Analysis
- max time kernel: 149s
- max time network: 146s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 22-12-2024 01:02
Behavioral task behavioral1
- Sample: JaffaCakes118_6b144bcf04c6f084a1bb7fc699a57110245ebed317855dbf2ec5a168e01c6de8.exe
- Resource: win7-20241010-en

Behavioral task behavioral2
- Sample: JaffaCakes118_6b144bcf04c6f084a1bb7fc699a57110245ebed317855dbf2ec5a168e01c6de8.exe
- Resource: win10v2004-20241007-en
General
- Target: JaffaCakes118_6b144bcf04c6f084a1bb7fc699a57110245ebed317855dbf2ec5a168e01c6de8.exe
- Size: 1.3MB
- MD5: 64cae7d041c959ee7545970d9622c85c
- SHA1: 1cf9db970ac32d19cd3db570ac42739ec3589549
- SHA256: 6b144bcf04c6f084a1bb7fc699a57110245ebed317855dbf2ec5a168e01c6de8
- SHA512: 4bcf5b15c5213bfc07b19045bcd30c690910f8c1db458bfc284c7b48b055c43be57788409ca83b29cf1c728d5b3c62e0d40b07d30a64b21b6be2805d448c5651
- SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config

Signatures

DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.

Dcrat family

Process spawned unexpected child process (39 IoCs)
This typically indicates that the parent process was compromised via an exploit or a macro.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3660 | 4564 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3004 | 4564 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2476 | 4564 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2172 | 4564 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1916 | 4564 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3712 | 4564 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4588 | 4564 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3188 | 4564 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1912 | 4564 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4420 | 4564 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1572 | 4564 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3792 | 4564 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2860 | 4564 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1144 | 4564 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2488 | 4564 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3908 | 4564 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3592 | 4564 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4808 | 4564 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 456 | 4564 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4328 | 4564 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1960 | 4564 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3644 | 4564 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3320 | 4564 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 340 | 4564 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1784 | 4564 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4828 | 4564 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 820 | 4564 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3460 | 4564 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4076 | 4564 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1008 | 4564 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1996 | 4564 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1480 | 4564 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1100 | 4564 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2924 | 4564 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3352 | 4564 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4260 | 4564 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1720 | 4564 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 5100 | 4564 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1896 | 4564 | schtasks.exe | 86
resource | yara_rule
behavioral2/files/0x000a000000023b82-9.dat | dcrat
behavioral2/memory/3516-13-0x0000000000A60000-0x0000000000B70000-memory.dmp | dcrat
Command and Scripting Interpreter: PowerShell (1 TTPs, 15 IoCs)
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
pid | Process
5000 | powershell.exe
4424 | powershell.exe
4596 | powershell.exe
5064 | powershell.exe
816 | powershell.exe
2388 | powershell.exe
3956 | powershell.exe
2180 | powershell.exe
2360 | powershell.exe
4932 | powershell.exe
3132 | powershell.exe
3296 | powershell.exe
4604 | powershell.exe
4648 | powershell.exe
1484 | powershell.exe
Checks computer location settings (2 TTPs, 15 IoCs)
Looks up the country code configured in the registry, likely for geofencing.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | DllCommonsvc.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | DllCommonsvc.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | upfc.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | upfc.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | JaffaCakes118_6b144bcf04c6f084a1bb7fc699a57110245ebed317855dbf2ec5a168e01c6de8.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | upfc.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | WScript.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | upfc.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | upfc.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | upfc.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | upfc.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | upfc.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | upfc.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | upfc.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | upfc.exe
