Analysis
-
max time kernel
148s -
max time network
145s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
30/12/2024, 17:22
Behavioral task
behavioral1
Sample
JaffaCakes118_524faec0efb3ab0cfb2d14f91a695710ca21c9c1691a78b63100ca015c8490c1.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
JaffaCakes118_524faec0efb3ab0cfb2d14f91a695710ca21c9c1691a78b63100ca015c8490c1.exe
Resource
win10v2004-20241007-en
General
-
Target
JaffaCakes118_524faec0efb3ab0cfb2d14f91a695710ca21c9c1691a78b63100ca015c8490c1.exe
-
Size
1.3MB
-
MD5
16697be95f406116df0fc9b42d05cd5b
-
SHA1
6003ca0500f546496a78b42e16f1c60cef1ffaa3
-
SHA256
524faec0efb3ab0cfb2d14f91a695710ca21c9c1691a78b63100ca015c8490c1
-
SHA512
e7b98c61f15513ffb2034e0a529317c3a2afcd9d0a9aa9d54eb3e4edd0942e4a1101489ff72298ab2c51f04751c26dd16629059d2df52621bfffd34e64693ce8
-
SSDEEP
24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 42 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2644 1944 schtasks.exe 89 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3120 1944 schtasks.exe 89 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2112 1944 schtasks.exe 89 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3940 1944 schtasks.exe 89 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4764 1944 schtasks.exe 89 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4364 1944 schtasks.exe 89 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3860 1944 schtasks.exe 89 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4844 1944 schtasks.exe 89 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4508 1944 schtasks.exe 89 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4516 1944 schtasks.exe 89 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1580 1944 schtasks.exe 89 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4584 1944 schtasks.exe 89 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3900 1944 schtasks.exe 89 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4972 1944 schtasks.exe 89 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2284 1944 schtasks.exe 89 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4900 1944 schtasks.exe 89 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5048 1944 schtasks.exe 89 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1848 1944 schtasks.exe 89 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 980 1944 schtasks.exe 89 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1640 1944 schtasks.exe 89 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3976 1944 schtasks.exe 89 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2068 1944 schtasks.exe 89 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4272 1944 schtasks.exe 89 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5044 1944 schtasks.exe 89 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3240 1944 schtasks.exe 89 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3112 1944 schtasks.exe 89 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3884 1944 schtasks.exe 89 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2424 1944 schtasks.exe 89 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2800 1944 schtasks.exe 89 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 8 1944 schtasks.exe 89 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 216 1944 schtasks.exe 89 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1724 1944 schtasks.exe 89 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2700 1944 schtasks.exe 89 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3944 1944 schtasks.exe 89 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 648 1944 schtasks.exe 89 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1816 1944 schtasks.exe 89 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4340 1944 schtasks.exe 89 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3544 1944 schtasks.exe 89 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3196 1944 schtasks.exe 89 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4984 1944 schtasks.exe 89 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 520 1944 schtasks.exe 89 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2508 1944 schtasks.exe 89 -
resource yara_rule behavioral2/files/0x0007000000023c80-9.dat dcrat behavioral2/memory/2996-13-0x0000000000CC0000-0x0000000000DD0000-memory.dmp dcrat -
