Analysis
- max time kernel: 148s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 21-12-2024 19:32
Behavioral task: behavioral1
- Sample: JaffaCakes118_749f27daba343be10bd2c137545577e30e8ee5573a1d8e50da69b1d09440edbe.exe
- Resource: win7-20241010-en

Behavioral task: behavioral2
- Sample: JaffaCakes118_749f27daba343be10bd2c137545577e30e8ee5573a1d8e50da69b1d09440edbe.exe
- Resource: win10v2004-20241007-en
General
- Target: JaffaCakes118_749f27daba343be10bd2c137545577e30e8ee5573a1d8e50da69b1d09440edbe.exe
- Size: 1.3MB
- MD5: 473c79035b4b089582a4efe505da8bb6
- SHA1: fa5e5d0ac359e3a3f310802f09620e79d2334a17
- SHA256: 749f27daba343be10bd2c137545577e30e8ee5573a1d8e50da69b1d09440edbe
- SHA512: e200cb72e0aaa27b8981ac5932cfeb655b289eaf8f0b99cdb38b78fdd05bb3fa2ef2f23ddc267e3b7225a3842692e8a696977317766d4f76612531f375a79426
- SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
DcRat
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

Dcrat family
Process spawned unexpected child process (51 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.

| description | pid | pid_target | Process | procid_target |
| --- | --- | --- | --- | --- |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2368 | 3592 | schtasks.exe | 88 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4912 | 3592 | schtasks.exe | 88 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2088 | 3592 | schtasks.exe | 88 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1616 | 3592 | schtasks.exe | 88 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2316 | 3592 | schtasks.exe | 88 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2776 | 3592 | schtasks.exe | 88 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1444 | 3592 | schtasks.exe | 88 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2356 | 3592 | schtasks.exe | 88 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4652 | 3592 | schtasks.exe | 88 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4184 | 3592 | schtasks.exe | 88 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 776 | 3592 | schtasks.exe | 88 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4528 | 3592 | schtasks.exe | 88 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1816 | 3592 | schtasks.exe | 88 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2820 | 3592 | schtasks.exe | 88 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 5028 | 3592 | schtasks.exe | 88 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3020 | 3592 | schtasks.exe | 88 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4684 | 3592 | schtasks.exe | 88 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4000 | 3592 | schtasks.exe | 88 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 528 | 3592 | schtasks.exe | 88 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1068 | 3592 | schtasks.exe | 88 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 5104 | 3592 | schtasks.exe | 88 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1724 | 3592 | schtasks.exe | 88 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4396 | 3592 | schtasks.exe | 88 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2108 | 3592 | schtasks.exe | 88 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1688 | 3592 | schtasks.exe | 88 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2856 | 3592 | schtasks.exe | 88 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4440 | 3592 | schtasks.exe | 88 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2148 | 3592 | schtasks.exe | 88 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2896 | 3592 | schtasks.exe | 88 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1908 | 3592 | schtasks.exe | 88 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 5048 | 3592 | schtasks.exe | 88 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2364 | 3592 | schtasks.exe | 88 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4732 | 3592 | schtasks.exe | 88 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3328 | 3592 | schtasks.exe | 88 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1804 | 3592 | schtasks.exe | 88 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4112 | 3592 | schtasks.exe | 88 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3496 | 3592 | schtasks.exe | 88 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2748 | 3592 | schtasks.exe | 88 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1276 | 3592 | schtasks.exe | 88 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1436 | 3592 | schtasks.exe | 88 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3928 | 3592 | schtasks.exe | 88 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1620 | 3592 | schtasks.exe | 88 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4544 | 3592 | schtasks.exe | 88 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4812 | 3592 | schtasks.exe | 88 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3860 | 3592 | schtasks.exe | 88 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4436 | 3592 | schtasks.exe | 88 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4360 | 3592 | schtasks.exe | 88 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 64 | 3592 | schtasks.exe | 88 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1916 | 3592 | schtasks.exe | 88 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3892 | 3592 | schtasks.exe | 88 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1820 | 3592 | schtasks.exe | 88 |

| resource | yara_rule |
| --- | --- |
| behavioral2/files/0x0007000000023ca1-10.dat | dcrat |
| behavioral2/memory/984-13-0x0000000000740000-0x0000000000850000-memory.dmp | dcrat |
Command and Scripting Interpreter: PowerShell (1 TTP, 18 IoCs)
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

| pid | Process |
| --- | --- |
| 4484 | powershell.exe |
| 2804 | powershell.exe |
| 1824 | powershell.exe |
| 2580 | powershell.exe |
| 4408 | powershell.exe |
| 2380 | powershell.exe |
| 2204 | powershell.exe |
| 4836 | powershell.exe |
| 1476 | powershell.exe |
| 2396 | powershell.exe |
| 1464 | powershell.exe |
| 2268 | powershell.exe |
| 1844 | powershell.exe |
| 4792 | powershell.exe |
| 2812 | powershell.exe |
| 3320 | powershell.exe |
| 2716 | powershell.exe |
| 4008 | powershell.exe |
Checks computer location settings (2 TTPs, 15 IoCs)
Looks up the country code configured in the registry, likely a geofence.