Executes dropped EXE (14 IoCs)
pid | Process
3516 | DllCommonsvc.exe
2716 | DllCommonsvc.exe
4320 | upfc.exe
3292 | upfc.exe
4176 | upfc.exe
3944 | upfc.exe
3688 | upfc.exe
2688 | upfc.exe
4384 | upfc.exe
372 | upfc.exe
4936 | upfc.exe
5000 | upfc.exe
1724 | upfc.exe
3120 | upfc.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 12 IoCs)
flow | ioc
40 | raw.githubusercontent.com
43 | raw.githubusercontent.com
48 | raw.githubusercontent.com
50 | raw.githubusercontent.com
20 | raw.githubusercontent.com
36 | raw.githubusercontent.com
37 | raw.githubusercontent.com
47 | raw.githubusercontent.com
49 | raw.githubusercontent.com
19 | raw.githubusercontent.com
22 | raw.githubusercontent.com
41 | raw.githubusercontent.com
Drops file in Program Files directory (11 IoCs)
description | ioc | Process
File created | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_87484\dwm.exe | DllCommonsvc.exe
File created | C:\Program Files\VideoLAN\VLC\RuntimeBroker.exe | DllCommonsvc.exe
File created | C:\Program Files\VideoLAN\VLC\9e8d7a4ca61bd9 | DllCommonsvc.exe
File created | C:\Program Files\VideoLAN\VLC\e6c9b481da804f | DllCommonsvc.exe
File created | C:\Program Files (x86)\Google\Update\1.3.36.371\5b884080fd4f94 | DllCommonsvc.exe
File opened for modification | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\wininit.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\56085415360792 | DllCommonsvc.exe
File created | C:\Program Files\VideoLAN\VLC\OfficeClickToRun.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\Google\Update\1.3.36.371\fontdrvhost.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\wininit.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_87484\6cb0b6c459d5d3 | DllCommonsvc.exe
Drops file in Windows directory (10 IoCs)
description | ioc | Process
File created | C:\Windows\fr-FR\29c1c3cc0f7685 | DllCommonsvc.exe
File created | C:\Windows\Downloaded Program Files\taskhostw.exe | DllCommonsvc.exe
File created | C:\Windows\Containers\serviced\f3b6ecef712a24 | DllCommonsvc.exe
File created | C:\Windows\IdentityCRL\INT\sppsvc.exe | DllCommonsvc.exe
File created | C:\Windows\IdentityCRL\INT\0a1fd5f707cd16 | DllCommonsvc.exe
File created | C:\Windows\diagnostics\scheduled\Maintenance\StartMenuExperienceHost.exe | DllCommonsvc.exe
File created | C:\Windows\fr-FR\unsecapp.exe | DllCommonsvc.exe
File created | C:\Windows\Containers\serviced\spoolsv.exe | DllCommonsvc.exe
File opened for modification | C:\Windows\Containers\serviced\spoolsv.exe | DllCommonsvc.exe
File created | C:\Windows\Downloaded Program Files\ea9f0e6c9e2dcd | DllCommonsvc.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim host in order to infer its geographical location.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_6b144bcf04c6f084a1bb7fc699a57110245ebed317855dbf2ec5a168e01c6de8.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Modifies registry class (14 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | DllCommonsvc.exe
Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | DllCommonsvc.exe
Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | upfc.exe
Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | upfc.exe
Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | upfc.exe
Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | JaffaCakes118_6b144bcf04c6f084a1bb7fc699a57110245ebed317855dbf2ec5a168e01c6de8.exe
Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | upfc.exe
Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | upfc.exe
Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | upfc.exe
Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | upfc.exe
Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | upfc.exe
Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | upfc.exe
Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | upfc.exe
Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | upfc.exe
Scheduled Task/Job: Scheduled Task (1 TTPs, 39 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
3352 | schtasks.exe
4588 | schtasks.exe
4828 | schtasks.exe
3460 | schtasks.exe
1960 | schtasks.exe
820 | schtasks.exe
4076 | schtasks.exe
1996 | schtasks.exe
3712 | schtasks.exe
3188 | schtasks.exe
3908 | schtasks.exe
1008 | schtasks.exe
4420 | schtasks.exe
2860 | schtasks.exe
1784 | schtasks.exe
2924 | schtasks.exe
3004 | schtasks.exe
3792 | schtasks.exe
4808 | schtasks.exe
2172 | schtasks.exe
2488 | schtasks.exe
456 | schtasks.exe
1912 | schtasks.exe
3592 | schtasks.exe
5100 | schtasks.exe
1144 | schtasks.exe
3644 | schtasks.exe