Command and Scripting Interpreter: PowerShell 1 TTPs 15 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 960 powershell.exe 4800 powershell.exe 1924 powershell.exe 4720 powershell.exe 2616 powershell.exe 1912 powershell.exe 3612 powershell.exe 2272 powershell.exe 1452 powershell.exe 4868 powershell.exe 4080 powershell.exe 384 powershell.exe 1556 powershell.exe 4884 powershell.exe 464 powershell.exe -
Checks computer location settings 2 TTPs 17 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation RuntimeBroker.exe Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation RuntimeBroker.exe Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation RuntimeBroker.exe Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation RuntimeBroker.exe Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation DllCommonsvc.exe Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation RuntimeBroker.exe Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation RuntimeBroker.exe Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation RuntimeBroker.exe Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation RuntimeBroker.exe Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation RuntimeBroker.exe Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation RuntimeBroker.exe Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation RuntimeBroker.exe Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation RuntimeBroker.exe Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation RuntimeBroker.exe Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation RuntimeBroker.exe Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation JaffaCakes118_524faec0efb3ab0cfb2d14f91a695710ca21c9c1691a78b63100ca015c8490c1.exe -
Executes dropped EXE 16 IoCs
pid Process 2996 DllCommonsvc.exe 2372 RuntimeBroker.exe 1504 RuntimeBroker.exe 4960 RuntimeBroker.exe 2040 RuntimeBroker.exe 4588 RuntimeBroker.exe 2916 RuntimeBroker.exe 3276 RuntimeBroker.exe 2804 RuntimeBroker.exe 3476 RuntimeBroker.exe 1100 RuntimeBroker.exe 2256 RuntimeBroker.exe 3464 RuntimeBroker.exe 4780 RuntimeBroker.exe 3408 RuntimeBroker.exe 3476 RuntimeBroker.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 15 IoCs
flow ioc 25 raw.githubusercontent.com 40 raw.githubusercontent.com 54 raw.githubusercontent.com 56 raw.githubusercontent.com 22 raw.githubusercontent.com 46 raw.githubusercontent.com 47 raw.githubusercontent.com 55 raw.githubusercontent.com 59 raw.githubusercontent.com 41 raw.githubusercontent.com 58 raw.githubusercontent.com 21 raw.githubusercontent.com 45 raw.githubusercontent.com 57 raw.githubusercontent.com 39 raw.githubusercontent.com -
Drops file in Program Files directory 11 IoCs
description ioc Process File created C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\6cb0b6c459d5d3 DllCommonsvc.exe File created C:\Program Files (x86)\Windows Defender\it-IT\6ccacd8608530f DllCommonsvc.exe File created C:\Program Files\Windows Security\RuntimeBroker.exe DllCommonsvc.exe File opened for modification C:\Program Files\Windows Security\RuntimeBroker.exe DllCommonsvc.exe File created C:\Program Files (x86)\Internet Explorer\wininit.exe DllCommonsvc.exe File created C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\55b276f4edf653 DllCommonsvc.exe File created C:\Program Files (x86)\Windows Defender\it-IT\Idle.exe DllCommonsvc.exe File created C:\Program Files\Windows Security\9e8d7a4ca61bd9 DllCommonsvc.exe File created C:\Program Files (x86)\Internet Explorer\56085415360792 DllCommonsvc.exe File created C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\StartMenuExperienceHost.exe DllCommonsvc.exe File created C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\dwm.exe DllCommonsvc.exe -
Drops file in Windows directory 3 IoCs
description ioc Process File created C:\Windows\ServiceState\SEMgrSvc\Data\RuntimeBroker.exe DllCommonsvc.exe File created C:\Windows\TAPI\smss.exe DllCommonsvc.exe File created C:\Windows\TAPI\69ddcba757bf72 DllCommonsvc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_524faec0efb3ab0cfb2d14f91a695710ca21c9c1691a78b63100ca015c8490c1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