| description | ioc | Process |
| --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | TextInputHost.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | TextInputHost.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | TextInputHost.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | TextInputHost.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | DllCommonsvc.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | TextInputHost.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | TextInputHost.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | TextInputHost.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | JaffaCakes118_749f27daba343be10bd2c137545577e30e8ee5573a1d8e50da69b1d09440edbe.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | WScript.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | TextInputHost.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | TextInputHost.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | TextInputHost.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | TextInputHost.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | TextInputHost.exe |
Executes dropped EXE (14 IoCs)

| pid | Process |
| --- | --- |
| 984 | DllCommonsvc.exe |
| 3464 | TextInputHost.exe |
| 1252 | TextInputHost.exe |
| 2100 | TextInputHost.exe |
| 588 | TextInputHost.exe |
| 4312 | TextInputHost.exe |
| 2004 | TextInputHost.exe |
| 2240 | TextInputHost.exe |
| 5688 | TextInputHost.exe |
| 6068 | TextInputHost.exe |
| 2788 | TextInputHost.exe |
| 5308 | TextInputHost.exe |
| 4572 | TextInputHost.exe |
| 2452 | TextInputHost.exe |
Legitimate hosting services abused for malware hosting/C2 (1 TTP, 13 IoCs)

| flow | ioc |
| --- | --- |
| 38 | raw.githubusercontent.com |
| 41 | raw.githubusercontent.com |
| 50 | raw.githubusercontent.com |
| 52 | raw.githubusercontent.com |
| 53 | raw.githubusercontent.com |
| 16 | raw.githubusercontent.com |
| 23 | raw.githubusercontent.com |
| 42 | raw.githubusercontent.com |
| 43 | raw.githubusercontent.com |
| 48 | raw.githubusercontent.com |
| 51 | raw.githubusercontent.com |
| 17 | raw.githubusercontent.com |
| 37 | raw.githubusercontent.com |
Drops file in Program Files directory (12 IoCs)

| description | ioc | Process |
| --- | --- | --- |
| File created | C:\Program Files (x86)\Windows Portable Devices\5940a34987c991 | DllCommonsvc.exe |
| File created | C:\Program Files\Windows Media Player\Skins\cmd.exe | DllCommonsvc.exe |
| File created | C:\Program Files (x86)\Mozilla Maintenance Service\logs\TextInputHost.exe | DllCommonsvc.exe |
| File created | C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Install\5940a34987c991 | DllCommonsvc.exe |
| File created | C:\Program Files\Windows Media Player\Skins\ebf1f9fa8afd6d | DllCommonsvc.exe |
| File created | C:\Program Files (x86)\Windows Mail\OfficeClickToRun.exe | DllCommonsvc.exe |
| File created | C:\Program Files (x86)\Windows Mail\e6c9b481da804f | DllCommonsvc.exe |
| File created | C:\Program Files (x86)\Windows Portable Devices\dllhost.exe | DllCommonsvc.exe |
| File created | C:\Program Files (x86)\Windows Mail\fontdrvhost.exe | DllCommonsvc.exe |
| File created | C:\Program Files (x86)\Windows Mail\5b884080fd4f94 | DllCommonsvc.exe |
| File created | C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Install\dllhost.exe | DllCommonsvc.exe |
| File created | C:\Program Files (x86)\Mozilla Maintenance Service\logs\22eafd247d37c3 | DllCommonsvc.exe |
Drops file in Windows directory (7 IoCs)

| description | ioc | Process |
| --- | --- | --- |
| File created | C:\Windows\INF\ESENT\cmd.exe | DllCommonsvc.exe |
| File created | C:\Windows\INF\ESENT\ebf1f9fa8afd6d | DllCommonsvc.exe |
| File created | C:\Windows\Logs\NetSetup\System.exe | DllCommonsvc.exe |
| File created | C:\Windows\Logs\NetSetup\27d1bcfc3c54e0 | DllCommonsvc.exe |
| File created | C:\Windows\uk-UA\System.exe | DllCommonsvc.exe |
| File created | C:\Windows\uk-UA\27d1bcfc3c54e0 | DllCommonsvc.exe |
| File created | C:\Windows\LanguageOverlayCache\lsass.exe | DllCommonsvc.exe |
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim host in order to infer its geographical location.