3320 | schtasks.exe
340 | schtasks.exe
1480 | schtasks.exe
2476 | schtasks.exe
1916 | schtasks.exe
1572 | schtasks.exe
1100 | schtasks.exe
1720 | schtasks.exe
1896 | schtasks.exe
3660 | schtasks.exe
4328 | schtasks.exe
4260 | schtasks.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process (consecutive duplicate entries collapsed, count in parentheses)
3516 | DllCommonsvc.exe
2180 | powershell.exe (2)
4424 | powershell.exe
1484 | powershell.exe
4424 | powershell.exe
1484 | powershell.exe
2716 | DllCommonsvc.exe (13)
2388 | powershell.exe (2)
2360 | powershell.exe (2)
816 | powershell.exe (2)
4596 | powershell.exe (2)
3296 | powershell.exe (2)
4932 | powershell.exe (2)
4648 | powershell.exe (2)
5064 | powershell.exe (2)
3132 | powershell.exe (2)
5000 | powershell.exe (2)
4604 | powershell.exe (2)
3956 | powershell.exe (2)
3296 | powershell.exe
4648 | powershell.exe
816 | powershell.exe
2360 | powershell.exe
2388 | powershell.exe
4932 | powershell.exe
5000 | powershell.exe
5064 | powershell.exe
3132 | powershell.exe
4596 | powershell.exe
4604 | powershell.exe
3956 | powershell.exe
4320 | upfc.exe
3292 | upfc.exe
4176 | upfc.exe
3944 | upfc.exe
3688 | upfc.exe
2688 | upfc.exe
4384 | upfc.exe
372 | upfc.exe
Suspicious use of AdjustPrivilegeToken (29 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 3516 | DllCommonsvc.exe
Token: SeDebugPrivilege | 2180 | powershell.exe
Token: SeDebugPrivilege | 1484 | powershell.exe
Token: SeDebugPrivilege | 4424 | powershell.exe
Token: SeDebugPrivilege | 2716 | DllCommonsvc.exe
Token: SeDebugPrivilege | 4648 | powershell.exe
Token: SeDebugPrivilege | 2388 | powershell.exe
Token: SeDebugPrivilege | 3296 | powershell.exe
Token: SeDebugPrivilege | 2360 | powershell.exe
Token: SeDebugPrivilege | 4596 | powershell.exe
Token: SeDebugPrivilege | 816 | powershell.exe
Token: SeDebugPrivilege | 4932 | powershell.exe
Token: SeDebugPrivilege | 5064 | powershell.exe
Token: SeDebugPrivilege | 3132 | powershell.exe
Token: SeDebugPrivilege | 5000 | powershell.exe
Token: SeDebugPrivilege | 4604 | powershell.exe
Token: SeDebugPrivilege | 3956 | powershell.exe
Token: SeDebugPrivilege | 4320 | upfc.exe
Token: SeDebugPrivilege | 3292 | upfc.exe
Token: SeDebugPrivilege | 4176 | upfc.exe
Token: SeDebugPrivilege | 3944 | upfc.exe
Token: SeDebugPrivilege | 3688 | upfc.exe
Token: SeDebugPrivilege | 2688 | upfc.exe
Token: SeDebugPrivilege | 4384 | upfc.exe
Token: SeDebugPrivilege | 372 | upfc.exe
Token: SeDebugPrivilege | 4936 | upfc.exe
Token: SeDebugPrivilege | 5000 | upfc.exe
Token: SeDebugPrivilege | 1724 | upfc.exe
Token: SeDebugPrivilege | 3120 | upfc.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target (consecutive duplicate entries collapsed, count in parentheses)
PID 972 wrote to memory of 5064 | 972 | JaffaCakes118_6b144bcf04c6f084a1bb7fc699a57110245ebed317855dbf2ec5a168e01c6de8.exe | 82 (3)
PID 5064 wrote to memory of 2352 | 5064 | WScript.exe | 83 (3)
PID 2352 wrote to memory of 3516 | 2352 | cmd.exe | 85 (2)
PID 3516 wrote to memory of 4424 | 3516 | DllCommonsvc.exe | 93 (2)
PID 3516 wrote to memory of 1484 | 3516 | DllCommonsvc.exe | 94 (2)
PID 3516 wrote to memory of 2180 | 3516 | DllCommonsvc.exe | 95 (2)
PID 3516 wrote to memory of 2544 | 3516 | DllCommonsvc.exe | 99 (2)
PID 2544 wrote to memory of 4892 | 2544 | cmd.exe | 101 (2)
PID 2544 wrote to memory of 2716 | 2544 | cmd.exe | 105 (2)
PID 2716 wrote to memory of 2360 | 2716 | DllCommonsvc.exe | 139 (2)
PID 2716 wrote to memory of 5064 | 2716 | DllCommonsvc.exe | 140 (2)
PID 2716 wrote to memory of 5000 | 2716 | DllCommonsvc.exe | 141 (2)
PID 2716 wrote to memory of 816 | 2716 | DllCommonsvc.exe | 142 (2)
PID 2716 wrote to memory of 4932 | 2716 | DllCommonsvc.exe | 143 (2)
PID 2716 wrote to memory of 3132 | 2716 | DllCommonsvc.exe | 144 (2)
PID 2716 wrote to memory of 3296 | 2716 | DllCommonsvc.exe | 145 (2)
PID 2716 wrote to memory of 2388 | 2716 | DllCommonsvc.exe | 146 (2)
PID 2716 wrote to memory of 4596 | 2716 | DllCommonsvc.exe | 147 (2)
PID 2716 wrote to memory of 4604 | 2716 | DllCommonsvc.exe | 148 (2)
PID 2716 wrote to memory of 3956 | 2716 | DllCommonsvc.exe | 149 (2)
PID 2716 wrote to memory of 4648 | 2716 | DllCommonsvc.exe | 150 (2)
PID 2716 wrote to memory of 5020 | 2716 | DllCommonsvc.exe | 163 (2)
PID 5020 wrote to memory of 1152 | 5020 | cmd.exe | 166 (2)
PID 5020 wrote to memory of 4320 | 5020 | cmd.exe | 169 (2)
PID 4320 wrote to memory of 4656 | 4320 | upfc.exe | 170 (2)
PID 4656 wrote to memory of 1800 | 4656 | cmd.exe | 172 (2)
PID 4656 wrote to memory of 3292 | 4656 | cmd.exe | 173 (2)
PID 3292 wrote to memory of 3172 | 3292 | upfc.exe | 174 (2)
PID 3172 wrote to memory of 2308 | 3172 | cmd.exe | 176 (2)
PID 3172 wrote to memory of 4176 | 3172 | cmd.exe | 179 (2)
PID 4176 wrote to memory of 1048 | 4176 | upfc.exe | 180 (2)
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
(each entry gives the process image, its command line, the tree depth, the signatures it triggered, and its PID)