Modifies registry class 16 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings RuntimeBroker.exe Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings DllCommonsvc.exe Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings RuntimeBroker.exe Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings RuntimeBroker.exe Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings RuntimeBroker.exe Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings RuntimeBroker.exe Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings JaffaCakes118_524faec0efb3ab0cfb2d14f91a695710ca21c9c1691a78b63100ca015c8490c1.exe Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings RuntimeBroker.exe Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings RuntimeBroker.exe Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings RuntimeBroker.exe Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings RuntimeBroker.exe Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings RuntimeBroker.exe Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings RuntimeBroker.exe Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings RuntimeBroker.exe Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings RuntimeBroker.exe Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings RuntimeBroker.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 42 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 5044 schtasks.exe 4984 schtasks.exe 4844 schtasks.exe 1640 schtasks.exe 2068 schtasks.exe 520 schtasks.exe 980 schtasks.exe 3976 schtasks.exe 3944 schtasks.exe 3940 schtasks.exe 4364 schtasks.exe 4516 schtasks.exe 3900 schtasks.exe 4972 schtasks.exe 2700 schtasks.exe 2508 schtasks.exe 3860 schtasks.exe 4900 schtasks.exe 5048 schtasks.exe 3240 schtasks.exe 8 schtasks.exe 2424 schtasks.exe 2800 schtasks.exe 2644 schtasks.exe 2112 schtasks.exe 4508 schtasks.exe 1580 schtasks.exe 1848 schtasks.exe 4584 schtasks.exe 3112 schtasks.exe 3196 schtasks.exe 3120 schtasks.exe 2284 schtasks.exe 648 schtasks.exe 1816 schtasks.exe 4340 schtasks.exe 3544 schtasks.exe 4764 schtasks.exe 4272 schtasks.exe 3884 schtasks.exe 216 schtasks.exe 1724 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2996 DllCommonsvc.exe 2996 DllCommonsvc.exe 2996 DllCommonsvc.exe 2996 DllCommonsvc.exe 2996 DllCommonsvc.exe 2996 DllCommonsvc.exe 2996 DllCommonsvc.exe 2996 DllCommonsvc.exe 2996 DllCommonsvc.exe 2996 DllCommonsvc.exe 2996 DllCommonsvc.exe 2996 DllCommonsvc.exe 2996 DllCommonsvc.exe 2996 DllCommonsvc.exe 2996 DllCommonsvc.exe 2996 DllCommonsvc.exe 2996 DllCommonsvc.exe 2996 DllCommonsvc.exe 2996 DllCommonsvc.exe 464 powershell.exe 464 powershell.exe 2616 powershell.exe 2616 powershell.exe 1912 powershell.exe 1912 powershell.exe 3612 powershell.exe 3612 powershell.exe 384 powershell.exe 384 powershell.exe 4080 powershell.exe 4080 powershell.exe 4868 powershell.exe 4868 powershell.exe 4720 powershell.exe 4720 powershell.exe 960 powershell.exe 960 powershell.exe 4884 powershell.exe 4884 powershell.exe 1452 powershell.exe 1452 powershell.exe 1556 powershell.exe 1556 powershell.exe 4800 powershell.exe 4800 powershell.exe 2272 powershell.exe 2272 powershell.exe 4720 powershell.exe 1924 powershell.exe 1924 powershell.exe 2272 powershell.exe 1924 powershell.exe 384 powershell.exe 464 powershell.exe 464 powershell.exe 1912 powershell.exe 2616 powershell.exe 3612 powershell.exe 4080 powershell.exe 4800 powershell.exe 960 powershell.exe 4868 powershell.exe 1556 powershell.exe 4884 powershell.exe -
Suspicious use of AdjustPrivilegeToken 31 IoCs
description pid Process Token: SeDebugPrivilege 2996 DllCommonsvc.exe Token: SeDebugPrivilege 464 powershell.exe Token: SeDebugPrivilege 2616 powershell.exe Token: SeDebugPrivilege 1912 powershell.exe Token: SeDebugPrivilege 3612 powershell.exe Token: SeDebugPrivilege 384 powershell.exe Token: SeDebugPrivilege 4080 powershell.exe Token: SeDebugPrivilege 4800 powershell.exe Token: SeDebugPrivilege 960 powershell.exe Token: SeDebugPrivilege 4720 powershell.exe Token: SeDebugPrivilege 4868 powershell.exe Token: SeDebugPrivilege 4884 powershell.exe Token: SeDebugPrivilege 2272 powershell.exe Token: SeDebugPrivilege 1452 powershell.exe Token: SeDebugPrivilege 1556 powershell.exe Token: SeDebugPrivilege 1924 powershell.exe Token: SeDebugPrivilege 2372 RuntimeBroker.exe Token: SeDebugPrivilege 1504 RuntimeBroker.exe Token: SeDebugPrivilege 4960 RuntimeBroker.exe Token: SeDebugPrivilege 2040 RuntimeBroker.exe Token: SeDebugPrivilege 4588 RuntimeBroker.exe Token: SeDebugPrivilege 2916 RuntimeBroker.exe Token: SeDebugPrivilege 3276 RuntimeBroker.exe Token: SeDebugPrivilege 2804 RuntimeBroker.exe Token: SeDebugPrivilege 3476 RuntimeBroker.exe Token: SeDebugPrivilege 1100 RuntimeBroker.exe Token: SeDebugPrivilege 2256 RuntimeBroker.exe Token: SeDebugPrivilege 3464 RuntimeBroker.exe Token: SeDebugPrivilege 4780 RuntimeBroker.exe Token: SeDebugPrivilege 3408 RuntimeBroker.exe Token: SeDebugPrivilege 3476 RuntimeBroker.