| description | ioc | Process |
| --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_749f27daba343be10bd2c137545577e30e8ee5573a1d8e50da69b1d09440edbe.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe |
Modifies registry class (13 IoCs)

| description | ioc | Process |
| --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings | TextInputHost.exe |
| Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings | TextInputHost.exe |
| Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings | TextInputHost.exe |
| Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings | TextInputHost.exe |
| Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings | TextInputHost.exe |
| Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings | TextInputHost.exe |
| Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings | JaffaCakes118_749f27daba343be10bd2c137545577e30e8ee5573a1d8e50da69b1d09440edbe.exe |
| Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings | TextInputHost.exe |
| Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings | TextInputHost.exe |
| Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings | TextInputHost.exe |
| Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings | TextInputHost.exe |
| Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings | TextInputHost.exe |
| Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings | TextInputHost.exe |
Scheduled Task/Job: Scheduled Task (1 TTP, 51 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.

| pid | Process |
| --- | --- |
| 5048 | schtasks.exe |
| 4652 | schtasks.exe |
| 4000 | schtasks.exe |
| 4396 | schtasks.exe |
| 4684 | schtasks.exe |
| 3496 | schtasks.exe |
| 2748 | schtasks.exe |
| 1620 | schtasks.exe |
| 1444 | schtasks.exe |
| 776 | schtasks.exe |
| 4528 | schtasks.exe |
| 528 | schtasks.exe |
| 2108 | schtasks.exe |
| 1276 | schtasks.exe |
| 4912 | schtasks.exe |
| 5028 | schtasks.exe |
| 3020 | schtasks.exe |
| 3860 | schtasks.exe |
| 5104 | schtasks.exe |
| 1436 | schtasks.exe |
| 4812 | schtasks.exe |
| 1688 | schtasks.exe |
| 4360 | schtasks.exe |
| 1916 | schtasks.exe |
| 3892 | schtasks.exe |
| 1820 | schtasks.exe |
| 1616 | schtasks.exe |
| 2776 | schtasks.exe |
| 1068 | schtasks.exe |
| 2820 | schtasks.exe |
| 1724 | schtasks.exe |
| 4440 | schtasks.exe |
| 2896 | schtasks.exe |
| 1908 | schtasks.exe |
| 2368 | schtasks.exe |
| 2088 | schtasks.exe |
| 2316 | schtasks.exe |
| 4436 | schtasks.exe |
| 64 | schtasks.exe |
| 1804 | schtasks.exe |
| 4112 | schtasks.exe |
| 4544 | schtasks.exe |
| 2856 | schtasks.exe |
| 2364 | schtasks.exe |
| 4732 | schtasks.exe |
| 2148 | schtasks.exe |
| 3328 | schtasks.exe |
| 3928 | schtasks.exe |
| 2356 | schtasks.exe |
| 4184 | schtasks.exe |
| 1816 | schtasks.exe |
Suspicious behavior: EnumeratesProcesses (64 IoCs)

| pid | Process |
| --- | --- |
| 984 | DllCommonsvc.exe |
| 984 | DllCommonsvc.exe |
| 984 | DllCommonsvc.exe |
| 984 | DllCommonsvc.exe |
| 984 | DllCommonsvc.exe |
| 984 | DllCommonsvc.exe |
| 984 | DllCommonsvc.exe |
| 984 | DllCommonsvc.exe |
| 984 | DllCommonsvc.exe |
| 984 | DllCommonsvc.exe |
| 984 | DllCommonsvc.exe |
| 984 | DllCommonsvc.exe |
| 984 | DllCommonsvc.exe |
| 2204 | powershell.exe |
| 2204 | powershell.exe |
| 2580 | powershell.exe |
| 2580 | powershell.exe |
| 1824 | powershell.exe |
| 1824 | powershell.exe |
| 4792 | powershell.exe |
| 4792 | powershell.exe |
| 4836 | powershell.exe |
| 4836 | powershell.exe |
| 2716 | powershell.exe |
| 2716 | powershell.exe |
| 4484 | powershell.exe |
| 4484 | powershell.exe |
| 1476 | powershell.exe |
| 1476 | powershell.exe |
| 3320 | powershell.exe |
| 3320 | powershell.exe |
| 4408 | powershell.exe |
| 4408 | powershell.exe |
| 4008 | powershell.exe |
| 4008 | powershell.exe |
| 1464 | powershell.exe |
| 1464 | powershell.exe |
| 2804 | powershell.exe |
| 2804 | powershell.exe |
| 2268 | powershell.exe |
| 2268 | powershell.exe |
| 2380 | powershell.exe |
| 2380 | powershell.exe |
| 2396 | powershell.exe |
| 2396 | powershell.exe |
| 2812 | powershell.exe |
| 2812 | powershell.exe |
| 1844 | powershell.exe |
| 1844 | powershell.exe |
| 3464 | TextInputHost.exe |
| 3464 | TextInputHost.exe |
| 2812 | powershell.exe |
| 2580 | powershell.exe |
| 4836 | powershell.exe |
| 2580 | powershell.exe |
| 1824 | powershell.exe |
| 2204 | powershell.exe |
| 2204 | powershell.exe |
| 4792 | powershell.exe |
| 2716 | powershell.exe |
| 1476 | powershell.exe |
| 3320 | powershell.exe |
| 2268 | powershell.exe |
| 1464 | powershell.exe |
Suspicious use of AdjustPrivilegeToken (32 IoCs)

