7b867300fa8b35ceb3dbb128de4218ca9460db5b3fbd537125f7306be8fd11e37c2e75eb1184b0cf23b43f68db6078d043232efe51c83c5
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
195B
MD56e32056ed695147f327e3881b425aaa0
SHA1d80bacf7210d6f8018e1558b22f43ba311d624c6
SHA256cfd620a8383425a0cd7d48e154af2289a311d37ffa57756af7bbb53634963f8e
SHA512fd1c5c7bd1b61cb857fb4bef505618bbbb763c425c139baf3e23a8530fb00bef5362149e1bc06c26461b5aed712c4d1b9766f5c3f418c9c14483f09cd725a18d
-
Filesize
199B
MD594e28387f2fcdd9a27575a845d82ee54
SHA10ccab25647afe2b80f4345b0d6d1635151a3834c
SHA256719bdd23678ea654ed061515a77a79308024b599a2a4e9cb75a8253f39ba7cfc
SHA512d9e48d0ad63d585ffa832aefda8269c68a7d2cdc415545a79cde36c332ff2b8cb790fa17d9f7e45330df3f64d7b9d95898e4ea963d4c3ac3606cfd358790cbfd
-
Filesize
195B
MD544bbe6d235b7bb87279c67c762d1f798
SHA1d304d2e8eedfb1a2950e497438685d314c0fe813
SHA256d412511aacda01b9a2fec3113ebabebefb53e4ec615cb2c2e8bccfe5c39dfed4
SHA512f93dc2fe6a4702f53adaa49ccd7199c175f946598770b893b855e5f31586e53e98b188d4f0cd6136b0278252f042077b93adcdd241744fb1e49c75dcf5def5af
-
Filesize
195B
MD5851b7062d1f57b1595815d25ac8416f7
SHA144d8c27137370d225f9bb58a96c0be1c302ac8f0
SHA25621a92208674cf7adb141efb10eb920d812b5514dcc588dab84f251ccf32b9405
SHA512056a10e52a6e4edea538cbafdeda53eb34d33975d05e062f21847a7a38a45f33e775933a590d30c0b7d6ab51bf50f560b683f580a3fb275670b7988a667ef9b3
-
Filesize
195B
MD5060f834bd0611ca454d2c16f5d5c6ca3
SHA12a23bce70af20b8dc60a3db40c6790cd7e39c57e
SHA25662920e33ac1ef28a390e6913ebd02cf03128477763cee570c5272d70c9264d52
SHA51289d770eaccab4727eb964f34db61ca1f5219314fa89edcc2b2ed9a3bbc853c693be14fa451debe433c0e3c2e46e45b33d6e04c5bcceaadc150ef1c8663a8d92d
-
Filesize
195B
MD54a944f1939120b98679e65901579b4ee
SHA1c51dde12e6645595b958a581e9a33b14d0181bf0
SHA256e09b2b060bf8b12183224564121c9a116ff9e14541967c231b46ead6b332e855
SHA512a44f4921f2f3c4420cb7feaf127d24644fa947ec396b801463b45325e2295eec45404b3bea6c8d2d7f03b23a93f76e47363d9d22502044ccc5648b8a7a5c7f68
-
Filesize
195B
MD52bb1a3a9a3f6add412efa67406e52a8e
SHA18865b85f386be77faa4ac4b37ff0f3ca26d43014
SHA25655fbd54302dead1809f4e5c717e2461f1e7790c584d5be421cb6926c366b1549
SHA5125e915f3b1a84f5a282a29491c8f37c9130baf86a2170ec99ce7ea2089d1df4cadf69846f4cde9baad16ca2823a2fa744fafd67a0812cfc0c3f717cb36693b908
-
Filesize
654B
MD51a0f86078f0cc8c8f27c3934369bde3e
SHA14c885dc3a9ea60dacd9c32cc3f1455c78aa8fd7a
SHA256150ff91ced8c09b9d1276712353d4236cd66b2c91255ee11cb6e7671e25315d9
SHA51293f47f7c2ac7a342645a1f49265e32271de648be8f317b7b1968c2acaaac7264582aed21729c607b6dabd2779972d4c5d5f7f3c3db51dca9fbfd4c0c4c833492
-
Filesize
36B
MD56783c3ee07c7d151ceac57f1f9c8bed7
SHA117468f98f95bf504cc1f83c49e49a78526b3ea03
SHA2568ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8
-
Filesize
1.0MB
MD5bd31e94b4143c4ce49c17d3af46bcad0
SHA1f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
Filesize
984B
MD535122bf3a34b7f95752f105152b11d4d
SHA11fc941eef5a38807e316c81c998515dcb927fefd
SHA25615bfc06012cbe48634b2174bb6f8f9008103ef96e0405a93e8ca246ef3e45d41
SHA51277223ac463e6acd56d5fd375a2d3afc70905481278a2a9a7b88103a1d21eaa50815b33a797f762c5a05fe604a7e53af0b3221ee7eb36a8c8f1207fe426937f4e
-
Filesize
197B
MD58088241160261560a02c84025d107592
SHA1083121f7027557570994c9fc211df61730455bb5
SHA2562072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA51220d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478