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4548 wrote to memory of 2852 4548 JaffaCakes118_524faec0efb3ab0cfb2d14f91a695710ca21c9c1691a78b63100ca015c8490c1.exe 84 PID 4548 wrote to memory of 2852 4548 JaffaCakes118_524faec0efb3ab0cfb2d14f91a695710ca21c9c1691a78b63100ca015c8490c1.exe 84 PID 4548 wrote to memory of 2852 4548 JaffaCakes118_524faec0efb3ab0cfb2d14f91a695710ca21c9c1691a78b63100ca015c8490c1.exe 84 PID 2852 wrote to memory of 1964 2852 WScript.exe 86 PID 2852 wrote to memory of 1964 2852 WScript.exe 86 PID 2852 wrote to memory of 1964 2852 WScript.exe 86 PID 1964 wrote to memory of 2996 1964 cmd.exe 88 PID 1964 wrote to memory of 2996 1964 cmd.exe 88 PID 2996 wrote to memory of 1924 2996 DllCommonsvc.exe 133 PID 2996 wrote to memory of 1924 2996 DllCommonsvc.exe 133 PID 2996 wrote to memory of 4080 2996 DllCommonsvc.exe 134 PID 2996 wrote to memory of 4080 2996 DllCommonsvc.exe 134 PID 2996 wrote to memory of 464 2996 DllCommonsvc.exe 135 PID 2996 wrote to memory of 464 2996 DllCommonsvc.exe 135 PID 2996 wrote to memory of 4868 2996 DllCommonsvc.exe 136 PID 2996 wrote to memory of 4868 2996 DllCommonsvc.exe 136 PID 2996 wrote to memory of 1452 2996 DllCommonsvc.exe 137 PID 2996 wrote to memory of 1452 2996 DllCommonsvc.exe 137 PID 2996 wrote to memory of 4884 2996 DllCommonsvc.exe 138 PID 2996 wrote to memory of 4884 2996 DllCommonsvc.exe 138 PID 2996 wrote to memory of 2272 2996 DllCommonsvc.exe 139 PID 2996 wrote to memory of 2272 2996 DllCommonsvc.exe 139 PID 2996 wrote to memory of 3612 2996 DllCommonsvc.exe 140 PID 2996 wrote to memory of 3612 2996 DllCommonsvc.exe 140 PID 2996 wrote to memory of 1556 2996 DllCommonsvc.exe 141 PID 2996 wrote to memory of 1556 2996 DllCommonsvc.exe 141 PID 2996 wrote to memory of 1912 2996 DllCommonsvc.exe 142 PID 2996 wrote to memory of 1912 2996 DllCommonsvc.exe 142 PID 2996 wrote to memory of 384 2996 DllCommonsvc.exe 143 PID 2996 wrote to memory of 384 2996 DllCommonsvc.exe 143 PID 2996 wrote to memory of 2616 2996 DllCommonsvc.exe 144 PID 2996 wrote to memory of 2616 2996 DllCommonsvc.exe 144 PID 2996 wrote to memory of 4800 2996 DllCommonsvc.exe 145 PID 2996 wrote to memory of 4800 2996 DllCommonsvc.exe 145 PID 2996 wrote to memory of 960 2996 DllCommonsvc.exe 146 PID 2996 wrote to memory of 960 2996 DllCommonsvc.exe 146 PID 2996 wrote to memory of 4720 2996 DllCommonsvc.exe 147 PID 2996 wrote to memory of 4720 2996 DllCommonsvc.exe 147 PID 2996 wrote to memory of 2644 2996 DllCommonsvc.exe 163 PID 2996 wrote to memory of 2644 2996 DllCommonsvc.exe 163 PID 2644 wrote to memory of 1116 2644 cmd.exe 165 PID 2644 wrote to memory of 1116 2644 cmd.exe 165 PID 2644 wrote to memory of 2372 2644 cmd.exe 172 PID 2644 wrote to memory of 2372 2644 cmd.exe 172 PID 2372 wrote to memory of 264 2372 RuntimeBroker.exe 180 PID 2372 wrote to memory of 264 2372 RuntimeBroker.exe 180 PID 264 wrote to memory of 4084 264 cmd.exe 182 PID 264 wrote to memory of 4084 264 cmd.exe 182 PID 264 wrote to memory of 1504 264 cmd.exe 184 PID 264 wrote to memory of 1504 264 cmd.exe 184 PID 1504 wrote to memory of 2376 1504 RuntimeBroker.exe 186 PID 1504 wrote to memory of 2376 1504 RuntimeBroker.exe 186 PID 2376 wrote to memory of 1940 2376 cmd.exe 188 PID 2376 wrote to memory of 1940 2376 cmd.exe 188 PID 2376 wrote to memory of 4960 2376 cmd.exe 192 PID 2376 wrote to memory of 4960 2376 cmd.exe 192 PID 4960 wrote to memory of 2408 4960 RuntimeBroker.exe 195 PID 4960 wrote to memory of 2408 4960 RuntimeBroker.exe 195 PID 2408 wrote to memory of 2936 2408 cmd.exe 197 PID 2408 wrote to memory of 2936 2408 cmd.exe 197 PID 2408 wrote to memory of 2040 2408 cmd.exe 199 PID 2408 wrote to memory of 2040 2408 cmd.exe 199 PID 2040 wrote to memory of 1188 2040 RuntimeBroker.exe 201 PID 2040 wrote to memory of 1188 2040 RuntimeBroker.exe 201 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_524faec0efb3ab0cfb2d14f91a695710ca21c9c1691a78b63100ca015c8490c1.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_524faec0efb3ab0cfb2d14f91a695710ca21c9c1691a78b63100ca015c8490c1.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4548 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2852 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1964 -