| description | pid | Process |
| --- | --- | --- |
| Token: SeDebugPrivilege | 984 | DllCommonsvc.exe |
| Token: SeDebugPrivilege | 2204 | powershell.exe |
| Token: SeDebugPrivilege | 2580 | powershell.exe |
| Token: SeDebugPrivilege | 4792 | powershell.exe |
| Token: SeDebugPrivilege | 1824 | powershell.exe |
| Token: SeDebugPrivilege | 4836 | powershell.exe |
| Token: SeDebugPrivilege | 2812 | powershell.exe |
| Token: SeDebugPrivilege | 2716 | powershell.exe |
| Token: SeDebugPrivilege | 4484 | powershell.exe |
| Token: SeDebugPrivilege | 1476 | powershell.exe |
| Token: SeDebugPrivilege | 3320 | powershell.exe |
| Token: SeDebugPrivilege | 4408 | powershell.exe |
| Token: SeDebugPrivilege | 4008 | powershell.exe |
| Token: SeDebugPrivilege | 1464 | powershell.exe |
| Token: SeDebugPrivilege | 3464 | TextInputHost.exe |
| Token: SeDebugPrivilege | 2804 | powershell.exe |
| Token: SeDebugPrivilege | 2268 | powershell.exe |
| Token: SeDebugPrivilege | 2380 | powershell.exe |
| Token: SeDebugPrivilege | 2396 | powershell.exe |
| Token: SeDebugPrivilege | 1844 | powershell.exe |
| Token: SeDebugPrivilege | 1252 | TextInputHost.exe |
| Token: SeDebugPrivilege | 2100 | TextInputHost.exe |
| Token: SeDebugPrivilege | 588 | TextInputHost.exe |
| Token: SeDebugPrivilege | 4312 | TextInputHost.exe |
| Token: SeDebugPrivilege | 2004 | TextInputHost.exe |
| Token: SeDebugPrivilege | 2240 | TextInputHost.exe |
| Token: SeDebugPrivilege | 5688 | TextInputHost.exe |
| Token: SeDebugPrivilege | 6068 | TextInputHost.exe |
| Token: SeDebugPrivilege | 2788 | TextInputHost.exe |
| Token: SeDebugPrivilege | 5308 | TextInputHost.exe |
| Token: SeDebugPrivilege | 4572 | TextInputHost.exe |
| Token: SeDebugPrivilege | 2452 | TextInputHost.exe |
Suspicious use of WriteProcessMemory (64 IoCs)

