Analysis

max time kernel: 149s
max time network: 145s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30/12/2024, 01:51
Behavioral task: behavioral1
Sample: JaffaCakes118_a57979937859ed51e4b90d5d623243ee619134124481ce57321a6b760e582e10.exe
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: JaffaCakes118_a57979937859ed51e4b90d5d623243ee619134124481ce57321a6b760e582e10.exe
Resource: win10v2004-20241007-en
General

Target: JaffaCakes118_a57979937859ed51e4b90d5d623243ee619134124481ce57321a6b760e582e10.exe
Size: 1.3MB
MD5: 0c72fb6062bd555fc88a168424e9d38e
SHA1: dfbedfa323934c94e829f8a3f91b8bf8213c05fd
SHA256: a57979937859ed51e4b90d5d623243ee619134124481ce57321a6b760e582e10
SHA512: 2f53f03359c9a8f7a157e7fd0c56deeeb19cedbccbbb1e1165f2b591680c8ee9269f86fc94d95f834a7791454b973335ab2c966bfe86b8794875e335b4a383ce
SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures

DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.

Dcrat family

Process spawned unexpected child process (36 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
description (all rows): Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
pid   pid_target  Process       procid_target
3264  1800        schtasks.exe  86
5092  1800        schtasks.exe  86
1876  1800        schtasks.exe  86
1224  1800        schtasks.exe  86
4248  1800        schtasks.exe  86
4420  1800        schtasks.exe  86
1912  1800        schtasks.exe  86
4960  1800        schtasks.exe  86
4576  1800        schtasks.exe  86
1980  1800        schtasks.exe  86
3916  1800        schtasks.exe  86
5068  1800        schtasks.exe  86
1676  1800        schtasks.exe  86
3604  1800        schtasks.exe  86
112   1800        schtasks.exe  86
2108  1800        schtasks.exe  86
2140  1800        schtasks.exe  86
3528  1800        schtasks.exe  86
940   1800        schtasks.exe  86
1120  1800        schtasks.exe  86
1432  1800        schtasks.exe  86
3144  1800        schtasks.exe  86
1960  1800        schtasks.exe  86
2732  1800        schtasks.exe  86
540   1800        schtasks.exe  86
1244  1800        schtasks.exe  86
732   1800        schtasks.exe  86
3416  1800        schtasks.exe  86
4908  1800        schtasks.exe  86
2904  1800        schtasks.exe  86
1952  1800        schtasks.exe  86
4216  1800        schtasks.exe  86
4144  1800        schtasks.exe  86
4656  1800        schtasks.exe  86
3736  1800        schtasks.exe  86
2764  1800        schtasks.exe  86
resource                                                                     yara_rule
behavioral2/files/0x0007000000023c95-10.dat                                  dcrat
behavioral2/memory/3200-13-0x0000000000D30000-0x0000000000E40000-memory.dmp  dcrat
Command and Scripting Interpreter: PowerShell (1 TTPs, 13 IoCs)
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
pid   Process
620   powershell.exe
5112  powershell.exe
3600  powershell.exe
1924  powershell.exe
4880  powershell.exe
1140  powershell.exe
2728  powershell.exe
2240  powershell.exe
8     powershell.exe
1232  powershell.exe
1672  powershell.exe
2328  powershell.exe
4728  powershell.exe
Checks computer location settings (2 TTPs, 18 IoCs)
Looks up the country code configured in the registry, likely for geofencing.
Executes dropped EXE (17 IoCs)
pid   Process
3200  DllCommonsvc.exe
5016  winlogon.exe
1668  winlogon.exe
1804  winlogon.exe
116   winlogon.exe
648   winlogon.exe
4424  winlogon.exe
2632  winlogon.exe
2752  winlogon.exe
4988  winlogon.exe
224   winlogon.exe
112   winlogon.exe
1256  winlogon.exe
3516  winlogon.exe
2736  winlogon.exe
1036  winlogon.exe
4368  winlogon.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 16 IoCs)
ioc (all flows): raw.githubusercontent.com
flow: 17, 28, 42, 59, 57, 60, 40, 46, 47, 55, 25, 48, 56, 58, 18, 41
Drops file in Program Files directory (2 IoCs)
description   ioc                                                           Process
File created  C:\Program Files\Microsoft Office 15\ClientX64\dllhost.exe     DllCommonsvc.exe
File created  C:\Program Files\Microsoft Office 15\ClientX64\5940a34987c991  DllCommonsvc.exe
Drops file in Windows directory (7 IoCs)
description                   ioc                                                       Process
File created                  C:\Windows\GameBarPresenceWriter\DllCommonsvc.exe         DllCommonsvc.exe
File created                  C:\Windows\GameBarPresenceWriter\a76d7bf15d8370           DllCommonsvc.exe
File created                  C:\Windows\BitLockerDiscoveryVolumeContents\sppsvc.exe    DllCommonsvc.exe
File opened for modification  C:\Windows\BitLockerDiscoveryVolumeContents\sppsvc.exe    DllCommonsvc.exe
File created                  C:\Windows\BitLockerDiscoveryVolumeContents\0a1fd5f707cd16  DllCommonsvc.exe
File created                  C:\Windows\appcompat\appraiser\RuntimeBroker.exe          DllCommonsvc.exe
File created                  C:\Windows\appcompat\appraiser\9e8d7a4ca61bd9             DllCommonsvc.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                           Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  JaffaCakes118_a57979937859ed51e4b90d5d623243ee619134124481ce57321a6b760e582e10.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  WScript.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
Modifies registry class (16 IoCs)
Scheduled Task/Job: Scheduled Task (1 TTPs, 36 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious behavior: EnumeratesProcesses (59 IoCs)
Suspicious use of AdjustPrivilegeToken (30 IoCs)
Suspicious use of WriteProcessMemory (64 IoCs)
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (tree depth in brackets; each entry gives image path, command line, matched signatures and PID)