C:\providercommon\DllCommonsvc.exe"C:\providercommon\DllCommonsvc.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2996 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1924
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Security\RuntimeBroker.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4080
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\My Documents\dwm.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:464
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\services.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4868
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\wininit.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1452
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Contacts\taskhostw.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4884
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\StartMenuExperienceHost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2272
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\RuntimeBroker.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3612
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\sihost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1556
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\explorer.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1912
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\dwm.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:384
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\it-IT\Idle.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2616
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Libraries\RuntimeBroker.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4800
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\sysmon.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:960
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\TAPI\smss.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4720
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CyMeBSpuyx.bat"5⤵
- Suspicious use of WriteProcessMemory
PID:2644 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:26⤵PID:1116
-
-
C:\Program Files\Windows Security\RuntimeBroker.exe"C:\Program Files\Windows Security\RuntimeBroker.exe"6⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2372 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QSfwyRFOJU.bat"7⤵
- Suspicious use of WriteProcessMemory
PID:264 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:28⤵PID:4084
-
-
C:\Program Files\Windows Security\RuntimeBroker.exe"C:\Program Files\Windows Security\RuntimeBroker.exe"8⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1504 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aMI81VmL1g.bat"9⤵
- Suspicious use of WriteProcessMemory
PID:2376 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:210⤵PID:1940
-
-
C:\Program Files\Windows Security\RuntimeBroker.exe"C:\Program Files\Windows Security\RuntimeBroker.exe"10⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4960 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eTpA0L9dlX.bat"11⤵
- Suspicious use of WriteProcessMemory
PID:2408 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:212⤵PID:2936
-
-
C:\Program Files\Windows Security\RuntimeBroker.exe"C:\Program Files\Windows Security\RuntimeBroker.exe"12⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2040 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZH81p4FGmr.bat"13⤵PID:1188
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:214⤵PID:232
-
-
C:\Program Files\Windows Security\RuntimeBroker.exe"C:\Program Files\Windows Security\RuntimeBroker.exe"14⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4588 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8t4fMT0wY0.bat"15⤵PID:1688
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:216⤵PID:3612
-
-
C:\Program Files\Windows Security\RuntimeBroker.exe"C:\Program Files\Windows Security\RuntimeBroker.exe"16⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2916 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iLsGNVHQP6.bat"17⤵PID:416
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:218⤵PID:2504
-
-
C:\Program Files\Windows Security\RuntimeBroker.exe"C:\Program Files\Windows Security\RuntimeBroker.exe"18⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:3276 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OWdtHMBUzi.bat"19⤵PID:1636