[depth 1] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6b144bcf04c6f084a1bb7fc699a57110245ebed317855dbf2ec5a168e01c6de8.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6b144bcf04c6f084a1bb7fc699a57110245ebed317855dbf2ec5a168e01c6de8.exe"
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID: 972

[depth 2] C:\Windows\SysWOW64\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 5064

[depth 3] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2352

[depth 4] C:\providercommon\DllCommonsvc.exe
  Command line: "C:\providercommon\DllCommonsvc.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 3516

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 4424

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\wininit.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1484

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_87484\dwm.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2180

[depth 5] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\acwGy9TwLI.bat"
  - Suspicious use of WriteProcessMemory
  PID: 2544

[depth 6] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 4892

[depth 6] C:\providercommon\DllCommonsvc.exe
  Command line: "C:\providercommon\DllCommonsvc.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2716

[depth 7] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2360

[depth 7] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Containers\serviced\spoolsv.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 5064

[depth 7] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\WaaSMedicAgent.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 5000

[depth 7] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\VLC\RuntimeBroker.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 816

[depth 7] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 4932

[depth 7] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\IdentityCRL\INT\sppsvc.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 3132

[depth 7] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\fr-FR\unsecapp.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 3296

[depth 7] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Templates\upfc.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2388

[depth 7] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\VLC\OfficeClickToRun.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 4596

[depth 7] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Downloaded Program Files\taskhostw.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 4604

[depth 7] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\smss.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 3956

[depth 7] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\Update\1.3.36.371\fontdrvhost.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 4648

[depth 7] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gQLJKLgDif.bat"
  - Suspicious use of WriteProcessMemory
  PID: 5020

[depth 8] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 1152

[depth 8] C:\Users\Admin\Templates\upfc.exe
  Command line: "C:\Users\Admin\Templates\upfc.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 4320

[depth 9] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JeZnuB4iL9.bat"
  - Suspicious use of WriteProcessMemory
  PID: 4656

[depth 10] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 1800

[depth 10] C:\Users\Admin\Templates\upfc.exe
  Command line: "C:\Users\Admin\Templates\upfc.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 3292

[depth 11] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\o4pIGJu18c.bat"
  - Suspicious use of WriteProcessMemory
  PID: 3172

[depth 12] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2308

[depth 12] C:\Users\Admin\Templates\upfc.exe
  Command line: "C:\Users\Admin\Templates\upfc.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 4176

[depth 13] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\z3bbUpz34c.bat"
  PID: 1048

[depth 14] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 4432

[depth 14] C:\Users\Admin\Templates\upfc.exe
  Command line: "C:\Users\Admin\Templates\upfc.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 3944

[depth 15] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KYEunsIO9t.bat"
  PID: 3596

[depth 16] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 4776

[depth 16] C:\Users\Admin\Templates\upfc.exe
  Command line: "C:\Users\Admin\Templates\upfc.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 3688

[depth 17] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat"
  PID: 4588

[depth 18] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2316

[depth 18] C:\Users\Admin\Templates\upfc.exe
  Command line: "C:\Users\Admin\Templates\upfc.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2688

[depth 19] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Dk8ljd7jBY.bat"
  PID: 4248