[1] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a57979937859ed51e4b90d5d623243ee619134124481ce57321a6b760e582e10.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a57979937859ed51e4b90d5d623243ee619134124481ce57321a6b760e582e10.exe"
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID: 404

[2] C:\Windows\SysWOW64\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 4936

[3] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 4212

[4] C:\providercommon\DllCommonsvc.exe
    Command line: "C:\providercommon\DllCommonsvc.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 3200

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 3600

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\BitLockerDiscoveryVolumeContents\sppsvc.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1924

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\dllhost.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1232

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\appcompat\appraiser\RuntimeBroker.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1672

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\GameBarPresenceWriter\DllCommonsvc.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 4880

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office 15\ClientX64\dllhost.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2328

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\conhost.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1140

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dllhost.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 4728

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\spoolsv.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2728

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\lsass.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2240

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\Idle.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 620

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\DllCommonsvc.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 5112

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Google\Chrome\Application\SetupMetrics\winlogon.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 8

[5] C:\Program Files\Google\Chrome\Application\SetupMetrics\winlogon.exe
    Command line: "C:\Program Files\Google\Chrome\Application\SetupMetrics\winlogon.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 5016

[6] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xjNnGM38uG.bat"
    - Suspicious use of WriteProcessMemory
    PID: 4480

[7] C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 1084

[7] C:\Program Files\Google\Chrome\Application\SetupMetrics\winlogon.exe
    Command line: "C:\Program Files\Google\Chrome\Application\SetupMetrics\winlogon.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 1668

[8] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0PvuKmrV6l.bat"
    - Suspicious use of WriteProcessMemory
    PID: 2400

[9] C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 4176

[9] C:\Program Files\Google\Chrome\Application\SetupMetrics\winlogon.exe
    Command line: "C:\Program Files\Google\Chrome\Application\SetupMetrics\winlogon.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 1804

[10] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pkmftNZ3Wr.bat"
    - Suspicious use of WriteProcessMemory
    PID: 4728

[11] C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 620

[11] C:\Program Files\Google\Chrome\Application\SetupMetrics\winlogon.exe
    Command line: "C:\Program Files\Google\Chrome\Application\SetupMetrics\winlogon.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 116

[12] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9Z120WfzwF.bat"
    - Suspicious use of WriteProcessMemory
    PID: 3264

[13] C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 2992

[13] C:\Program Files\Google\Chrome\Application\SetupMetrics\winlogon.exe
    Command line: "C:\Program Files\Google\Chrome\Application\SetupMetrics\winlogon.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 648

[14] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tcplHXgq9Q.bat"
    - Suspicious use of WriteProcessMemory
    PID: 2108

[15] C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 4404

[15] C:\Program Files\Google\Chrome\Application\SetupMetrics\winlogon.exe
    Command line: "C:\Program Files\Google\Chrome\Application\SetupMetrics\winlogon.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 4424

[16] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\asjVMp8zxr.bat"
    PID: 2036

[17] C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 208

[17] C:\Program Files\Google\Chrome\Application\SetupMetrics\winlogon.exe
    Command line: "C:\Program Files\Google\Chrome\Application\SetupMetrics\winlogon.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2632

[18] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\b3FUfZROOv.bat"
    PID: 4216

[19] C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 452

[19] C:\Program Files\Google\Chrome\Application\SetupMetrics\winlogon.exe
    Command line: "C:\Program Files\Google\Chrome\Application\SetupMetrics\winlogon.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2752

[20] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6SU00hIhBO.bat"
    PID: 1560