| description | pid | Process | procid_target |
| --- | --- | --- | --- |
| PID 3304 wrote to memory of 3464 | 3304 | JaffaCakes118_749f27daba343be10bd2c137545577e30e8ee5573a1d8e50da69b1d09440edbe.exe | 83 |
| PID 3304 wrote to memory of 3464 | 3304 | JaffaCakes118_749f27daba343be10bd2c137545577e30e8ee5573a1d8e50da69b1d09440edbe.exe | 83 |
| PID 3304 wrote to memory of 3464 | 3304 | JaffaCakes118_749f27daba343be10bd2c137545577e30e8ee5573a1d8e50da69b1d09440edbe.exe | 83 |
| PID 3464 wrote to memory of 1556 | 3464 | WScript.exe | 85 |
| PID 3464 wrote to memory of 1556 | 3464 | WScript.exe | 85 |
| PID 3464 wrote to memory of 1556 | 3464 | WScript.exe | 85 |
| PID 1556 wrote to memory of 984 | 1556 | cmd.exe | 87 |
| PID 1556 wrote to memory of 984 | 1556 | cmd.exe | 87 |
| PID 984 wrote to memory of 1844 | 984 | DllCommonsvc.exe | 141 |
| PID 984 wrote to memory of 1844 | 984 | DllCommonsvc.exe | 141 |
| PID 984 wrote to memory of 2380 | 984 | DllCommonsvc.exe | 142 |
| PID 984 wrote to memory of 2380 | 984 | DllCommonsvc.exe | 142 |
| PID 984 wrote to memory of 4792 | 984 | DllCommonsvc.exe | 143 |
| PID 984 wrote to memory of 4792 | 984 | DllCommonsvc.exe | 143 |
| PID 984 wrote to memory of 4484 | 984 | DllCommonsvc.exe | 144 |
| PID 984 wrote to memory of 4484 | 984 | DllCommonsvc.exe | 144 |
| PID 984 wrote to memory of 2204 | 984 | DllCommonsvc.exe | 146 |
| PID 984 wrote to memory of 2204 | 984 | DllCommonsvc.exe | 146 |
| PID 984 wrote to memory of 2812 | 984 | DllCommonsvc.exe | 147 |
| PID 984 wrote to memory of 2812 | 984 | DllCommonsvc.exe | 147 |
| PID 984 wrote to memory of 4836 | 984 | DllCommonsvc.exe | 148 |
| PID 984 wrote to memory of 4836 | 984 | DllCommonsvc.exe | 148 |
| PID 984 wrote to memory of 1476 | 984 | DllCommonsvc.exe | 149 |
| PID 984 wrote to memory of 1476 | 984 | DllCommonsvc.exe | 149 |
| PID 984 wrote to memory of 2268 | 984 | DllCommonsvc.exe | 150 |
| PID 984 wrote to memory of 2268 | 984 | DllCommonsvc.exe | 150 |
| PID 984 wrote to memory of 4008 | 984 | DllCommonsvc.exe | 157 |
| PID 984 wrote to memory of 4008 | 984 | DllCommonsvc.exe | 157 |
| PID 984 wrote to memory of 4408 | 984 | DllCommonsvc.exe | 158 |
| PID 984 wrote to memory of 4408 | 984 | DllCommonsvc.exe | 158 |
| PID 984 wrote to memory of 1464 | 984 | DllCommonsvc.exe | 159 |
| PID 984 wrote to memory of 1464 | 984 | DllCommonsvc.exe | 159 |
| PID 984 wrote to memory of 2580 | 984 | DllCommonsvc.exe | 160 |
| PID 984 wrote to memory of 2580 | 984 | DllCommonsvc.exe | 160 |
| PID 984 wrote to memory of 2396 | 984 | DllCommonsvc.exe | 161 |
| PID 984 wrote to memory of 2396 | 984 | DllCommonsvc.exe | 161 |
| PID 984 wrote to memory of 3320 | 984 | DllCommonsvc.exe | 162 |
| PID 984 wrote to memory of 3320 | 984 | DllCommonsvc.exe | 162 |
| PID 984 wrote to memory of 1824 | 984 | DllCommonsvc.exe | 163 |
| PID 984 wrote to memory of 1824 | 984 | DllCommonsvc.exe | 163 |
| PID 984 wrote to memory of 2716 | 984 | DllCommonsvc.exe | 164 |
| PID 984 wrote to memory of 2716 | 984 | DllCommonsvc.exe | 164 |
| PID 984 wrote to memory of 2804 | 984 | DllCommonsvc.exe | 165 |
| PID 984 wrote to memory of 2804 | 984 | DllCommonsvc.exe | 165 |
| PID 984 wrote to memory of 3464 | 984 | DllCommonsvc.exe | 176 |
| PID 984 wrote to memory of 3464 | 984 | DllCommonsvc.exe | 176 |
| PID 3464 wrote to memory of 5780 | 3464 | TextInputHost.exe | 184 |
| PID 3464 wrote to memory of 5780 | 3464 | TextInputHost.exe | 184 |
| PID 5780 wrote to memory of 5848 | 5780 | cmd.exe | 186 |
| PID 5780 wrote to memory of 5848 | 5780 | cmd.exe | 186 |
| PID 5780 wrote to memory of 1252 | 5780 | cmd.exe | 194 |
| PID 5780 wrote to memory of 1252 | 5780 | cmd.exe | 194 |
| PID 1252 wrote to memory of 4912 | 1252 | TextInputHost.exe | 196 |
| PID 1252 wrote to memory of 4912 | 1252 | TextInputHost.exe | 196 |
| PID 4912 wrote to memory of 1344 | 4912 | cmd.exe | 198 |
| PID 4912 wrote to memory of 1344 | 4912 | cmd.exe | 198 |
| PID 4912 wrote to memory of 2100 | 4912 | cmd.exe | 202 |
| PID 4912 wrote to memory of 2100 | 4912 | cmd.exe | 202 |
| PID 2100 wrote to memory of 928 | 2100 | TextInputHost.exe | 205 |
| PID 2100 wrote to memory of 928 | 2100 | TextInputHost.exe | 205 |
| PID 928 wrote to memory of 4140 | 928 | cmd.exe | 207 |
| PID 928 wrote to memory of 4140 | 928 | cmd.exe | 207 |
| PID 928 wrote to memory of 588 | 928 | cmd.exe | 209 |
| PID 928 wrote to memory of 588 | 928 | cmd.exe | 209 |
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_749f27daba343be10bd2c137545577e30e8ee5573a1d8e50da69b1d09440edbe.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_749f27daba343be10bd2c137545577e30e8ee5573a1d8e50da69b1d09440edbe.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3304 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3464 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1556 -
C:\providercommon\DllCommonsvc.exe"C:\providercommon\DllCommonsvc.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:984 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1844
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\AccountPictures\fontdrvhost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2380
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\dllhost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4792
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Videos\dllhost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4484
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\INF\ESENT\cmd.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2204
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\Idle.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2812
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\fontdrvhost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4836
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Install\dllhost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1476
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Logs\NetSetup\System.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2268
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\RuntimeBroker.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4008
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\services.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4408
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\Registry.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1464
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\TextInputHost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2580
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Media Player\Skins\cmd.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2396
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\uk-UA\System.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3320
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\fontdrvhost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1824
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\OfficeClickToRun.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2716
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\logs\TextInputHost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2804
-
-
C:\Program Files (x86)\Mozilla Maintenance Service\logs\TextInputHost.exe"C:\Program Files (x86)\Mozilla Maintenance Service\logs\TextInputHost.exe"5⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3464 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BikqvEHWfW.bat"6⤵
- Suspicious use of WriteProcessMemory
PID:5780 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:27⤵PID:5848
-
-
C:\Program Files (x86)\Mozilla Maintenance Service\logs\TextInputHost.exe"C:\Program Files (x86)\Mozilla Maintenance Service\logs\TextInputHost.exe"7⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1252