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:220⤵PID:4544
-
-
C:\Program Files\Windows Security\RuntimeBroker.exe"C:\Program Files\Windows Security\RuntimeBroker.exe"20⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2804 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aMI81VmL1g.bat"21⤵PID:100
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:222⤵PID:1460
-
-
C:\Program Files\Windows Security\RuntimeBroker.exe"C:\Program Files\Windows Security\RuntimeBroker.exe"22⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:3476 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aMI81VmL1g.bat"23⤵PID:3336
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:224⤵PID:4056
-
-
C:\Program Files\Windows Security\RuntimeBroker.exe"C:\Program Files\Windows Security\RuntimeBroker.exe"24⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1100 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ap6i2Y3psm.bat"25⤵PID:4468
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:226⤵PID:472
-
-
C:\Program Files\Windows Security\RuntimeBroker.exe"C:\Program Files\Windows Security\RuntimeBroker.exe"26⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2256 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\o4pIGJu18c.bat"27⤵PID:2200
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:228⤵PID:2240
-
-
C:\Program Files\Windows Security\RuntimeBroker.exe"C:\Program Files\Windows Security\RuntimeBroker.exe"28⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:3464 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TZCyxGcg3L.bat"29⤵PID:720
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:230⤵PID:4420
-
-
C:\Program Files\Windows Security\RuntimeBroker.exe"C:\Program Files\Windows Security\RuntimeBroker.exe"30⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4780 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\o4pIGJu18c.bat"31⤵PID:808
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:232⤵PID:4952
-
-
C:\Program Files\Windows Security\RuntimeBroker.exe"C:\Program Files\Windows Security\RuntimeBroker.exe"32⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:3408 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZH81p4FGmr.bat"33⤵PID:1188
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:234⤵PID:2460
-
-
C:\Program Files\Windows Security\RuntimeBroker.exe"C:\Program Files\Windows Security\RuntimeBroker.exe"34⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3476
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Security\RuntimeBroker.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2644
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows Security\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3120
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Security\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2112
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\My Documents\dwm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3940
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Admin\My Documents\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4764
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\My Documents\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4364
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\services.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3860
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4844
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4508
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Internet Explorer\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4516
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1580
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Internet Explorer\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4584
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Contacts\taskhostw.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3900
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Users\Admin\Contacts\taskhostw.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4972
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Contacts\taskhostw.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2284
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\StartMenuExperienceHost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4900
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\StartMenuExperienceHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5048
