Analysis
-
max time kernel
145s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
21-12-2024 22:19
Behavioral task
behavioral1
Sample
JaffaCakes118_b87080c7ac76bf20ac679f60a1d679cc6452dda8915718698e20136c2e24a607.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
JaffaCakes118_b87080c7ac76bf20ac679f60a1d679cc6452dda8915718698e20136c2e24a607.exe
Resource
win10v2004-20241007-en
General
-
Target
JaffaCakes118_b87080c7ac76bf20ac679f60a1d679cc6452dda8915718698e20136c2e24a607.exe
-
Size
1.3MB
-
MD5
d85f6f525a9b82318104a50c1935466d
-
SHA1
fafbe296bedb77ff61a43d9ab8b5ff691ebc2d3d
-
SHA256
b87080c7ac76bf20ac679f60a1d679cc6452dda8915718698e20136c2e24a607
-
SHA512
269dcb3e522bdca3d8e52b07fe299aa4f13d2de8e9e174785b7a89e6c0c6a556e35bececae940776295d8e7d8086d5419dd1e13d3cdc5e469815861eea2c8a25
-
SSDEEP
24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 42 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2340 1212 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2512 1212 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2708 1212 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4644 1212 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 220 1212 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2124 1212 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1140 1212 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 264 1212 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4012 1212 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1272 1212 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1744 1212 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2996 1212 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4544 1212 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4548 1212 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1580 1212 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4064 1212 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2796 1212 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1196 1212 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2720 1212 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4192 1212 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4140 1212 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 864 1212 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1916 1212 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1588 1212 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1408 1212 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2408 1212 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4184 1212 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3964 1212 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1420 1212 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1412 1212 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4924 1212 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3904 1212 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1688 1212 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 748 1212 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3620 1212 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3936 1212 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1624 1212 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3772 1212 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1236 1212 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3468 1212 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 320 1212 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4596 1212 schtasks.exe 86 -
resource yara_rule behavioral2/files/0x000a000000023b8b-10.dat dcrat behavioral2/memory/3908-13-0x0000000000FB0000-0x00000000010C0000-memory.dmp dcrat -
Command and Scripting Interpreter: PowerShell 1 TTPs 15 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 4592 powershell.exe 4084 powershell.exe 3172 powershell.exe 1204 powershell.exe 1512 powershell.exe 1480 powershell.exe 3464 powershell.exe 1300 powershell.exe 2588 powershell.exe 1644 powershell.exe 3604 powershell.exe 4332 powershell.exe 4772 powershell.exe 3056 powershell.exe 608 powershell.exe -