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\r40S8pVzgD.bat" (depth 8)
- Suspicious use of WriteProcessMemory
PID:4912

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 (depth 9)
PID:1344

C:\Program Files (x86)\Mozilla Maintenance Service\logs\TextInputHost.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\logs\TextInputHost.exe" (depth 9)
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2100

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GX2kvMhQbI.bat" (depth 10)
- Suspicious use of WriteProcessMemory
PID:928

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 (depth 11)
PID:4140

C:\Program Files (x86)\Mozilla Maintenance Service\logs\TextInputHost.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\logs\TextInputHost.exe" (depth 11)
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:588

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uruRJY5g5x.bat" (depth 12)
PID:560

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 (depth 13)
PID:3656

C:\Program Files (x86)\Mozilla Maintenance Service\logs\TextInputHost.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\logs\TextInputHost.exe" (depth 13)
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4312

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SXo39smTXJ.bat" (depth 14)
PID:3360

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 (depth 15)
PID:3008

C:\Program Files (x86)\Mozilla Maintenance Service\logs\TextInputHost.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\logs\TextInputHost.exe" (depth 15)
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2004

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QSfwyRFOJU.bat" (depth 16)
PID:3068

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 (depth 17)
PID:4080

C:\Program Files (x86)\Mozilla Maintenance Service\logs\TextInputHost.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\logs\TextInputHost.exe" (depth 17)
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2240

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Nflxmifgtk.bat" (depth 18)
PID:4700

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 (depth 19)
PID:1248

C:\Program Files (x86)\Mozilla Maintenance Service\logs\TextInputHost.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\logs\TextInputHost.exe" (depth 19)
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:5688

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LdN2yJpTNi.bat" (depth 20)
PID:5728

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 (depth 21)
PID:5868

C:\Program Files (x86)\Mozilla Maintenance Service\logs\TextInputHost.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\logs\TextInputHost.exe" (depth 21)
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:6068

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GX2kvMhQbI.bat" (depth 22)
PID:5456

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 (depth 23)
PID:6112

C:\Program Files (x86)\Mozilla Maintenance Service\logs\TextInputHost.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\logs\TextInputHost.exe" (depth 23)
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2788

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\b7oBPqXqtO.bat" (depth 24)
PID:3680

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 (depth 25)
PID:3996

C:\Program Files (x86)\Mozilla Maintenance Service\logs\TextInputHost.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\logs\TextInputHost.exe" (depth 25)
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:5308

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\j5PKlq1uIo.bat" (depth 26)
PID:3208

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 (depth 27)
PID:3120

C:\Program Files (x86)\Mozilla Maintenance Service\logs\TextInputHost.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\logs\TextInputHost.exe" (depth 27)
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4572

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\x7ZYnkvAkq.bat" (depth 28)
PID:3444