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\StartMenuExperienceHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1848
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\providercommon\RuntimeBroker.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:980
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\providercommon\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1640
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\providercommon\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3976
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihosts" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2068
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4272
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihosts" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5044
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\explorer.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3240
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\All Users\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3112
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3884
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\dwm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2424
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2800
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:8
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Defender\it-IT\Idle.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:216
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\it-IT\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1724
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Defender\it-IT\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2700
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Libraries\RuntimeBroker.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3944
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Public\Libraries\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:648
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Libraries\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1816
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmons" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4340
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3544
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmons" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3196
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Windows\TAPI\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4984
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\TAPI\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:520
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Windows\TAPI\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2508
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5baf55b95da4a601229647f25dad12878
SHA1abc16954ebfd213733c4493fc1910164d825cac8
SHA256ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924
SHA51224f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
944B
MD577d622bb1a5b250869a3238b9bc1402b
SHA1d47f4003c2554b9dfc4c16f22460b331886b191b
SHA256f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb
SHA512d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9
-
Filesize
944B
MD56d3e9c29fe44e90aae6ed30ccf799ca8
SHA1c7974ef72264bbdf13a2793ccf1aed11bc565dce
SHA2562360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d
SHA51260c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a
-
Filesize
944B
MD562623d22bd9e037191765d5083ce16a3
SHA14a07da6872672f715a4780513d95ed8ddeefd259
SHA25695d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010
SHA5129a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992
-
Filesize
944B
MD559d97011e091004eaffb9816aa0b9abd
SHA11602a56b01dd4b7c577ca27d3117e4bcc1aa657b
SHA25618f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d
SHA512d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6
-
Filesize
944B
MD5d28a889fd956d5cb3accfbaf1143eb6f
SHA1157ba54b365341f8ff06707d996b3635da8446f7
SHA25621e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45
SHA5120b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c
-
Filesize
944B
MD53a6bad9528f8e23fb5c77fbd81fa28e8
SHA1f127317c3bc6407f536c0f0600dcbcf1aabfba36
SHA256986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05
SHA512846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2
-
Filesize
944B
MD5ecceac16628651c18879d836acfcb062