Checks computer location settings 2 TTPs 14 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation DllCommonsvc.exe Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation OfficeClickToRun.exe Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation OfficeClickToRun.exe Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation OfficeClickToRun.exe Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation JaffaCakes118_b87080c7ac76bf20ac679f60a1d679cc6452dda8915718698e20136c2e24a607.exe Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation OfficeClickToRun.exe Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation OfficeClickToRun.exe Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation OfficeClickToRun.exe Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation OfficeClickToRun.exe Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation OfficeClickToRun.exe Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation OfficeClickToRun.exe Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation OfficeClickToRun.exe Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation OfficeClickToRun.exe -
Executes dropped EXE 13 IoCs
pid Process 3908 DllCommonsvc.exe 2108 OfficeClickToRun.exe 1152 OfficeClickToRun.exe 4620 OfficeClickToRun.exe 3100 OfficeClickToRun.exe 872 OfficeClickToRun.exe 4188 OfficeClickToRun.exe 4908 OfficeClickToRun.exe 1732 OfficeClickToRun.exe 3332 OfficeClickToRun.exe 1808 OfficeClickToRun.exe 4180 OfficeClickToRun.exe 2020 OfficeClickToRun.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs
flow ioc 30 raw.githubusercontent.com 39 raw.githubusercontent.com 40 raw.githubusercontent.com 52 raw.githubusercontent.com 17 raw.githubusercontent.com 18 raw.githubusercontent.com 38 raw.githubusercontent.com 43 raw.githubusercontent.com 44 raw.githubusercontent.com 49 raw.githubusercontent.com 50 raw.githubusercontent.com 51 raw.githubusercontent.com -
Drops file in Program Files directory 12 IoCs
description ioc Process File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\RuntimeBroker.exe DllCommonsvc.exe File created C:\Program Files (x86)\Windows Photo Viewer\it-IT\886983d96e3d3e DllCommonsvc.exe File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\e1ef82546f0b02 DllCommonsvc.exe File created C:\Program Files (x86)\Windows NT\TableTextService\en-US\services.exe DllCommonsvc.exe File created C:\Program Files\Reference Assemblies\fontdrvhost.exe DllCommonsvc.exe File created C:\Program Files\Reference Assemblies\5b884080fd4f94 DllCommonsvc.exe File created C:\Program Files (x86)\Windows Media Player\fr-FR\System.exe DllCommonsvc.exe File created C:\Program Files (x86)\Windows Media Player\fr-FR\27d1bcfc3c54e0 DllCommonsvc.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\9e8d7a4ca61bd9 DllCommonsvc.exe File created C:\Program Files (x86)\Windows Photo Viewer\it-IT\csrss.exe DllCommonsvc.exe File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\SppExtComObj.exe DllCommonsvc.exe File created C:\Program Files (x86)\Windows NT\TableTextService\en-US\c5b4cb5e9653cc DllCommonsvc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_b87080c7ac76bf20ac679f60a1d679cc6452dda8915718698e20136c2e24a607.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
Modifies registry class 12 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings OfficeClickToRun.exe Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings OfficeClickToRun.exe Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings OfficeClickToRun.exe Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings OfficeClickToRun.exe Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings OfficeClickToRun.exe Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings OfficeClickToRun.exe Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings OfficeClickToRun.exe Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings JaffaCakes118_b87080c7ac76bf20ac679f60a1d679cc6452dda8915718698e20136c2e24a607.exe Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings OfficeClickToRun.exe Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings OfficeClickToRun.exe Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings OfficeClickToRun.exe Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings OfficeClickToRun.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 42 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2408 schtasks.exe 1420 schtasks.exe 3620 schtasks.exe 1624 schtasks.exe 320 schtasks.exe 4596 schtasks.exe 2512 schtasks.exe 4644 schtasks.exe 2720 schtasks.exe 4192 schtasks.exe 748 schtasks.exe 1688 schtasks.exe 2340 schtasks.exe 2708 schtasks.exe 220 schtasks.exe 2124 schtasks.exe 1196 schtasks.exe 3964 schtasks.exe 4012 schtasks.exe 4544 schtasks.exe 4140 schtasks.exe 3468 schtasks.exe 264 schtasks.exe 4548 schtasks.exe 1580 schtasks.exe 864 schtasks.exe 1412 schtasks.exe 3936 schtasks.exe 1744 schtasks.exe 1916 schtasks.exe 1408 schtasks.exe 4924 schtasks.exe 3772 