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 (depth 29)
PID:440

C:\Program Files (x86)\Mozilla Maintenance Service\logs\TextInputHost.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\logs\TextInputHost.exe" (depth 29)
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2452
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Users\Public\AccountPictures\fontdrvhost.exe'" /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Public\AccountPictures\fontdrvhost.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Users\Public\AccountPictures\fontdrvhost.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Portable Devices\dllhost.exe'" /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\dllhost.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Portable Devices\dllhost.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Videos\dllhost.exe'" /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Admin\Videos\dllhost.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Videos\dllhost.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Windows\INF\ESENT\cmd.exe'" /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\INF\ESENT\cmd.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Windows\INF\ESENT\cmd.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Mail\fontdrvhost.exe'" /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\fontdrvhost.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Mail\fontdrvhost.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Install\dllhost.exe'" /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Install\dllhost.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Install\dllhost.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Windows\Logs\NetSetup\System.exe'" /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\Logs\NetSetup\System.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Windows\Logs\NetSetup\System.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\providercommon\RuntimeBroker.exe'" /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\providercommon\RuntimeBroker.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\providercommon\RuntimeBroker.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\services.exe'" /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\All Users\services.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\services.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 14 /tr "'C:\providercommon\Registry.exe'" /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\providercommon\Registry.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 8 /tr "'C:\providercommon\Registry.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Media Player\Skins\cmd.exe'" /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\Skins\cmd.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Media Player\Skins\cmd.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Windows\uk-UA\System.exe'" /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\uk-UA\System.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Windows\uk-UA\System.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Mail\OfficeClickToRun.exe'" /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\OfficeClickToRun.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Mail\OfficeClickToRun.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:64

