Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted: 30/12/2024, 17:47
Behavioral task behavioral1
Sample: JaffaCakes118_a156b566c1d152210e8765e71f28896566ed54bcd1272d2ac2459f78f0ef81dc.exe
Resource: win7-20240903-en
Behavioral task behavioral2
Sample: JaffaCakes118_a156b566c1d152210e8765e71f28896566ed54bcd1272d2ac2459f78f0ef81dc.exe
Resource: win10v2004-20241007-en
General
Target: JaffaCakes118_a156b566c1d152210e8765e71f28896566ed54bcd1272d2ac2459f78f0ef81dc.exe
Size: 1.3MB
MD5: 51da4d05c1653e3b871146aed9540042
SHA1: b6fec857a59402aee65b0796a0943e3fc5a334b5
SHA256: a156b566c1d152210e8765e71f28896566ed54bcd1272d2ac2459f78f0ef81dc
SHA512: 5ce500414a4ba1a8021a132e0286b4db6ecce427b45160a94fc7f3b19ea481649de5d402b606a1e49e61a6552ab06b89e058c2b2325be3517b0970886181d0e8
SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
DcRat
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
Dcrat family
Process spawned unexpected child process 64 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1344 | 4540 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3528 | 4540 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1840 | 4540 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 928 | 4540 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2092 | 4540 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4444 | 4540 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 5048 | 4540 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 712 | 4540 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 532 | 4540 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2064 | 4540 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4888 | 4540 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4852 | 4540 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2004 | 4540 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3708 | 4540 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 5040 | 4540 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 312 | 4540 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4792 | 4540 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3588 | 4540 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2968 | 4540 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1312 | 4540 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4064 | 4540 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3680 | 4540 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 740 | 4540 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 408 | 4540 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1616 | 4540 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3396 | 4540 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3124 | 4540 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3852 | 4540 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3756 | 4540 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4244 | 4540 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4232 | 4540 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1776 | 4540 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1656 | 4540 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4364 | 4540 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4876 | 4540 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1220 | 4540 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4920 | 4540 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 624 | 4540 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4404 | 4540 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4796 | 4540 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4792 | 4540 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4548 | 4540 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 220 | 4540 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 964 | 4540 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3788 | 4540 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3284 | 4540 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1092 | 4540 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3328 | 4540 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1552 | 4540 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 864 | 4540 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4972 | 4540 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2068 | 4540 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3612 | 4540 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3244 | 4540 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3192 | 4540 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 5100 | 4540 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1960 | 4540 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2828 | 4540 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 396 | 4540 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4212 | 4540 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2984 | 4540 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3480 | 4540 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3600 | 4540 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2024 | 4540 | schtasks.exe | 86
resource | yara_rule
behavioral2/files/0x0007000000023c9e-10.dat | dcrat
behavioral2/memory/4780-13-0x0000000000500000-0x0000000000610000-memory.dmp | dcrat
Command and Scripting Interpreter: PowerShell 1 TTPs 31 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid | Process
3056 | powershell.exe
1208 | powershell.exe
4544 | powershell.exe
1272 | powershell.exe
3680 | powershell.exe
4348 | powershell.exe
4940 | powershell.exe
2008 | powershell.exe
1964 | powershell.exe
548 | powershell.exe
3244 | powershell.exe
2348 | powershell.exe
2536 | powershell.exe
4388 | powershell.exe
2068 | powershell.exe
3116 | powershell.exe
4300 | powershell.exe
2432 | powershell.exe
1948 | powershell.exe
5084 | powershell.exe
4420 | powershell.exe
2124 | powershell.exe
3436 | powershell.exe
2004 | powershell.exe
2596 | powershell.exe
4088 | powershell.exe
1732 | powershell.exe
3376 | powershell.exe
1964 | powershell.exe
1696 | powershell.exe
3484 | powershell.exe
Checks computer location settings 2 TTPs 15 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | conhost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | conhost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | conhost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | JaffaCakes118_a156b566c1d152210e8765e71f28896566ed54bcd1272d2ac2459f78f0ef81dc.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | DllCommonsvc.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | conhost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | conhost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | conhost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | conhost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | conhost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | conhost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | DllCommonsvc.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | conhost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | WScript.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | conhost.exe
Executes dropped EXE 13 IoCs
pid | Process
4780 | DllCommonsvc.exe
1276 | DllCommonsvc.exe
1940 | conhost.exe
5788 | conhost.exe
6112 | conhost.exe
3640 | conhost.exe
464 | conhost.exe
548 | conhost.exe
5336 | conhost.exe
2280 | conhost.exe
5396 | conhost.exe
4252 | conhost.exe
2140 | conhost.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs
flow | ioc
20 | raw.githubusercontent.com
25 | raw.githubusercontent.com
39 | raw.githubusercontent.com
45 | raw.githubusercontent.com
50 | raw.githubusercontent.com
53 | raw.githubusercontent.com
21 | raw.githubusercontent.com
40 | raw.githubusercontent.com
44 | raw.githubusercontent.com
51 | raw.githubusercontent.com
52 | raw.githubusercontent.com
Drops file in Program Files directory 22 IoCs
description | ioc | Process
File created | C:\Program Files (x86)\Mozilla Maintenance Service\logs\5b884080fd4f94 | DllCommonsvc.exe
File created | C:\Program Files (x86)\Windows Defender\fr-FR\conhost.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\winlogon.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\WindowsPowerShell\RuntimeBroker.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\Idle.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\6ccacd8608530f | DllCommonsvc.exe
File created | C:\Program Files\Common Files\System\ja-JP\SearchApp.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\088424020bedd6 | DllCommonsvc.exe
File created | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\conhost.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\Mozilla Maintenance Service\logs\fontdrvhost.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\cc11b995f2a76d | DllCommonsvc.exe
File created | C:\Program Files (x86)\Windows Photo Viewer\es-ES\fontdrvhost.exe | DllCommonsvc.exe
File created | C:\Program Files\Microsoft Office 15\ClientX64\dwm.exe | DllCommonsvc.exe
File created | C:\Program Files\Microsoft Office 15\ClientX64\6cb0b6c459d5d3 | DllCommonsvc.exe
File created | C:\Program Files (x86)\Mozilla Maintenance Service\logs\WmiPrvSE.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\Mozilla Maintenance Service\logs\24dbde2999530e | DllCommonsvc.exe
File created | C:\Program Files (x86)\WindowsPowerShell\9e8d7a4ca61bd9 | DllCommonsvc.exe
File created | C:\Program Files (x86)\Windows Defender\fr-FR\088424020bedd6 | DllCommonsvc.exe
File created | C:\Program Files (x86)\Windows Photo Viewer\es-ES\5b884080fd4f94 | DllCommonsvc.exe
File created | C:\Program Files (x86)\Windows Defender\WmiPrvSE.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\Windows Defender\24dbde2999530e | DllCommonsvc.exe
File created | C:\Program Files\Common Files\System\ja-JP\38384e6a620884 | DllCommonsvc.exe
Drops file in Windows directory 9 IoCs
description | ioc | Process
File created | C:\Windows\IdentityCRL\production\5940a34987c991 | DllCommonsvc.exe
File created | C:\Windows\Containers\spoolsv.exe | DllCommonsvc.exe
File created | C:\Windows\Containers\f3b6ecef712a24 | DllCommonsvc.exe
File created | C:\Windows\Speech\Common\en-US\System.exe | DllCommonsvc.exe
File created | C:\Windows\fr-FR\ebf1f9fa8afd6d | DllCommonsvc.exe
File created | C:\Windows\IdentityCRL\production\dllhost.exe | DllCommonsvc.exe
File created | C:\Windows\fr-FR\cmd.exe | DllCommonsvc.exe
File created | C:\Windows\IME\wininit.exe | DllCommonsvc.exe
File created | C:\Windows\IME\56085415360792 | DllCommonsvc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_a156b566c1d152210e8765e71f28896566ed54bcd1272d2ac2459f78f0ef81dc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Modifies registry class 13 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings | conhost.exe
Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings | conhost.exe
Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings | conhost.exe
Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings | conhost.exe
Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings | conhost.exe
Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings | JaffaCakes118_a156b566c1d152210e8765e71f28896566ed54bcd1272d2ac2459f78f0ef81dc.exe
Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings | DllCommonsvc.exe
Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings | conhost.exe
Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings | conhost.exe
Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings | conhost.exe
Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings | conhost.exe
Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings | conhost.exe
Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings | conhost.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
4576 | schtasks.exe
1312 | schtasks.exe
3356 | schtasks.exe
712 | schtasks.exe
3680 | schtasks.exe
2068 | schtasks.exe
4936 | schtasks.exe
928 | schtasks.exe
4444 | schtasks.exe
4792 | schtasks.exe
5100 | schtasks.exe
396 | schtasks.exe
4648 | schtasks.exe
4888 | schtasks.exe
624 | schtasks.exe
4844 | schtasks.exe
4888 | schtasks.exe
468 | schtasks.exe
2476 | schtasks.exe
4724 | schtasks.exe
4404 | schtasks.exe
4552 | schtasks.exe
3788 | schtasks.exe
2984 | schtasks.exe
2064 | schtasks.exe
4876 | schtasks.exe
2024 | schtasks.exe
1960 | schtasks.exe
3480 | schtasks.exe
3708 | schtasks.exe
3124 | schtasks.exe
3852 | schtasks.exe
4972 | schtasks.exe
2828 | schtasks.exe
3528 | schtasks.exe
532 | schtasks.exe
3600 | schtasks.exe
2092 | schtasks.exe
1776 | schtasks.exe
4792 | schtasks.exe
4064 | schtasks.exe
740 | schtasks.exe
4232 | schtasks.exe
3612 | schtasks.exe
2704 | schtasks.exe
4852 | schtasks.exe
2004 | schtasks.exe
4948 | schtasks.exe
4760 | schtasks.exe
2436 | schtasks.exe
4920 | schtasks.exe
1092 | schtasks.exe
4212 | schtasks.exe
3496 | schtasks.exe
408 | schtasks.exe
1656 | schtasks.exe
3396 | schtasks.exe
4364 | schtasks.exe
3284 | schtasks.exe
3328 | schtasks.exe
5048 | schtasks.exe
5040 | schtasks.exe
3244 | schtasks.exe
4816 | schtasks.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
4780 | DllCommonsvc.exe
4780 | DllCommonsvc.exe
4780 | DllCommonsvc.exe
4780 | DllCommonsvc.exe
4780 | DllCommonsvc.exe
1948 | powershell.exe
1948 | powershell.exe
4348 | powershell.exe
4348 | powershell.exe
3244 | powershell.exe
3244 | powershell.exe
1964 | powershell.exe
1964 | powershell.exe
5084 | powershell.exe
5084 | powershell.exe
4088 | powershell.exe
4088 | powershell.exe
2008 | powershell.exe
2008 | powershell.exe
1696 | powershell.exe
1696 | powershell.exe
548 | powershell.exe
548 | powershell.exe
3056 | powershell.exe
3056 | powershell.exe
2068 | powershell.exe
2068 | powershell.exe
1208 | powershell.exe
1208 | powershell.exe
4940 | powershell.exe
4940 | powershell.exe
2596 | powershell.exe
2596 | powershell.exe
2068 | powershell.exe
2596 | powershell.exe
3244 | powershell.exe
4348 | powershell.exe
1208 | powershell.exe
1948 | powershell.exe
1948 | powershell.exe
548 | powershell.exe
2008 | powershell.exe
4088 | powershell.exe
1696 | powershell.exe
5084 | powershell.exe
1964 | powershell.exe
3056 | powershell.exe
4940 | powershell.exe
1276 | DllCommonsvc.exe
1276 | DllCommonsvc.exe
1276 | DllCommonsvc.exe
1276 | DllCommonsvc.exe
1276 | DllCommonsvc.exe
1276 | DllCommonsvc.exe
1276 | DllCommonsvc.exe
1276 | DllCommonsvc.exe
1276 | DllCommonsvc.exe
4300 | powershell.exe
4300 | powershell.exe
1732 | powershell.exe
1732 | powershell.exe
4300 | powershell.exe
4388 | powershell.exe
4388 | powershell.exe
Suspicious use of AdjustPrivilegeToken 44 IoCs
description | pid | Process
Token: SeDebugPrivilege | 4780 | DllCommonsvc.exe
Token: SeDebugPrivilege | 1948 | powershell.exe
Token: SeDebugPrivilege | 4348 | powershell.exe
Token: SeDebugPrivilege | 3244 | powershell.exe
Token: SeDebugPrivilege | 1964 | powershell.exe
Token: SeDebugPrivilege | 5084 | powershell.exe
Token: SeDebugPrivilege | 4088 | powershell.exe
Token: SeDebugPrivilege | 2008 | powershell.exe
Token: SeDebugPrivilege | 1696 | powershell.exe
Token: SeDebugPrivilege | 548 | powershell.exe
Token: SeDebugPrivilege | 3056 | powershell.exe
Token: SeDebugPrivilege | 1208 | powershell.exe
Token: SeDebugPrivilege | 2068 | powershell.exe
Token: SeDebugPrivilege | 4940 | powershell.exe
Token: SeDebugPrivilege | 2596 | powershell.exe
Token: SeDebugPrivilege | 1276 | DllCommonsvc.exe
Token: SeDebugPrivilege | 4300 | powershell.exe
Token: SeDebugPrivilege | 1732 | powershell.exe
Token: SeDebugPrivilege | 2432 | powershell.exe
Token: SeDebugPrivilege | 4388 | powershell.exe
Token: SeDebugPrivilege | 3436 | powershell.exe
Token: SeDebugPrivilege | 3680 | powershell.exe
Token: SeDebugPrivilege | 1964 | powershell.exe
Token: SeDebugPrivilege | 3484 | powershell.exe
Token: SeDebugPrivilege | 2124 | powershell.exe
Token: SeDebugPrivilege | 4544 | powershell.exe
Token: SeDebugPrivilege | 2536 | powershell.exe
Token: SeDebugPrivilege | 4420 | powershell.exe
Token: SeDebugPrivilege | 2004 | powershell.exe
Token: SeDebugPrivilege | 3116 | powershell.exe
Token: SeDebugPrivilege | 1272 | powershell.exe
Token: SeDebugPrivilege | 3376 | powershell.exe
Token: SeDebugPrivilege | 2348 | powershell.exe
Token: SeDebugPrivilege | 1940 | conhost.exe
Token: SeDebugPrivilege | 5788 | conhost.exe
Token: SeDebugPrivilege | 6112 | conhost.exe
Token: SeDebugPrivilege | 3640 | conhost.exe
Token: SeDebugPrivilege | 464 | conhost.exe
Token: SeDebugPrivilege | 548 | conhost.exe
Token: SeDebugPrivilege | 5336 | conhost.exe
Token: SeDebugPrivilege | 2280 | conhost.exe
Token: SeDebugPrivilege | 5396 | conhost.exe
Token: SeDebugPrivilege | 4252 | conhost.exe
Token: SeDebugPrivilege | 2140 | conhost.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 1092 wrote to memory of 2000 | 1092 | JaffaCakes118_a156b566c1d152210e8765e71f28896566ed54bcd1272d2ac2459f78f0ef81dc.exe | 82
PID 1092 wrote to memory of 2000 | 1092 | JaffaCakes118_a156b566c1d152210e8765e71f28896566ed54bcd1272d2ac2459f78f0ef81dc.exe | 82
PID 1092 wrote to memory of 2000 | 1092 | JaffaCakes118_a156b566c1d152210e8765e71f28896566ed54bcd1272d2ac2459f78f0ef81dc.exe | 82
PID 2000 wrote to memory of 2180 | 2000 | WScript.exe | 83
PID 2000 wrote to memory of 2180 | 2000 | WScript.exe | 83
PID 2000 wrote to memory of 2180 | 2000 | WScript.exe | 83
PID 2180 wrote to memory of 4780 | 2180 | cmd.exe | 85
PID 2180 wrote to memory of 4780 | 2180 | cmd.exe | 85
PID 4780 wrote to memory of 2596 | 4780 | DllCommonsvc.exe | 126
PID 4780 wrote to memory of 2596 | 4780 | DllCommonsvc.exe | 126
PID 4780 wrote to memory of 1948 | 4780 | DllCommonsvc.exe | 127
PID 4780 wrote to memory of 1948 | 4780 | DllCommonsvc.exe | 127
PID 4780 wrote to memory of 4088 | 4780 | DllCommonsvc.exe | 128
PID 4780 wrote to memory of 4088 | 4780 | DllCommonsvc.exe | 128
PID 4780 wrote to memory of 548 | 4780 | DllCommonsvc.exe | 129
PID 4780 wrote to memory of 548 | 4780 | DllCommonsvc.exe | 129
PID 4780 wrote to memory of 5084 | 4780 | DllCommonsvc.exe | 130
PID 4780 wrote to memory of 5084 | 4780 | DllCommonsvc.exe | 130
PID 4780 wrote to memory of 4348 | 4780 | DllCommonsvc.exe | 131
PID 4780 wrote to memory of 4348 | 4780 | DllCommonsvc.exe | 131
PID 4780 wrote to memory of 3056 | 4780 | DllCommonsvc.exe | 132
PID 4780 wrote to memory of 3056 | 4780 | DllCommonsvc.exe | 132
PID 4780 wrote to memory of 1964 | 4780 | DllCommonsvc.exe | 133
PID 4780 wrote to memory of 1964 | 4780 | DllCommonsvc.exe | 133
PID 4780 wrote to memory of 4940 | 4780 | DllCommonsvc.exe | 134
PID 4780 wrote to memory of 4940 | 4780 | DllCommonsvc.exe | 134
PID 4780 wrote to memory of 1696 | 4780 | DllCommonsvc.exe | 135
PID 4780 wrote to memory of 1696 | 4780 | DllCommonsvc.exe | 135
PID 4780 wrote to memory of 3244 | 4780 | DllCommonsvc.exe | 136
PID 4780 wrote to memory of 3244 | 4780 | DllCommonsvc.exe | 136
PID 4780 wrote to memory of 1208 | 4780 | DllCommonsvc.exe | 137
PID 4780 wrote to memory of 1208 | 4780 | DllCommonsvc.exe | 137
PID 4780 wrote to memory of 2008 | 4780 | DllCommonsvc.exe | 138
PID 4780 wrote to memory of 2008 | 4780 | DllCommonsvc.exe | 138
PID 4780 wrote to memory of 2068 | 4780 | DllCommonsvc.exe | 139
PID 4780 wrote to memory of 2068 | 4780 | DllCommonsvc.exe | 139
PID 4780 wrote to memory of 2032 | 4780 | DllCommonsvc.exe | 153
PID 4780 wrote to memory of 2032 | 4780 | DllCommonsvc.exe | 153
PID 2032 wrote to memory of 624 | 2032 | cmd.exe | 156
PID 2032 wrote to memory of 624 | 2032 | cmd.exe | 156
PID 2032 wrote to memory of 1276 | 2032 | cmd.exe | 160
PID 2032 wrote to memory of 1276 | 2032 | cmd.exe | 160
PID 1276 wrote to memory of 1964 | 1276 | DllCommonsvc.exe | 209
PID 1276 wrote to memory of 1964 | 1276 | DllCommonsvc.exe | 209
PID 1276 wrote to memory of 1732 | 1276 | DllCommonsvc.exe | 210
PID 1276 wrote to memory of 1732 | 1276 | DllCommonsvc.exe | 210
PID 1276 wrote to memory of 4420 | 1276 | DllCommonsvc.exe | 211
PID 1276 wrote to memory of 4420 | 1276 | DllCommonsvc.exe | 211
PID 1276 wrote to memory of 3116 | 1276 | DllCommonsvc.exe | 212
PID 1276 wrote to memory of 3116 | 1276 | DllCommonsvc.exe | 212
PID 1276 wrote to memory of 1272 | 1276 | DllCommonsvc.exe | 213
PID 1276 wrote to memory of 1272 | 1276 | DllCommonsvc.exe | 213
PID 1276 wrote to memory of 4300 | 1276 | DllCommonsvc.exe | 214
PID 1276 wrote to memory of 4300 | 1276 | DllCommonsvc.exe | 214
PID 1276 wrote to memory of 3376 | 1276 | DllCommonsvc.exe | 215
PID 1276 wrote to memory of 3376 | 1276 | DllCommonsvc.exe | 215
PID 1276 wrote to memory of 2124 | 1276 | DllCommonsvc.exe | 216
PID 1276 wrote to memory of 2124 | 1276 | DllCommonsvc.exe | 216
PID 1276 wrote to memory of 2432 | 1276 | DllCommonsvc.exe | 217
PID 1276 wrote to memory of 2432 | 1276 | DllCommonsvc.exe | 217
PID 1276 wrote to memory of 3436 | 1276 | DllCommonsvc.exe | 218
PID 1276 wrote to memory of 3436 | 1276 | DllCommonsvc.exe | 218
PID 1276 wrote to memory of 2536 | 1276 | DllCommonsvc.exe | 219
PID 1276 wrote to memory of 2536 | 1276 | DllCommonsvc.exe | 219
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (tree depth in brackets)
[1] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a156b566c1d152210e8765e71f28896566ed54bcd1272d2ac2459f78f0ef81dc.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a156b566c1d152210e8765e71f28896566ed54bcd1272d2ac2459f78f0ef81dc.exe"
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID: 1092
  [2] C:\Windows\SysWOW64\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 2000
    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        PID: 2180
      [4] C:\providercommon\DllCommonsvc.exe
          Command line: "C:\providercommon\DllCommonsvc.exe"
          - Checks computer location settings
          - Executes dropped EXE
          - Drops file in Program Files directory
          - Drops file in Windows directory
          - Modifies registry class
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          PID: 4780
        [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 2596
        [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\sysmon.exe'
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 1948
        [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\IdentityCRL\production\dllhost.exe'
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 4088
        [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\logs\fontdrvhost.exe'
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 548
        [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Containers\spoolsv.exe'
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 5084
        [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\conhost.exe'
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 4348
        [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\explorer.exe'
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 3056
        [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\Idle.exe'
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 1964
        [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\fr-FR\conhost.exe'
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 4940
        [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\System.exe'
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 1696
        [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\fr-FR\cmd.exe'
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 3244
        [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\winlogon.exe'
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 1208
        [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\csrss.exe'
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 2008
        [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Photo Viewer\es-ES\fontdrvhost.exe'
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 2068
        [5] C:\Windows\System32\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\m9Wg72cL9d.bat"
            - Suspicious use of WriteProcessMemory
            PID: 2032
          [6] C:\Windows\system32\w32tm.exe
              Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              PID: 624
          [6] C:\providercommon\DllCommonsvc.exe
              Command line: "C:\providercommon\DllCommonsvc.exe"
              - Checks computer location settings
              - Executes dropped EXE
              - Drops file in Program Files directory
              - Drops file in Windows directory
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of WriteProcessMemory
              PID: 1276
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:1964
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\RuntimeBroker.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1732
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\WmiPrvSE.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:4420
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Registry.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:3116
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office 15\ClientX64\dwm.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:1272
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\csrss.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4300
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\logs\WmiPrvSE.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:3376
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\conhost.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2124
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Favorites\smss.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2432
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\taskhostw.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:3436
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\ja-JP\SearchApp.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2536
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\IME\wininit.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2348
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\USOShared\Logs\smss.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:4544
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Temp\MsEdgeCrashpad\upfc.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:3680
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\SppExtComObj.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4388
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\conhost.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:3484
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\WindowsPowerShell\RuntimeBroker.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2004
-
-
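Every Add-MpPreference call in the tree above excludes a path that the sample later registers a scheduled task for, so the dropped copies are never scanned. Add-MpPreference needs local administrator rights, and each successful call is recorded by Defender as event 5007 ("configuration changed") in the Microsoft-Windows-Windows Defender/Operational log, which is how the exclusions can be dated on a live host. The PowerShell below is an added triage example for a host after a run like this; it is not part of the sandbox report or of the sample. It assumes an elevated session, takes the observed paths from the tree, and adds one generic rule, an .exe carrying the name of a core Windows process but living outside System32, that is an assumption about this family rather than a documented rule.

```powershell
#Requires -RunAsAdministrator
# Added example (not part of the sandbox report): audit and remove Defender path
# exclusions of the kind this run created with Add-MpPreference. Adapt the lists.

# Paths this run excluded (copied from the process tree above).
$observed = @(
    'C:\providercommon\System.exe',
    'C:\Windows\fr-FR\cmd.exe',
    'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\winlogon.exe',
    'C:\Recovery\WindowsRE\csrss.exe',
    'C:\Program Files (x86)\Windows Photo Viewer\es-ES\fontdrvhost.exe',
    'C:\providercommon\DllCommonsvc.exe',
    'C:\Users\Default User\RuntimeBroker.exe',
    'C:\Recovery\WindowsRE\conhost.exe'
)

# Generic rule (assumption, derived from this family's naming): an exclusion for an
# .exe named like a core Windows process that does not live in System32 is hostile.
$systemNames = @('csrss', 'smss', 'wininit', 'winlogon', 'conhost', 'dwm', 'fontdrvhost',
                 'RuntimeBroker', 'WmiPrvSE', 'taskhostw', 'SearchApp', 'upfc', 'SppExtComObj',
                 'Registry', 'System', 'cmd', 'sysmon', 'dllhost', 'spoolsv', 'explorer', 'Idle')

function Test-SuspiciousExclusion {
    param([string]$Path)
    if ($observed -contains $Path) { return $true }
    $leaf = [IO.Path]::GetFileNameWithoutExtension($Path)
    $ext  = [IO.Path]::GetExtension($Path)
    return (($ext -ieq '.exe') -and
            ($systemNames -contains $leaf) -and
            ($Path -notlike "$env:SystemRoot\System32\*"))
}

# ExclusionPath is $null when nothing is excluded; the filter keeps $current empty then.
$current = @((Get-MpPreference).ExclusionPath | Where-Object { $_ })
$bad     = @($current | Where-Object { Test-SuspiciousExclusion -Path $_ })

if ($bad.Count -eq 0) {
    Write-Host 'No suspicious Defender path exclusions found.'
} else {
    $bad | ForEach-Object { Write-Warning "Suspicious exclusion: $_" }
    # One call removes all of them; Defender records the change as event 5007.
    Remove-MpPreference -ExclusionPath $bad
}

# When were they added? Every successful Add-MpPreference leaves a 5007
# "configuration changed" event whose message names the Exclusions\Paths value.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 5007
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Exclusions\\Paths' } |
    Select-Object TimeCreated, Message |
    Format-List
```

On a managed estate, diff the list against the exclusions pushed by policy before removing anything, since policy-defined exclusions appear in the same ExclusionPath property.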
[depth 7] C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\conhost.exe
  "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\conhost.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  PID:1940

[depth 8] C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tlxpltA24S.bat"
  PID:5612

[depth 9] C:\Windows\system32\w32tm.exe
  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID:5668

[depth 9] C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\conhost.exe
  "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\conhost.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  PID:5788

[depth 10] C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LEBHQwxRW8.bat"
  PID:5916

[depth 11] C:\Windows\system32\w32tm.exe
  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID:5976

[depth 11] C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\conhost.exe
  "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\conhost.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  PID:6112

[depth 12] C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FBcCl1WGSV.bat"
  PID:3108

[depth 13] C:\Windows\system32\w32tm.exe
  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID:5308

[depth 13] C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\conhost.exe
  "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\conhost.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  PID:3640

[depth 14] C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fjnbjzFmbP.bat"
  PID:964

[depth 15] C:\Windows\system32\w32tm.exe
  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID:1488

[depth 15] C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\conhost.exe
  "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\conhost.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  PID:464

[depth 16] C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hfpeQ4JfvC.bat"
  PID:2024

[depth 17] C:\Windows\system32\w32tm.exe
  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID:4088

[depth 17] C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\conhost.exe
  "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\conhost.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  PID:548

[depth 18] C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4WSxKcEorb.bat"
  PID:5368

[depth 19] C:\Windows\system32\w32tm.exe
  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID:2704

[depth 19] C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\conhost.exe
  "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\conhost.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  PID:5336

[depth 20] C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UyITBGB0nG.bat"
  PID:3584

[depth 21] C:\Windows\system32\w32tm.exe
  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID:2092

[depth 21] C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\conhost.exe
  "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\conhost.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  PID:2280

[depth 22] C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3Lxx1rvPQX.bat"
  PID:5008

[depth 23] C:\Windows\system32\w32tm.exe
  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID:384

[depth 23] C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\conhost.exe
  "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\conhost.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  PID:5396

[depth 24] C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qpvm5o68kg.bat"
  PID:1616

[depth 25] C:\Windows\system32\w32tm.exe
  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID:4576

[depth 25] C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\conhost.exe
  "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\conhost.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  PID:4252

[depth 26] C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\M53DwaTFc6.bat"
  PID:5732

[depth 27] C:\Windows\system32\w32tm.exe
  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID:3124

[depth 27] C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\conhost.exe
  "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\conhost.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  PID:2140

[depth 28] C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AKY6NrPTox.bat"
  PID:5868

[depth 29] C:\Windows\system32\w32tm.exe
  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID:5924
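The chain above repeats the same three steps eleven times: the dropped conhost.exe runs a random-named .bat from the user's Temp directory through cmd.exe /C, the batch calls w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 (a clock poll that blocks for a few seconds and so works as a sleep without timeout.exe or ping), and then it starts the same conhost.exe again, two tree levels deeper each time. The PowerShell below is an added detection example, not part of the report or of the sample: it looks for that shape in process-creation records. The field names follow Sysmon event 1 (an assumption; Security event 4688 with command-line auditing carries the same data), and the records are constructed to mirror one iteration of the tree plus one benign decoy so the script runs offline.

```powershell
# Added example, not part of the sandbox report. Flags the cmd.exe /C <Temp>\*.bat
# -> w32tm /stripchart -> same-binary relaunch chain in process-creation records.
# Field names follow Sysmon event 1 (assumption); the records are constructed to
# mirror the tree above plus one benign decoy, so the script runs offline.

function New-ProcRecord {
    param([int]$ProcessId, [int]$ParentProcessId, [string]$Image, [string]$CommandLine)
    [pscustomobject]@{
        ProcessId       = $ProcessId
        ParentProcessId = $ParentProcessId
        Image           = $Image
        CommandLine     = $CommandLine
    }
}

$conhost = 'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\conhost.exe'
$cmd     = 'C:\Windows\System32\cmd.exe'
$w32tm   = 'C:\Windows\system32\w32tm.exe'

# Constructed records: PIDs and paths as in the report, one iteration of the loop,
# followed by a decoy (a user-run build script) that must not trigger.
$events = @(
    New-ProcRecord 1940 1276 $conhost "`"$conhost`""
    New-ProcRecord 5612 1940 $cmd     "`"$cmd`" /C `"C:\Users\Admin\AppData\Local\Temp\tlxpltA24S.bat`""
    New-ProcRecord 5668 5612 $w32tm   'w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2'
    New-ProcRecord 5788 5612 $conhost "`"$conhost`""
    New-ProcRecord 7001 4000 $cmd     "`"$cmd`" /C `"C:\Users\Admin\Desktop\build.bat`""
    New-ProcRecord 7002 7001 'C:\Program Files\dotnet\dotnet.exe' 'dotnet build'
)

function Find-RelaunchChain {
    param([Parameter(Mandatory)][object[]]$Events)

    $byId = @{}
    foreach ($e in $Events) { $byId[$e.ProcessId] = $e }

    foreach ($e in $Events) {
        # (1) w32tm polling the local clock is a sleep substitute: it blocks for a
        #     few seconds (one sample per /period seconds) and needs no other tool.
        if (($e.Image -like '*\w32tm.exe') -and
            ($e.CommandLine -match '(?i)/stripchart\s+/computer:localhost')) {
            [pscustomobject]@{
                ProcessId = $e.ProcessId
                Finding   = 'w32tm stripchart used as delay'
                Detail    = $e.CommandLine
            }
        }

        $parent = $byId[$e.ParentProcessId]
        if (-not $parent) { continue }

        # (2) the parent is cmd.exe running a batch file from the user's Temp directory
        $tempBat = (($parent.Image -like '*\cmd.exe') -and
                    ($parent.CommandLine -match '(?i)/C\s+"?[^"]*\\AppData\\Local\\Temp\\[^"]+\.bat'))
        if (-not $tempBat) { continue }

        # (3) and the new process is the very binary that launched that cmd.exe:
        #     a self-relaunch through a dropper script
        $grand = $byId[$parent.ParentProcessId]
        if ($grand -and ($e.Image -ieq $grand.Image)) {
            [pscustomobject]@{
                ProcessId = $e.ProcessId
                Finding   = 'self-relaunch via Temp .bat'
                Detail    = "$($grand.ProcessId) -> $($parent.ProcessId) -> $($e.ProcessId): $($e.Image)"
            }
        }
    }
}

Find-RelaunchChain -Events $events | Format-Table -AutoSize
```

Run against the constructed records this reports the w32tm delay (PID 5668) and the self-relaunch of conhost.exe (PID 5788); the build.bat decoy matches neither rule because its child is a different binary. On real telemetry, key the lookup table on process GUIDs rather than PIDs, since sandbox and endpoint PIDs are reused within a session.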
[depth 1] C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /f
  - Process spawned unexpected child process
  PID:1344

[depth 1] C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:3528

[depth 1] C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  PID:1840

[depth 1] C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Windows\IdentityCRL\production\dllhost.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:928

[depth 1] C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\IdentityCRL\production\dllhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:2092

[depth 1] C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Windows\IdentityCRL\production\dllhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:4444

[depth 1] C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\fontdrvhost.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:5048

[depth 1] C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\fontdrvhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:712

[depth 1] C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\fontdrvhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:532

[depth 1] C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Windows\Containers\spoolsv.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:2064

[depth 1] C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\Containers\spoolsv.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:4888

[depth 1] C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Windows\Containers\spoolsv.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:4852

[depth 1] C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:2004

[depth 1] C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:3708

[depth 1] C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:5040

[depth 1] C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Users\Default\explorer.exe'" /f
  - Process spawned unexpected child process
  PID:312

[depth 1] C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Default\explorer.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:4792

[depth 1] C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Users\Default\explorer.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  PID:3588

[depth 1] C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\Idle.exe'" /f
  - Process spawned unexpected child process
  PID:2968

[depth 1] C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\Idle.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:1312

[depth 1] C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\Idle.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:4064

[depth 1] C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\conhost.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:3680

[depth 1] C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\conhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:740

[depth 1] C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\conhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:408

[depth 1] C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\providercommon\System.exe'" /f
  - Process spawned unexpected child process
  PID:1616

[depth 1] C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:3396

[depth 1] C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:3124

[depth 1] C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\Windows\fr-FR\cmd.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:3852

[depth 1] C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\fr-FR\cmd.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  PID:3756

[depth 1] C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Windows\fr-FR\cmd.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  PID:4244

[depth 1] C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\winlogon.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:4232

[depth 1] C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\winlogon.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:1776

[depth 1] C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\winlogon.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:1656

[depth 1] C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:4364

[depth 1] C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:4876

[depth 1] C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  PID:1220

[depth 1] C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Photo Viewer\es-ES\fontdrvhost.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:4920

[depth 1] C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\es-ES\fontdrvhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:624

[depth 1] C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Photo Viewer\es-ES\fontdrvhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:4404

[depth 1] C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /f
  - Process spawned unexpected child process
  PID:4796

[depth 1] C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:4792

[depth 1] C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  PID:4548

[depth 1] C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Defender\WmiPrvSE.exe'" /f
  - Process spawned unexpected child process
  PID:220

[depth 1] C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\WmiPrvSE.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  PID:964

[depth 1] C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Defender\WmiPrvSE.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:3788

[depth 1] C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Registry.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:3284

[depth 1] C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Users\All Users\Registry.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:1092

[depth 1] C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Registry.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:3328

[depth 1] C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\dwm.exe'" /f
  - Process spawned unexpected child process
  PID:1552

[depth 1] C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\dwm.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  PID:864

[depth 1] C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\dwm.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:4972

[depth 1] C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:2068

[depth 1] C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:3612

[depth 1] C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:3244

[depth 1] C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\WmiPrvSE.exe'" /f
  - Process spawned unexpected child process
  PID:3192

[depth 1] C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\WmiPrvSE.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:5100

[depth 1] C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\WmiPrvSE.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:1960

[depth 1] C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:2828

[depth 1] C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:396

[depth 1] C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:4212

[depth 1] C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Favorites\smss.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:2984

[depth 1] C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Default\Favorites\smss.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:3480

[depth 1] C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Favorites\smss.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:3600

[depth 1] C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\taskhostw.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:2024

[depth 1] C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Users\Admin\taskhostw.exe'" /rl HIGHEST /f
  PID:2352

[depth 1] C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\taskhostw.exe'" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
  PID:3356

[depth 1] C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 13 /tr "'C:\Program Files\Common Files\System\ja-JP\SearchApp.exe'" /f
  - Scheduled Task/Job: Scheduled Task
  PID:3496

[depth 1] C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files\Common Files\System\ja-JP\SearchApp.exe'" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
  PID:2704

[depth 1] C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 14 /tr "'C:\Program Files\Common Files\System\ja-JP\SearchApp.exe'" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
  PID:4760

[depth 1] C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Windows\IME\wininit.exe'" /f
  PID:3856

[depth 1] C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\IME\wininit.exe'" /rl HIGHEST /f
  PID:3812

[depth 1] C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Windows\IME\wininit.exe'" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
  PID:4552

[depth 1] C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\USOShared\Logs\smss.exe'" /f
  PID:3592

[depth 1] C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\All Users\USOShared\Logs\smss.exe'" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
  PID:4576

[depth 1] C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\USOShared\Logs\smss.exe'" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
  PID:4844

[depth 1] C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 11 /tr "'C:\Windows\Temp\MsEdgeCrashpad\upfc.exe'" /f
  PID:1948

[depth 1] C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Windows\Temp\MsEdgeCrashpad\upfc.exe'" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
  PID:4936

[depth 1] C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 8 /tr "'C:\Windows\Temp\MsEdgeCrashpad\upfc.exe'" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
  PID:4816

[depth 1] C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /f
  - Scheduled Task/Job: Scheduled Task
  PID:4888

[depth 1] C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
  PID:2436

[depth 1] C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
  PID:4292

[depth 1] C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\conhost.exe'" /f
  PID:3972

[depth 1] C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\conhost.exe'" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
  PID:468

[depth 1] C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\conhost.exe'" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
  PID:2476

[depth 1] C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\WindowsPowerShell\RuntimeBroker.exe'" /f
  - Scheduled Task/Job: Scheduled Task
  PID:4724

[depth 1] C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\RuntimeBroker.exe'" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
  PID:4648

[depth 1] C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\WindowsPowerShell\RuntimeBroker.exe'" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
  PID:4948
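Every dropped binary above receives three tasks from schtasks.exe, all at the top level of the tree rather than under the sample: one named after the binary plus its own first letter that repeats every 5 to 14 minutes, one named exactly after the binary that fires at logon with /rl HIGHEST, and a second repeating task, also with /rl HIGHEST; /f silently overwrites any task of the same name. Because the repeating task and the logon task share the binary, killing the process is not enough. The PowerShell below is an added hunting example, not part of the sandbox report or of the sample: it enumerates non-Microsoft tasks, scores each against the indicators visible in the tree, and unregisters the hits. The naming rule (task name equals the target's base name, or that name plus its first character, as in sysmon/sysmons, conhost/conhostc, Idle/IdleI) is an assumption inferred from this run, not a documented constant of the family, and the script assumes an elevated session.

```powershell
#Requires -RunAsAdministrator
# Added example, not part of the sandbox report. Hunts the scheduled-task
# persistence this run created with schtasks.exe and removes it.
# Assumptions: tasks live outside \Microsoft\; the task name equals the target
# binary's base name, or that name plus its own first letter (sysmon/sysmons,
# conhost/conhostc, Idle/IdleI), as seen in the tree above.

function Get-SuspiciousPersistenceTask {
    [CmdletBinding()]
    param()

    $system32 = "$env:SystemRoot\System32\"
    $tasks = Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft\*' }

    foreach ($task in $tasks) {
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }   # COM-handler actions carry no path

            # schtasks /tr "'C:\x\y.exe'" keeps the inner quotes; strip them before parsing
            $exe  = $action.Execute.Trim("'`" ")
            $base = [IO.Path]::GetFileNameWithoutExtension($exe)
            if (-not $base) { continue }

            $named   = ($task.TaskName -ieq $base) -or ($task.TaskName -ieq ($base + $base[0]))
            $reasons = New-Object 'System.Collections.Generic.List[string]'

            if ($task.Principal.RunLevel -eq 'Highest') { $reasons.Add('run level Highest (/rl HIGHEST)') }

            foreach ($trigger in $task.Triggers) {
                if ($trigger.CimClass.CimClassName -eq 'MSFT_TaskLogonTrigger') {
                    $reasons.Add('logon trigger (/sc ONLOGON)')
                }
                # schtasks /sc MINUTE /mo N is stored as a repetition interval of PTnM
                if ($trigger.Repetition.Interval -match '^PT(\d+)M$' -and [int]$Matches[1] -le 15) {
                    $reasons.Add("repeats every $($Matches[1]) min")
                }
            }

            # A system-process name running from outside System32 is masquerading; the
            # dropped copies are unsigned, unlike the real binaries they are named after.
            $exists = Test-Path -LiteralPath $exe
            if ($exe -notlike "$system32*") {
                if ($exists) {
                    $sig = Get-AuthenticodeSignature -LiteralPath $exe
                    if ($sig.Status -ne 'Valid') { $reasons.Add("unsigned target outside System32: $exe") }
                } else {
                    $reasons.Add("target missing: $exe")
                }
            }

            # Require the naming rule plus at least two further indicators
            if ($named -and $reasons.Count -ge 2) {
                $hash = if ($exists) { (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash } else { $null }
                [pscustomobject]@{
                    TaskName = $task.TaskName
                    TaskPath = $task.TaskPath
                    Target   = $exe
                    Exists   = $exists
                    Sha256   = $hash
                    Reasons  = ($reasons -join '; ')
                }
            }
        }
    }
}

$hits = @(Get-SuspiciousPersistenceTask)
$hits | Format-Table TaskName, Target, Reasons -AutoSize

# Remove after review. Unregistering a task does not touch the dropped binary,
# which still has to be collected (hash above) and quarantined.
foreach ($h in $hits) {
    Unregister-ScheduledTask -TaskName $h.TaskName -TaskPath $h.TaskPath -Confirm:$false
}
```

Collect the SHA256 values before unregistering so the dropped copies can be matched against the sample's hashes and the other tasks' targets; on this run the same binary path appears under several task names, and removing one task leaves the others live.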
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 212B
MD5: 7162abbf490ca7d519cddc48b221cd1a
SHA1: 9bac82d277de8dc9106c0cabafefd24d70dbbae8
SHA256: e6ec89505d4b2d00bed8aab9c7f28d8cad424188d1440abae5d3cd49a3ae45a7
SHA512: b1779b468f5083a5f4919b3df2da34a4c5df01f5d535eab44f5772cce46a229a0d28acbb992b43c04a75ce04aca87d47d2506d9e93d1b0dfd6b6624612c49026

Filesize: 757B
MD5: a8fce2251940e8fdb8175b80920e458f
SHA1: 4eb0adf28148b32af92e442a17568a53c1b913d5
SHA256: 5f9347ba136278b16ddbe98ac2150d88eaf545a246323f2548ba095c9590c173
SHA512: 6bb406c3c5e48729f74e72e19229006c794d46d43fbb88d901f9a860245d49520d399a8b3a19a0613ca0ac4bae0f2a47b9beea31253d036b5812f8d8ab2aa379

Filesize: 1KB
MD5: 7f3c0ae41f0d9ae10a8985a2c327b8fb
SHA1: d58622bf6b5071beacf3b35bb505bde2000983e3
SHA256: 519fceae4d0dd4d09edd1b81bcdfa8aeab4b59eee77a4cd4b6295ce8e591a900
SHA512: 8a8fd17eef071f86e672cba0d8fc2cfed6118aff816100b9d7c06eb96443c04c04bc5692259c8d7ecb1563e877921939c61726605af4f969e3f586f0913ed125

Filesize: 1KB
MD5: baf55b95da4a601229647f25dad12878
SHA1: abc16954ebfd213733c4493fc1910164d825cac8
SHA256: ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924
SHA512: 24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Filesize: 2KB
MD5: d85ba6ff808d9e5444a4b369f5bc2730
SHA1: 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256: 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512: 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Filesize: 944B
MD5: 6d3e9c29fe44e90aae6ed30ccf799ca8
SHA1: c7974ef72264bbdf13a2793ccf1aed11bc565dce
SHA256: 2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d
SHA512: 60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Filesize: 944B
MD5: d28a889fd956d5cb3accfbaf1143eb6f
SHA1: 157ba54b365341f8ff06707d996b3635da8446f7
SHA256: 21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45
SHA512: 0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Filesize: 944B
MD5: 5f0ddc7f3691c81ee14d17b419ba220d
SHA1: f0ef5fde8bab9d17c0b47137e014c91be888ee53
SHA256: a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5
SHA512: 2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

Filesize: 944B
MD5: e243a38635ff9a06c87c2a61a2200656
SHA1: ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc
SHA256: af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f
SHA512: 4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

Filesize: 944B
MD5: 3e242d3c4b39d344f66c494424020c61
SHA1: 194e596f33d54482e7880e91dc05e0d247a46399
SHA256: f688037cb0c9f9c97b3b906a6c0636c91ad1864564feb17bba4973cde361172e
SHA512: 27c1cd6d72554fdce3b960458a1a6bd3f740aa7c22a313a80b043db283a224bf390648b9e59e6bdbf48020d082d728fbde569bee4ee2a610f21d659a7b3dfa02

Filesize: 944B
MD5: 085e0a3b869f290afea5688a8ac4e7c5
SHA1: 0fedef5057708908bcca9e7572be8f46cef4f3ca
SHA256: 1fed2c9bc05b3fcb93f493124dbf1680c6445f67e3d49680257183132514509c
SHA512: bbac0555a05dbe83154a90caa44a653c8a05c87594a211548b165c5b1d231e3818830e754c0b6de3e5cb64dba3a5ad18bebae05cb9157e1dd46bce2a86d18ede

Filesize: 944B
MD5: 6019bc03fe1dc3367a67c76d08b55399
SHA1: 3d0b6d4d99b6b8e49829a3992072c3d9df7ad672
SHA256: 7f88db7b83b11cd8ea233efc3a1498635b68771482658255750df564a065f7d0
SHA512: 6b5409780a23e977b0bbe463e351f1d474539100aeaa01b0b7fe72aa6dbfb3c0fec64fe9db65b63d188a279b65eae7f31ef0b6880c67ada9ab175da419f595eb

Filesize: 944B
MD5: fdf15f7d08f3f7538ae67e5b3e5d23f4
SHA1: 953ff0529053ce3a1930b4f5abba2364a8befbfc
SHA256: 9f4964b9cf2c6d4915a8f2b9746dc5ff73d6f327c81370f92e0e7a611b28a707
SHA512: 4fee933635376d1467e0be63d12fa897f83cbbf9cdd1ac79cce30dfaa2621d47e137e991b701f1ed9910767904dbfb6b89db2a02ce32edc410c83351f351d7ed

Filesize: 944B
MD5: bc113211a3e72478c93989952aee3251
SHA1: 5eeb2f2e4642ef5f147dd118742ea3c3dcf0cd16
SHA256: c6059355503eca5b35ac8446442eb5031ab610b7353cd2e8a3cf07dc99469fae
SHA512: c0748cc3a4b701f5cefeeaf9ac1bdbae28cfcf1dad8e89a2db2c756b908011ee8e945b6d02bef816763fc5acc38a72657316f5cd56c62342c8e779a50f4f4460
-
Filesize
944B
MD5d39ea6f9ab2ac89f0eecf4195aa92ab1
SHA1330eceaf8a8f7f482b8efcdd909dd17fcab58861
SHA256c43aeb94aa5a3757d5366738541991ed39ff1ad7d5b5f5644dcecd78bdc48398
SHA51225d06b3688f9454a2b9598c9cc65f49184d743124a5723b43a4278effd95bee192e83ba7be486f5e331692d78d81e58c5cc2720aac56551dc3f90a9e81278222
-
Filesize
944B
MD5ab1c06eb58feaa4c391aca847a9d8c22
SHA17135120dfad41b4d64e675294e1b974891b3ee76
SHA2563705f63962d11b61c726853043b5c47800b77b3392f8ef42921fb31514eeba8e
SHA5128fe9947248e64b2cb94af62bc8126f4c13700254a17a204b58535cb9ad32919be5aeca0e745127ceb8c666dc3b3140bb406d7591b32531c6c3eb1771ee571edb
-
Filesize
944B
MD5ef7c4ea47c72834da25a559fbf2a82ad
SHA1d26de898d4efc7c35ff0b4a9f8179e38d3efe1f4
SHA2564dd33ed20c21bce6eac39372117b9cae9121b0ed0b72504a8db74a6300c5ed35
SHA5128f84329a21b5d6cfd4b8032b6626a25fa066ddd7c1d7ed01a07cdcaa021c28a8b81821db993205c5cd7539fdb0643a22dcdc575946ada1d6646eb72ab6ddfbbe
-
Filesize
944B
MD53fd1207fb34732237602c32614f8e7a5
SHA13c17778095da518c209e6854340c140cff556a50
SHA256b89786113f914c4c6c44f0455750d167a760b375dc12c18a52054e71f0d24737
SHA51254e7f41aa11b147d6734d1b2972c11dd6a4703be366dd9b26dbca14a9392205a4f19545c39db9807751468522c9e761fe7009bebf743e3ef852d7b79429ba482
-
Filesize
245B
MD5496ef62e58255e8212de71f8200738b2
SHA1177e0d454a9716c3c38a553a8f7860f485c39cb2
SHA256269a98bf6bb3a052b110fe68fd673be211447107a3f49cb6ecd1effa337e1bc1
SHA512af2efec530b84a1c978c617fd5d1d7848d0d9486437ed9aca72f5bbfac76067cf9c84634a6cff2a3db10e83670eb54bd6d1fb5faf3a8810095aab86a8ba2f448
-
Filesize
245B
MD52136374196aeeaed4e691e69c0591043
SHA191488a7c34eefa9516f91bce87e71165145b02b0
SHA25687e3ff52b3ac7afe3a9d1641c58a9ed2633a0a02a99399ad4365bb2c5bea6af0
SHA51268a6b176b3a79fb41d5f320435216ce5f7b010f8a8f90f20864d26fe8ccee564f75c422d30e307732ed17f0fcf7e3d72898320fe3f015975b19d72621e6a6a81
-
Filesize
245B
MD5451222f3f3315acc1007a54c0f5ef594
SHA11f8e75cfb3649a509c12d1b52cd7ba4d2bd15f7b
SHA256209a1e67f051b78cbd8d8a112580f748d28f793d855ccfbacca788576484ea06
SHA512841bc64143ba7310142c6511877cd250784bb46aa35f5bec0221ba20a106089e7934d5b295a5ad2d44671ec1e894aee69013508040c767e2b2ad13c713d64b29
-
Filesize
245B
MD5c79bc93fe01ce6c652128395e200bf32
SHA1dcf1dd1c50cbdf6819a560694bbd8da88aceddca
SHA256a300beb94bce8649fa9c9aa6194270b08d6d0f4d97fd146bbf0ae2436aa29ad1
SHA512c84114be94d335a09b7bbe4e23a2320e72c0abfd3cb30567c53034352702a118d15b020db7bd3e2c64b74b72e70f1b5006864038cdec3d50d9dffd565c0bc980
-
Filesize
245B
MD5fa2b273850401813930c9261eef0f3cc
SHA1d3808ccbf2ccd76f6b39e6913f2506e1f06bfa2e
SHA256602216e3d0bc4e384ec2c3a0b4befa92338870ebab75a674b7d9b0a9d5767d18
SHA512831a6fc778d0c77808730403c9ad639f80fb4df0a53af1ce6e4998673e3c09568d6eba25601efb7aabaefa56c372b5d8a1acef24f13061ee5f936098f600efdd
-
Filesize
245B
MD59b986238f518c786172ca4f9509706ff
SHA18095cf64fcee2b63bef82d48a1d9d461112c086d
SHA256f5c9ac4f4b10b7fdb511410ae9a5ccbc60f667f09ad176fba684ec50d4f71c98
SHA5125aa5ddd7806561c28b02978fc7d40afcb3d699e4c3d6da6437abbca6f19f21c9151dfb5b250e27afa1def08f1034df7db71a87cb1363bf73d7ff3e75f2b56f59
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
245B
MD5a91e5ff3454218d8a14c16ae40d1f12d
SHA1fcc5b98a5ba79b08874eb5cca8b76d3fbb4f5d92
SHA256f2a1d0cdbfe00b746c5787b727713162c1df83db1ebdbc34cad1beb424782062
SHA51276457e8ee66cc323ab0de6c6cd9a23b43281d5654f162e811629ff8d94e2fa77d46a94a1a39de5929be1f6dfb613133788127e065e30303f6ea5ccef5c855fad
-
Filesize
245B
MD52338488e63b91762339742cc976b0add
SHA1c7f5c21a50695eb405512549e888d06b2a4d13c5
SHA256598bf07ad6a75fc896d50cd5c4206b696a53698f9b1336a7e60fc0ceb6367079
SHA51235b02053eb354d8e32421cec71700d37c504c2416ef98273a7586f2756d8c72a12c6af9036ea415a4a47f35b2c67684f78274e52d1df7cf50fcdcfa9a9c655eb
-
Filesize
199B
MD544effefd8eee00b7c156043475d582e7
SHA12ffcd3ad5f495fb74592fa4c9f0b4c190c10518e
SHA2561376916be8e51165ec9ed6e37064d0a0e30bec098fb2556a6fdc0b4c503fe2d2
SHA512595484781fbf4a299f708d46e562030337887bb2616ea4fa3a50deea9c2effc60060364823ab14bb7cef95ecd7c7458ac50eabaacdb08fbc13bc185c3113af5e
-
Filesize
245B
MD51b998e2c82d7e939e095d63b54459335
SHA1b5fcef6c1db4654d4c877c86ed6da1f5bcbf22e0
SHA25693a8f72d778d97b56ac097ab70c535997a56f429c8099df8fc30624f172ebdd8
SHA512a7501b70a0d66771370e1f750bf83a7b35233cefc3b11d406178f36ddbb720a7936d40faba23f65ee1d7969d3f35e76d0c16ce8e14d9fc85313fa231d1945e3e
-
Filesize
245B
MD5011d05f9b642264b41de6c1d5aa78338
SHA17bd8ded52d2354e218e493ba77fcda2c748ab650
SHA256b4a1f9a458d8a541122472c385e52c9eef0520b3adfca9d1f50d02f899281729
SHA5126a96d87640ac412cd868189a6b0a9fdac2b3df167d836b523889b1033e899410f4152d62519198d509b1bc89a6bb3c9593bc844e2535be00480b0e9f483ed4bf
-
Filesize
36B
MD56783c3ee07c7d151ceac57f1f9c8bed7
SHA117468f98f95bf504cc1f83c49e49a78526b3ea03
SHA2568ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8
-
Filesize
1.0MB
MD5bd31e94b4143c4ce49c17d3af46bcad0
SHA1f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
Filesize
197B
MD58088241160261560a02c84025d107592
SHA1083121f7027557570994c9fc211df61730455bb5
SHA2562072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA51220d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478