schtasks.exe 1140 schtasks.exe 1272 schtasks.exe 4064 schtasks.exe 2796 schtasks.exe 1588 schtasks.exe 4184 schtasks.exe 2996 schtasks.exe 3904 schtasks.exe 1236 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 3908 DllCommonsvc.exe 3908 DllCommonsvc.exe 3908 DllCommonsvc.exe 3908 DllCommonsvc.exe 3908 DllCommonsvc.exe 3908 DllCommonsvc.exe 3908 DllCommonsvc.exe 3908 DllCommonsvc.exe 3908 DllCommonsvc.exe 3908 DllCommonsvc.exe 3908 DllCommonsvc.exe 4084 powershell.exe 4084 powershell.exe 1300 powershell.exe 1300 powershell.exe 1512 powershell.exe 1512 powershell.exe 3172 powershell.exe 3172 powershell.exe 3604 powershell.exe 3604 powershell.exe 1644 powershell.exe 1644 powershell.exe 4592 powershell.exe 4592 powershell.exe 1480 powershell.exe 1480 powershell.exe 4332 powershell.exe 4332 powershell.exe 3464 powershell.exe 3464 powershell.exe 3056 powershell.exe 3056 powershell.exe 2588 powershell.exe 2588 powershell.exe 4772 powershell.exe 4772 powershell.exe 608 powershell.exe 608 powershell.exe 1204 powershell.exe 1204 powershell.exe 2108 OfficeClickToRun.exe 2108 OfficeClickToRun.exe 3056 powershell.exe 1300 powershell.exe 1512 powershell.exe 1480 powershell.exe 1644 powershell.exe 3172 powershell.exe 3604 powershell.exe 4084 powershell.exe 4592 powershell.exe 4332 powershell.exe 4772 powershell.exe 3464 powershell.exe 608 powershell.exe 2588 powershell.exe 1204 powershell.exe 1152 OfficeClickToRun.exe 4620 OfficeClickToRun.exe 3100 OfficeClickToRun.exe 872 OfficeClickToRun.exe 4188 OfficeClickToRun.exe 4908 OfficeClickToRun.exe -
Suspicious use of AdjustPrivilegeToken 28 IoCs
description pid Process Token: SeDebugPrivilege 3908 DllCommonsvc.exe Token: SeDebugPrivilege 4084 powershell.exe Token: SeDebugPrivilege 1300 powershell.exe Token: SeDebugPrivilege 1512 powershell.exe Token: SeDebugPrivilege 3172 powershell.exe Token: SeDebugPrivilege 3604 powershell.exe Token: SeDebugPrivilege 1644 powershell.exe Token: SeDebugPrivilege 4592 powershell.exe Token: SeDebugPrivilege 1480 powershell.exe Token: SeDebugPrivilege 4772 powershell.exe Token: SeDebugPrivilege 4332 powershell.exe Token: SeDebugPrivilege 3056 powershell.exe Token: SeDebugPrivilege 3464 powershell.exe Token: SeDebugPrivilege 2588 powershell.exe Token: SeDebugPrivilege 608 powershell.exe Token: SeDebugPrivilege 2108 OfficeClickToRun.exe Token: SeDebugPrivilege 1204 powershell.exe Token: SeDebugPrivilege 1152 OfficeClickToRun.exe Token: SeDebugPrivilege 4620 OfficeClickToRun.exe Token: SeDebugPrivilege 3100 OfficeClickToRun.exe Token: SeDebugPrivilege 872 OfficeClickToRun.exe Token: SeDebugPrivilege 4188 OfficeClickToRun.exe Token: SeDebugPrivilege 4908 OfficeClickToRun.exe Token: SeDebugPrivilege 1732 OfficeClickToRun.exe Token: SeDebugPrivilege 3332 OfficeClickToRun.exe Token: SeDebugPrivilege 1808 OfficeClickToRun.exe Token: SeDebugPrivilege 4180 OfficeClickToRun.exe Token: SeDebugPrivilege 2020 OfficeClickToRun.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 5056 wrote to memory of 3460 5056 JaffaCakes118_b87080c7ac76bf20ac679f60a1d679cc6452dda8915718698e20136c2e24a607.exe 82 PID 5056 wrote to memory of 3460 5056 JaffaCakes118_b87080c7ac76bf20ac679f60a1d679cc6452dda8915718698e20136c2e24a607.exe 82 PID 5056 wrote to memory of 3460 5056 JaffaCakes118_b87080c7ac76bf20ac679f60a1d679cc6452dda8915718698e20136c2e24a607.exe 82 PID 3460 wrote to memory of 2688 3460 WScript.exe 83 PID 3460 wrote to memory of 2688 3460 WScript.exe 83 PID 3460 wrote to memory of 2688 3460 WScript.exe 83 PID 2688 wrote to memory of 3908 2688 cmd.exe 85 PID 2688 wrote to memory of 3908 2688 cmd.exe 85 PID 3908 wrote to memory of 1204 3908 DllCommonsvc.exe 129 PID 3908 wrote to memory of 1204 3908 DllCommonsvc.exe 129 PID 3908 wrote to memory of 1512 3908 DllCommonsvc.exe 130 PID 3908 wrote to memory of 1512 3908 DllCommonsvc.exe 130 PID 3908 wrote to memory of 3464 3908 DllCommonsvc.exe 131 PID 3908 wrote to memory of 3464 3908 DllCommonsvc.exe 131 PID 3908 wrote to memory of 1480 3908 DllCommonsvc.exe 132 PID 3908 wrote to memory of 1480 3908 DllCommonsvc.exe 132 PID 3908 wrote to memory of 4592 3908 DllCommonsvc.exe 133 PID 3908 wrote to memory of 4592 3908 DllCommonsvc.exe 133 PID 3908 wrote to memory of 4332 3908 DllCommonsvc.exe 134 PID 3908 wrote to memory of 4332 3908 DllCommonsvc.exe 134 PID 3908 wrote to memory of 1300 3908 DllCommonsvc.exe 135 PID 3908 wrote to memory of 1300 3908 DllCommonsvc.exe 135 PID 3908 wrote to memory of 2588 3908 DllCommonsvc.exe 136 PID 3908 wrote to memory of 2588 