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\TextInputHost.exe'" /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\TextInputHost.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\TextInputHost.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1820
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
1KB
MD5 baf55b95da4a601229647f25dad12878
SHA1 abc16954ebfd213733c4493fc1910164d825cac8
SHA256 ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924
SHA512 24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545
-
Filesize
2KB
MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
944B
MD5 cadef9abd087803c630df65264a6c81c
SHA1 babbf3636c347c8727c35f3eef2ee643dbcc4bd2
SHA256 cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438
SHA512 7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085
-
Filesize
944B
MD5 6d42b6da621e8df5674e26b799c8e2aa
SHA1 ab3ce1327ea1eeedb987ec823d5e0cb146bafa48
SHA256 5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c
SHA512 53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29
-
Filesize
944B
MD5 6d3e9c29fe44e90aae6ed30ccf799ca8
SHA1 c7974ef72264bbdf13a2793ccf1aed11bc565dce
SHA256 2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d
SHA512 60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a
-
Filesize
944B
MD5 a8e8360d573a4ff072dcc6f09d992c88
SHA1 3446774433ceaf0b400073914facab11b98b6807
SHA256 bf5e284e8f95122bf75ead61c7e2b40f55c96742b05330b5b1cb7915991df13b
SHA512 4ee5167643d82082f57c42616007ef9be57f43f9731921bdf7bca611a914724ad94072d3c8f5b130fa54129e5328ccdebf37ba74339c37deb53e79df5cdf0dbe
-
Filesize
944B
MD5 3a6bad9528f8e23fb5c77fbd81fa28e8
SHA1 f127317c3bc6407f536c0f0600dcbcf1aabfba36
SHA256 986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05
SHA512 846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2
-
Filesize
944B
MD5 5f0ddc7f3691c81ee14d17b419ba220d
SHA1 f0ef5fde8bab9d17c0b47137e014c91be888ee53
SHA256 a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5
SHA512 2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3
-
Filesize
536B
MD5 fc7373e40baacb109fbfc19c82cf00f5
SHA1 20a0b81a823fa4dd0851635dc121309839d72069
SHA256 eb98a5578c448aaf03abb8aea0fa5f03f63f29504ccea71b9c7a5df3b8419e67
SHA512 3efb09ef31fdc1f298537147ed0965a988c567610c6cc2f25a621f59315dfcf1c53b158b3acf9ceae6a53edadfee54addaf510db6a1aead47f830f1e62c57aeb
-
Filesize
238B
MD5 ebd6b48eb9607e02514ba794bdec6d30
SHA1 16d094df7d332a76f4db14ae5499242b6f3cbedf
SHA256 93dbf584064ce9e863eead0f3e5bdecffa0aed1d0ba4defd0d8002ac821b6ad9
SHA512 8acc3883951ab3b2d960a8c72e9b6b3da51073addea4722e3db24177e561c12089b67efafb407d0c1e7a25e61caee359368cc16277b64adb9bb3cce49ae0a006
-
Filesize
238B
MD5 c1bdf828fa6bb98179af85334d364067
SHA1 79109c308c900bb3d1360a65e02ef2b255a11e2d
SHA256 722f7435de80cc374f9f86fba9cf3b795547167e37d0329a3ad4bf3a5fac5de0
SHA512 43d7a341f7f40f5ff9ab484831525ab9409b1f34a39706865e3ba685c9e1adddba79ddb70c42663df7957358fc933229fbdedb83e7c99e12c770b104d8784057
-
Filesize
238B
MD5 feb6c604e78164d9ebafa378a1d3dddc
SHA1 7c103c0dadad0bade3c74673b6aa1c3908c36b47
SHA256 2216751a7f870d8209d71d1b4a6607e9ede7e38bfb78f5a3900bf1b4d93a2005
SHA512 5da04d7474f74362e20cc9f7b5f46fdcea95cdb57bf4c0478e838bab618f35f4d29705c9bdc06fe08ad0e69797520b4508eca3e15939ec29663afb359bd8cb54
-
Filesize
238B
MD5 15d1d92ed7932a18d7d3b39699bef3a5
SHA1 217feeaff1eef89636bc3d866309249a845ddeb4
SHA256 f758b3be651c4a10aa8243564811dd8e41e29d7ca333b12ae172884bb9958dd8
SHA512 8c50509e41e4be183dc0c036a68accccac0bc92785fbf4fedbcc13b86d5e8441c7f079b0a836468b8ea3ff5edac463cf29014ea83ee17f114d8f10f659f1ba2c
-
Filesize
238B
MD5 5c120c3334e13573e8d18d96cd28e0b4
SHA1 1732c34fdb377fb8c0e07148acff95d9c1044c73
SHA256 fb23f7a24dd1dc1a1b5153fa5e02cf3d3877246b2b1252a97496e431b8e75c23
SHA512 8d9d34832a27eea1fa7c1efb7ac148961cb6b44bcb4576fa35c063cc0fd392907663aa4f07d821e3fab1294345dfe5c99f75ada1a14a6913324d0e06befbd36d
-
Filesize
238B
MD5 a8d4a9d7d49d89294d845cddb4ec53ed
SHA1 b44ef313a7b6564fd7b2ef25ded522f3845c7c55
SHA256 56959335df2a6c20a184331692f5c2a60fb507ea1b9f0f05db20993728d84439
SHA512 6480d58911d8d28a588df6c24621e848ec6a3243da37907f8cb94b38be9dc5b1163aaa0cac2a0e7cd8a9ad8a0eadfb363989a8d3ad4b2de99833b4e08a19ba54
-
Filesize
60B
MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
238B
MD5 4da6969a75cbbcb595681067b8898878
SHA1 2f23c3ffbd28c83264dd945822fcb3807f3c222e
SHA256 2a2615356a861eb67657c94c5d4f0888d8d58d44b2644880f413a0bd3e01b286
SHA512 513db0c4058953b9857cc476418f01ff5e9490bc5c25ba872b66cab514298066a5aeaf4387eb5d97787c2954b608d2cb33bd2996cceb6eeb0ffd077777cd419c
-
Filesize
238B
MD5 deb61ee714edf075505982bb8427f7df
SHA1 51740c0e53e50dd3453fd27c964d2bfbabedc9d6
SHA256 31473c5fc656df5820c8e6fbd7fc7b881b5c1fd8d1cfb3b6dfef9e9461641d0e
SHA512 4c12e4ff240879639e6f5659e4a0073dc67db6b5e0bb994dbceff63281faeac8acfeb570d7acd30e1b49c0cf1265a40d4fd9d8cff786ba0e5d85771d01065b0c
-
Filesize
238B
MD5 8cd6b253e811514399ee039bda494424
SHA1 13de74d4e4deb0702f3fa1142d11f81c92919119
SHA256 0e801da784aca28629259e3280ca498aaf87e967a4d514ce8f17810017c0ef77
SHA512 dffc68bd106d95c7afe608571077f89572fbca0e9c0aae40c52f2c0b140cac5cc7037ea38516e28baa28707341dce1ac67204c53a0d32624bc3d7d1c69334a1a
-
Filesize
238B
MD5 577f8aa5a02b231505867fafe42c8021
SHA1 b9bdd9d1d2775b4f5c20ee1d5dd27ed6b82c499b
SHA256 cf70d2ab20b760a96a44790534ea143977e482e91b6fe7e01db840a2779e8c74
SHA512 37fa6c6c1c843c7cc095b215d326b2a7fed655e675e1ce873b1c95b68e878f3f4ab6216c5c7c785be14057299d790d02f13bb069249fa156334e74936288d23e
-
Filesize
238B
MD5 3ee2caefb6b49ce24d1f21bcb8e8f869
SHA1 54b570ae3072d1cf8666ed36177a9431546aeb5a
SHA256 4615abb47743f49a401187e6df8ac7da88dce05d27fc15c2eb108407e9c53fa3
SHA512 60f8f28522494de19f371f29b17ec27e8c4557687a358421a34893462797b0d1077c157ee28401397f75f0e38f07e4e9d4bd892307a686e8c304c337fa4e0c95
-
Filesize
36B
MD5 6783c3ee07c7d151ceac57f1f9c8bed7
SHA1 17468f98f95bf504cc1f83c49e49a78526b3ea03
SHA256 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512 c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8
-
Filesize
1.0MB
MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
Filesize
197B
MD5 8088241160261560a02c84025d107592
SHA1 083121f7027557570994c9fc211df61730455bb5
SHA256 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA512 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478