[21] C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 3332

[21] C:\Program Files\Google\Chrome\Application\SetupMetrics\winlogon.exe
    Command line: "C:\Program Files\Google\Chrome\Application\SetupMetrics\winlogon.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 4988

[22] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\R8cJcUuQgj.bat"
    PID: 1900

[23] C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 2668

[23] C:\Program Files\Google\Chrome\Application\SetupMetrics\winlogon.exe
    Command line: "C:\Program Files\Google\Chrome\Application\SetupMetrics\winlogon.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 224

[24] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CV35gbisF1.bat"
    PID: 3148

[25] C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 260

[25] C:\Program Files\Google\Chrome\Application\SetupMetrics\winlogon.exe
    Command line: "C:\Program Files\Google\Chrome\Application\SetupMetrics\winlogon.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 112

[26] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\M53DwaTFc6.bat"
    PID: 2892

[27] C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 1948

[27] C:\Program Files\Google\Chrome\Application\SetupMetrics\winlogon.exe
    Command line: "C:\Program Files\Google\Chrome\Application\SetupMetrics\winlogon.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1256

[28] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NHYDEKme3A.bat"
    PID: 2204

[29] C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 3180
C:\Program Files\Google\Chrome\Application\SetupMetrics\winlogon.exe"C:\Program Files\Google\Chrome\Application\SetupMetrics\winlogon.exe"29⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3516 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kvUluF99a5.bat"30⤵PID:2732
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:231⤵PID:2592
-
-
C:\Program Files\Google\Chrome\Application\SetupMetrics\winlogon.exe"C:\Program Files\Google\Chrome\Application\SetupMetrics\winlogon.exe"31⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2736 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AKY6NrPTox.bat"32⤵PID:4216
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:233⤵PID:2608
-
-
C:\Program Files\Google\Chrome\Application\SetupMetrics\winlogon.exe"C:\Program Files\Google\Chrome\Application\SetupMetrics\winlogon.exe"33⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1036 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\asjVMp8zxr.bat"34⤵PID:1280
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:235⤵PID:2952
-
-
C:\Program Files\Google\Chrome\Application\SetupMetrics\winlogon.exe"C:\Program Files\Google\Chrome\Application\SetupMetrics\winlogon.exe"35⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4368
C:\Windows\system32\schtasks.exe (level 1, PID 3264)
  Command line: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\sppsvc.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (level 1, PID 5092)
  Command line: schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\sppsvc.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (level 1, PID 1876)
  Command line: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\sppsvc.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (level 1, PID 1224)
  Command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (level 1, PID 4248)
  Command line: schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (level 1, PID 4420)
  Command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (level 1, PID 1912)
  Command line: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Windows\appcompat\appraiser\RuntimeBroker.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (level 1, PID 4960)
  Command line: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\appcompat\appraiser\RuntimeBroker.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (level 1, PID 4576)
  Command line: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Windows\appcompat\appraiser\RuntimeBroker.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (level 1, PID 1980)
  Command line: schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 9 /tr "'C:\Windows\GameBarPresenceWriter\DllCommonsvc.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (level 1, PID 3916)
  Command line: schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Windows\GameBarPresenceWriter\DllCommonsvc.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (level 1, PID 5068)
  Command line: schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 6 /tr "'C:\Windows\GameBarPresenceWriter\DllCommonsvc.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (level 1, PID 1676)
  Command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\dllhost.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (level 1, PID 3604)
  Command line: schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\dllhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (level 1, PID 112)
  Command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\dllhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (level 1, PID 2108)
  Command line: schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (level 1, PID 2140)
  Command line: schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (level 1, PID 3528)
  Command line: schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (level 1, PID 940)
  Command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\providercommon\dllhost.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (level 1, PID 1120)
  Command line: schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (level 1, PID 1432)
  Command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (level 1, PID 3144)
  Command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\providercommon\spoolsv.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (level 1, PID 1960)
  Command line: schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (level 1, PID 2732)
  Command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (level 1, PID 540)
  Command line: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (level 1, PID 1244)
  Command line: schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (level 1, PID 732)
  Command line: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (level 1, PID 3416)
  Command line: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\Idle.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (level 1, PID 4908)
  Command line: schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Default User\Idle.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (level 1, PID 2904)
  Command line: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\Idle.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (level 1, PID 1952)
  Command line: schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\DllCommonsvc.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (level 1, PID 4216)
  Command line: schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Users\Default User\DllCommonsvc.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (level 1, PID 4144)
  Command line: schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\DllCommonsvc.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (level 1, PID 4656)
  Command line: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\winlogon.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (level 1, PID 3736)
  Command line: schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\winlogon.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (level 1, PID 2764)
  Command line: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\winlogon.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Downloads