3908 DllCommonsvc.exe 136 PID 3908 wrote to memory of 4772 3908 DllCommonsvc.exe 137 PID 3908 wrote to memory of 4772 3908 DllCommonsvc.exe 137 PID 3908 wrote to memory of 1644 3908 DllCommonsvc.exe 138 PID 3908 wrote to memory of 1644 3908 DllCommonsvc.exe 138 PID 3908 wrote to memory of 4084 3908 DllCommonsvc.exe 139 PID 3908 wrote to memory of 4084 3908 DllCommonsvc.exe 139 PID 3908 wrote to memory of 3056 3908 DllCommonsvc.exe 140 PID 3908 wrote to memory of 3056 3908 DllCommonsvc.exe 140 PID 3908 wrote to memory of 3604 3908 DllCommonsvc.exe 141 PID 3908 wrote to memory of 3604 3908 DllCommonsvc.exe 141 PID 3908 wrote to memory of 3172 3908 DllCommonsvc.exe 142 PID 3908 wrote to memory of 3172 3908 DllCommonsvc.exe 142 PID 3908 wrote to memory of 608 3908 DllCommonsvc.exe 143 PID 3908 wrote to memory of 608 3908 DllCommonsvc.exe 143 PID 3908 wrote to memory of 2108 3908 DllCommonsvc.exe 158 PID 3908 wrote to memory of 2108 3908 DllCommonsvc.exe 158 PID 2108 wrote to memory of 3028 2108 OfficeClickToRun.exe 163 PID 2108 wrote to memory of 3028 2108 OfficeClickToRun.exe 163 PID 3028 wrote to memory of 2348 3028 cmd.exe 165 PID 3028 wrote to memory of 2348 3028 cmd.exe 165 PID 3028 wrote to memory of 1152 3028 cmd.exe 167 PID 3028 wrote to memory of 1152 3028 cmd.exe 167 PID 1152 wrote to memory of 3172 1152 OfficeClickToRun.exe 171 PID 1152 wrote to memory of 3172 1152 OfficeClickToRun.exe 171 PID 3172 wrote to memory of 3724 3172 cmd.exe 173 PID 3172 wrote to memory of 3724 3172 cmd.exe 173 PID 3172 wrote to memory of 4620 3172 cmd.exe 175 PID 3172 wrote to memory of 4620 3172 cmd.exe 175 PID 4620 wrote to memory of 3500 4620 OfficeClickToRun.exe 176 PID 4620 wrote to memory of 3500 4620 OfficeClickToRun.exe 176 PID 3500 wrote to memory of 4744 3500 cmd.exe 178 PID 3500 wrote to memory of 4744 3500 cmd.exe 178 PID 3500 wrote to memory of 3100 3500 cmd.exe 179 PID 3500 wrote to memory of 3100 3500 cmd.exe 179 PID 3100 wrote to memory of 2204 3100 OfficeClickToRun.exe 180 PID 3100 wrote to memory of 2204 3100 OfficeClickToRun.exe 180 PID 2204 wrote to memory of 4180 2204 cmd.exe 182 PID 2204 wrote to memory of 4180 2204 cmd.exe 182 PID 2204 wrote to memory of 872 2204 cmd.exe 183 PID 2204 wrote to memory of 872 2204 cmd.exe 183 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b87080c7ac76bf20ac679f60a1d679cc6452dda8915718698e20136c2e24a607.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b87080c7ac76bf20ac679f60a1d679cc6452dda8915718698e20136c2e24a607.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5056 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3460 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2688 -
C:\providercommon\DllCommonsvc.exe"C:\providercommon\DllCommonsvc.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3908 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1204
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Documents\sysmon.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1512
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\sihost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3464
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\conhost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1480
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\lsass.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4592
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\OfficeClickToRun.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4332
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\RuntimeBroker.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1300
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\wininit.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2588
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Photo Viewer\it-IT\csrss.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4772
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\SppExtComObj.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1644
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\TableTextService\en-US\services.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4084
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\fontdrvhost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3056
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\fontdrvhost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3604
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Application Data\explorer.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3172