SHA1420502b3e5220a01586c59504e94aa1ee11982c9
SHA25658238de09a8817ed9f894ed8e5bf06a897fd08e0b0bd77e508d37b2598edd2a9
SHA512be3c7cb529cafb00f58790a6f8b35c4ff6db9f7f43a507d2218fd80cebc88413e46f71b1bc35b8afcc36b68f9409c946470d1e74a4fe225400eeb6f3f898f5b3
-
Filesize
944B
MD5e8ce785f8ccc6d202d56fefc59764945
SHA1ca032c62ddc5e0f26d84eff9895eb87f14e15960
SHA256d85c19fc6b9d25e2168a2cc50ff38bd226fbf4f02aa7ac038a5f319522d2ffa4
SHA51266460aec4afee582556270f8ee6048d130a090f1c12a2632ed71a99a4073e9931e9e1cc286e32debffb95a90bd955f0f0d6ec891b1c5cd2f0aae41eb6d25832f
-
Filesize
216B
MD52c9efeee558c51bce5d87decda04324e
SHA11d77c037e600c1b9ce25d0ca5ab7d4d4e1ae79ea
SHA256060e7d10c960d12910d463cce05f15807024a6c0299638dfee46e4d893172b47
SHA51237acb210347d16a77875feaa59d956321c1bfde9d0b3365955b144370836a77265614dee58031e9b94e1c1adbd984db0e0e684c0f0346087212e05159c0a2525
-
Filesize
216B
MD553a9c0aab40aa92607fac5c93bd02d61
SHA1448fe775e77253cc57d97d0dde469d1b6b3fbaad
SHA256fffa4f3776b56155d1c633d5eb346bd0350982feabe3b67126738952849bdc4b
SHA5121c4ee6fae72a3470054de0480fe3e0c819ca3b2c12aa93f3c574c11fe527c6679422b86b375411efcae64bd964dfe960ee552d07d21676c1fea5c95afeae0de6
-
Filesize
216B
MD5ab1a5a7e38bf3017c0ed7986ba730a20
SHA146eee55684250cbda428ab760e5c5872b104223f
SHA256b93bb0434118add04a04a9a5dbb6fe03ea1bfb8a4f96ff2f727ef57f4c0b1913
SHA512b048280a9f28c2feb9e977d3ecd192d624d6dc27951bde137e14a15d6c2be6bcbdcead50d70cf9576ce6ada4a83f8e717ac6d39e641fed749d10c98c4ec9e00f
-
Filesize
216B
MD5b1497b3b29b26881b5b5637b551d9e9a
SHA1b86d448880d198b4ca83831314737efa282152b0
SHA25620e775d79fd7fa7cdb86cd593f541cbe9af2a4143dd28c5c8c67683d1ade773c
SHA512c633e4025ebb74e7244ddeb4f28a5364a62a626271ad4b5286a10266e60929eab3760650243bb0096134f3eb64cbabb45234dc7386704b974ed5fb64b01534e9
-
Filesize
216B
MD5910d24fe1fd783b684a7239592bfa3f6
SHA1d6683556aadf7a4f9621037e8f1ea904da42fbd9
SHA25639a4782baf389b9d4c97dd3215a7fa1b3c0133b24c1d7b7f7ee8d96790d70441
SHA5124cbd480995e673f99343ba8d7dc3b1348f154df5aaec871d6e18c5d82c8f98f2a48a44d91c8b7ba25fa26521cff099702cef268fa1fe3acde21663ad6aa0099e
-
Filesize
216B
MD56058bc013fd5d57e733c5dbdb6eef8b5
SHA15eb80ddb144849c68ff0392712632b7eda6b6d44
SHA256ab0e9eae7d1f931ca138b4032412ce1dfda1889b61721a81bb96513866dc19db
SHA512a0f585a77014516da141b28c0a5510d5477c747248c5fcf5a07e3c3d45e7cc1f9a6d695b5a76e611691cc1f5ad422849fee657e076655c7f540f442a756cadd3
-
Filesize
216B
MD53a513642e4c880c1bb76a2233c98af7f
SHA1c3da440277248b4c1bfd6e70938f2cca6376ea1f
SHA256d47a12eb2b83a4dc922f6a8ba33504a0e53a9ff44ec5bed8acb2ccd5e2606e56
SHA5124606963a13a3d6f8d40b83b02cb4df89e8dd18a9576f1338146f1cdc6ec7cc1eff96737b1300ba5457a3d8861fa21191b69b7ab6c1f959f0627b01d7bf8ad486
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
216B
MD581093566486269743e257346138c1462
SHA1484788b327fdc5c25ab5b4be620b3d1088243b68
SHA2569fcbd642dfc71ac0f327ac216af76f553ded2d85552a43e5ebc6bc920c2748a0
SHA512544f19d62a26bb24bfabaa02d72752d85c5bbfdc9f99eb34eec58ece739c94c9017aa296237fc46b790718bb16bc49f69a2b27063a334b157ab87bd3560304ed
-
Filesize
216B
MD5910cd0b691749f3f5455be88dd46c76f
SHA109cd1ed7708f2a0ef8759d53f77cfc8fd590deaa
SHA256f4c57cbf9cbdfbd8b63ad752ce6f38c21304e244609a0dbce33601ce4f5da7b3
SHA51288bf1b41044d34257a847b077f6edfb4142c3e5b6309aed5634e74c587da9db9b5bfc2ca693784df604b4c0a0879677d1dd3277bb17429e8f369fa2cada1c91e
-
Filesize
216B
MD5e44137a05b1536bb0766b7e43099719c
SHA1ddeb7232a1773ddab81a0fab4ccd1c33fce1575b
SHA2560ca736f6f44efa8b05a2c38e1e2f0d7038fc594eea026dce293c14db896fabd1
SHA5126b6e576fee7b5ead98c9d36641939a2cd43425afb869d5c1594e308e40627b47efe9c80a72d3fe59a6120fc0085c7c14a203f1b1c768dd2cf7dcfbbc4ce3c5ab
-
Filesize
216B
MD5ce6d360e985fa81cc7c822973c7c7c9e
SHA10de4b5d4362adfd13d3cc744f9951bbae7ff6dca
SHA256fdaa37a0ae3b7119dc3868a9679900534b930fec38a4ccc4db60d170e2713d0b
SHA512e667d13fb9d00bd168841608a05403b41575065d2fe1f89b6c53ac42b68e2097f4a34ffb9bd6b2b09f223b6c43d8068a77f84b1d45450f1bd941642a14a760e4
-
Filesize
36B
MD56783c3ee07c7d151ceac57f1f9c8bed7
SHA117468f98f95bf504cc1f83c49e49a78526b3ea03
SHA2568ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8
-
Filesize
1.0MB
MD5bd31e94b4143c4ce49c17d3af46bcad0
SHA1f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
Filesize
197B
MD58088241160261560a02c84025d107592
SHA1083121f7027557570994c9fc211df61730455bb5
SHA2562072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA51220d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478