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Media Player\fr-FR\System.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:608
-
-
C:\Recovery\WindowsRE\OfficeClickToRun.exe"C:\Recovery\WindowsRE\OfficeClickToRun.exe"5⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2108 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MNu5MeZyGQ.bat"6⤵
- Suspicious use of WriteProcessMemory
PID:3028 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:27⤵PID:2348
-
-
C:\Recovery\WindowsRE\OfficeClickToRun.exe"C:\Recovery\WindowsRE\OfficeClickToRun.exe"7⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1152 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\f70LHM7oRz.bat"8⤵
- Suspicious use of WriteProcessMemory
PID:3172 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:29⤵PID:3724
-
-
C:\Recovery\WindowsRE\OfficeClickToRun.exe"C:\Recovery\WindowsRE\OfficeClickToRun.exe"9⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4620 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0xFiNVDkrN.bat"10⤵
- Suspicious use of WriteProcessMemory
PID:3500 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:211⤵PID:4744
-
-
C:\Recovery\WindowsRE\OfficeClickToRun.exe"C:\Recovery\WindowsRE\OfficeClickToRun.exe"11⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3100 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oxTQ808hvM.bat"12⤵
- Suspicious use of WriteProcessMemory
PID:2204 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:213⤵PID:4180
-
-
C:\Recovery\WindowsRE\OfficeClickToRun.exe"C:\Recovery\WindowsRE\OfficeClickToRun.exe"13⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:872 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mv5UKbIUPK.bat"14⤵PID:4576
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:215⤵PID:4656
-
-
C:\Recovery\WindowsRE\OfficeClickToRun.exe"C:\Recovery\WindowsRE\OfficeClickToRun.exe"15⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4188 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\a4RGbRhdNM.bat"16⤵PID:1836
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:217⤵PID:1760
-
-
C:\Recovery\WindowsRE\OfficeClickToRun.exe"C:\Recovery\WindowsRE\OfficeClickToRun.exe"17⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4908 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7kLsQlNPpi.bat"18⤵PID:2472
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:219⤵PID:4408
-
-
C:\Recovery\WindowsRE\OfficeClickToRun.exe"C:\Recovery\WindowsRE\OfficeClickToRun.exe"19⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1732 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KRs2fZV4we.bat"20⤵PID:1584
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:221⤵PID:1648
-
-
C:\Recovery\WindowsRE\OfficeClickToRun.exe"C:\Recovery\WindowsRE\OfficeClickToRun.exe"21⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:3332 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0xFiNVDkrN.bat"22⤵PID:5044
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:223⤵PID:1688
-
-
C:\Recovery\WindowsRE\OfficeClickToRun.exe"C:\Recovery\WindowsRE\OfficeClickToRun.exe"23⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1808 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jFXOGCU6Cq.bat"24⤵PID:3756
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:225⤵PID:3984
-
-
C:\Recovery\WindowsRE\OfficeClickToRun.exe"C:\Recovery\WindowsRE\OfficeClickToRun.exe"25⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4180 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\c0TJHXkWh8.bat"26⤵PID:2276
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:227⤵PID:4004
-
-
C:\Recovery\WindowsRE\OfficeClickToRun.exe"C:\Recovery\WindowsRE\OfficeClickToRun.exe"27⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2020
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmons" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Documents\sysmon.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2340
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Users\All Users\Documents\sysmon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2512
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmons" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Documents\sysmon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2708
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihosts" /sc MINUTE /mo 7 /tr "'C:\providercommon\sihost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4644
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\providercommon\sihost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:220
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihosts" /sc MINUTE /mo 6 /tr "'C:\providercommon\sihost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2124
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\providercommon\conhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1140
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:264
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4012
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1272
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1744
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2996
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4544
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4548
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1580
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\RuntimeBroker.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4064
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2796
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1196
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\providercommon\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2720
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\providercommon\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4192
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\providercommon\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4140
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:864
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1916
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1588
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 6 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\SppExtComObj.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1408
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\SppExtComObj.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2408
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 13 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\SppExtComObj.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4184
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\services.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3964
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1420
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1412
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\providercommon\fontdrvhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4924
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\providercommon\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3904
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\providercommon\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1688
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Program Files\Reference Assemblies\fontdrvhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:748
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3620
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Program Files\Reference Assemblies\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3936
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Application Data\explorer.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1624
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Default\Application Data\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3772
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Application Data\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1236
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Media Player\fr-FR\System.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3468
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\fr-FR\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:320
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Media Player\fr-FR\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4596
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5baf55b95da4a601229647f25dad12878
SHA1abc16954ebfd213733c4493fc1910164d825cac8
SHA256ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924
SHA51224f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
944B
MD5d28a889fd956d5cb3accfbaf1143eb6f
SHA1157ba54b365341f8ff06707d996b3635da8446f7
SHA25621e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45
SHA5120b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c
-
Filesize
944B
MD53a6bad9528f8e23fb5c77fbd81fa28e8
SHA1f127317c3bc6407f536c0f0600dcbcf1aabfba36
SHA256986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05
SHA512846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2
-
Filesize
944B
MD5a8e8360d573a4ff072dcc6f09d992c88
SHA13446774433ceaf0b400073914facab11b98b6807
SHA256bf5e284e8f95122bf75ead61c7e2b40f55c96742b05330b5b1cb7915991df13b
SHA5124ee5167643d82082f57c42616007ef9be57f43f9731921bdf7bca611a914724ad94072d3c8f5b130fa54129e5328ccdebf37ba74339c37deb53e79df5cdf0dbe
-
Filesize
944B
MD5cadef9abd087803c630df65264a6c81c
SHA1babbf3636c347c8727c35f3eef2ee643dbcc4bd2
SHA256cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438
SHA5127278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085
-
Filesize
944B
MD559d97011e091004eaffb9816aa0b9abd
SHA11602a56b01dd4b7c577ca27d3117e4bcc1aa657b
SHA25618f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d
SHA512d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6
-
Filesize
944B
MD5e243a38635ff9a06c87c2a61a2200656
SHA1ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc
SHA256af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f
SHA5124418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4
-
Filesize
207B
MD5e51a5602e245542530f323b58ab2bf2a
SHA12e82c28c95d641a3848134dd40a05f9c8b3233cc
SHA256a873c9164370f7a9fb09a68da59cd21e19f319cd601dbcea01d284403103fc31
SHA512b35d24fd6d1da3ca7e7d808fc52bbf8589eea9a8acd480368e603b5ec8dfa3b31066b9fd106bb80d173eb73de5082011ab2de5fccc5fe7b00a709813d5852a91
-
Filesize
207B
MD5d5a83ed84081c71cb41e317c1c7d32a2
SHA1e13670ba30cc2175ec45d0513154f2c4eec4bbec
SHA256d5c03ece05ad7d46ed8959e9b713f6e6a987606389148dd772485cbc3e936566
SHA512e931d26471d967f4caac219d93ac95b03fe6449c85e91da0d280ed47248e12a6417412e98765e6ef3171c6acff3f43f2c4a4f218988e0b53ec37450e7412c092
-
Filesize
207B
MD5e6c966c11117948df7165b9739719ec9
SHA17959c7a07242869baae3cff75c0e1cd5028e1120
SHA2564a62183a3acf40c0d86a1a6b9ad9175c0268f15fa94bb278fab18bc8d0b6f730
SHA512d6212011102e347084d6de7568b2daf7bfcca5a260383535e3000109a7e604b104805f626e791fb8ebc9dc8997694d86d9753ba6df2ec45ff2a1f11db26b8d8c
-
Filesize
207B
MD534d085a26b3925a7e23deaf1090d2076
SHA1a1ea0b6a1085b316f60f39f143647fc169e520e9
SHA25666433e1b62b725cfa2319a789a0c2e381afc77415d9ba7d41c24448851e4dbbf
SHA512ecd306e1e7ceb40502843f563948f84193fd2d734e63072fe89b63372aa25c2f10eee195ae20601956ad5417cbafa3ceddfefef2fd16866cb9a39d9962136f65
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
207B
MD58696ea430e523a372e11b8b0b6e418a7
SHA1399749fbe60f8174cebcb49929dba77f064d2b6e
SHA2569f7994a939331d6c2f5576c652db0604b6c3f73e83dfa2be74494e0803d5149f
SHA51207185cdffa52d0f0a6ef9f481a8c6b22627297007af089368f885595030ca1fa4753c315f2a48119aafb0450bced658abdc1ba4dd545f30a26281f911099e84b
-
Filesize
207B
MD5857b0dad83817b8789cce974a61fbed4
SHA151d57ee953dcbfb94a527099c34c814b60d184f4
SHA2563eeceb3c1ab8418fb35ead4eff905806403fda1e94cfef2c8e61065431d8bcf8
SHA512ac71c5a8419bd1df728b42b96020ab617abe57d3cd2d07658688ab2260be9ec245c7ecb58becdb07d7e3d70111c1a0a7c71cd7f001034cb89ccfd84813a6f976
-
Filesize
207B
MD5c601c10ddb536f1076db8813c2b55aaf
SHA1b6985331e3edcb45c42756148cbfb47406e24403
SHA256a73d214f45124142fdf7a9b0ac23b01d81e5672ab0f4fc143a6a8fc0fd7586dc
SHA512d0ba969bc55cb14137a73548a6ab00dde0d82c33cb0855f404cb68d3275f8a22bd34d0008445198f66850c02fec21820156ee72de114bc6380dea5fd1b9d02e1
-
Filesize
207B
MD5d1ca170840818c3830f9b668a85a94f3
SHA110af01a0e1e0125da0b8700e9c825b9158073565
SHA2569af4bf7919415a98de6330eaa5951f8589cb645a36e6cf1246cb2eaec510cfaa
SHA512588103a407d51cc3ae81db75046edcdaf0dc1f795fd008d8bda843669d7d9096a8dcbc6810df5b49c994ab0b93b94004127d242571ca27cfaf0fee11cc423c21
-
Filesize
207B
MD5fa4a5c7b5983fa40039a0f1d8cffef5f
SHA10c9b0d6c93dfd9b5ef90b9c2186991905d24afb6
SHA25663465f89eadd14f425238dccd3d8dc415eafe772d8262277a8b92a2ab294522c
SHA5122fd090f7b55d37bc8e1266bb174eac3e678e9fcea41a3ffc352d5a5199f71ee3ce5dd257a88bb77fe7a20b0adc52fcb5d917165ecdbe260e6421a1046cc763fa
-
Filesize
207B
MD523fa27014cb6ec026b06bce94bc6644b
SHA10663eb929b919adf769458e99abf5bcd39165d20
SHA2560b5f78f37b609d44875c78dd6d29084996744fdcc8570f20fc1698e70aad670b
SHA512fa95f110beee77efdb276eba2d5f5d520f099e281052ea17001390f23f6cdd3fb3495d25e5ffce5bb24dcccd2d1764d3d47f149e9c608225820f71d10ada35f0
-
Filesize
36B
MD56783c3ee07c7d151ceac57f1f9c8bed7
SHA117468f98f95bf504cc1f83c49e49a78526b3ea03
SHA2568ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8
-
Filesize
1.0MB
MD5bd31e94b4143c4ce49c17d3af46bcad0
SHA1f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
Filesize
197B
MD58088241160261560a02c84025d107592
SHA1083121f7027557570994c9fc211df61730455bb5
SHA2562072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA51220d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478