[depth 20] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2876

[depth 20] C:\Users\Admin\Templates\upfc.exe
  Command line: "C:\Users\Admin\Templates\upfc.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 4384

[depth 21] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gPrDhQDX5J.bat"
  PID: 2304

[depth 22] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 3196

[depth 22] C:\Users\Admin\Templates\upfc.exe
  Command line: "C:\Users\Admin\Templates\upfc.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 372

[depth 23] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Pbn0SniZDX.bat"
  PID: 3292

[depth 24] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 4996

[depth 24] C:\Users\Admin\Templates\upfc.exe
  Command line: "C:\Users\Admin\Templates\upfc.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  PID: 4936

[depth 25] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QSfwyRFOJU.bat"
  PID: 2584

[depth 26] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 1804

[depth 26] C:\Users\Admin\Templates\upfc.exe
  Command line: "C:\Users\Admin\Templates\upfc.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  PID: 5000

[depth 27] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Nflxmifgtk.bat"
  PID: 2112

[depth 28] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 3228

[depth 28] C:\Users\Admin\Templates\upfc.exe
  Command line: "C:\Users\Admin\Templates\upfc.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  PID: 1724

[depth 29] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Nflxmifgtk.bat"
  PID: 3688

[depth 30] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2008

[depth 30] C:\Users\Admin\Templates\upfc.exe
  Command line: "C:\Users\Admin\Templates\upfc.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID: 3120
C:\Windows\system32\schtasks.exe  (depth 1)
Command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\wininit.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3660

C:\Windows\system32\schtasks.exe  (depth 1)
Command line: schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\wininit.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3004

C:\Windows\system32\schtasks.exe  (depth 1)
Command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\wininit.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2476

C:\Windows\system32\schtasks.exe  (depth 1)
Command line: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_87484\dwm.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2172

C:\Windows\system32\schtasks.exe  (depth 1)
Command line: schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_87484\dwm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1916

C:\Windows\system32\schtasks.exe  (depth 1)
Command line: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_87484\dwm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3712

C:\Windows\system32\schtasks.exe  (depth 1)
Command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Windows\Containers\serviced\spoolsv.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4588

C:\Windows\system32\schtasks.exe  (depth 1)
Command line: schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\Containers\serviced\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3188

C:\Windows\system32\schtasks.exe  (depth 1)
Command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Windows\Containers\serviced\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1912

C:\Windows\system32\schtasks.exe  (depth 1)
Command line: schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\WaaSMedicAgent.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4420

C:\Windows\system32\schtasks.exe  (depth 1)
Command line: schtasks.exe /create /tn "WaaSMedicAgent" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\WaaSMedicAgent.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1572

C:\Windows\system32\schtasks.exe  (depth 1)
Command line: schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\WaaSMedicAgent.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3792

C:\Windows\system32\schtasks.exe  (depth 1)
Command line: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Program Files\VideoLAN\VLC\RuntimeBroker.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2860

C:\Windows\system32\schtasks.exe  (depth 1)
Command line: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\RuntimeBroker.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1144

C:\Windows\system32\schtasks.exe  (depth 1)
Command line: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Program Files\VideoLAN\VLC\RuntimeBroker.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2488

C:\Windows\system32\schtasks.exe  (depth 1)
Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\providercommon\csrss.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3908

C:\Windows\system32\schtasks.exe  (depth 1)
Command line: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3592

C:\Windows\system32\schtasks.exe  (depth 1)
Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4808

C:\Windows\system32\schtasks.exe  (depth 1)
Command line: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Windows\IdentityCRL\INT\sppsvc.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:456

C:\Windows\system32\schtasks.exe  (depth 1)
Command line: schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\IdentityCRL\INT\sppsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4328

C:\Windows\system32\schtasks.exe  (depth 1)
Command line: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Windows\IdentityCRL\INT\sppsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1960

C:\Windows\system32\schtasks.exe  (depth 1)
Command line: schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 7 /tr "'C:\Windows\fr-FR\unsecapp.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3644

C:\Windows\system32\schtasks.exe  (depth 1)
Command line: schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Windows\fr-FR\unsecapp.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3320

C:\Windows\system32\schtasks.exe  (depth 1)
Command line: schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 14 /tr "'C:\Windows\fr-FR\unsecapp.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:340

C:\Windows\system32\schtasks.exe  (depth 1)
Command line: schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Templates\upfc.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1784

C:\Windows\system32\schtasks.exe  (depth 1)
Command line: schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Users\Admin\Templates\upfc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4828

C:\Windows\system32\schtasks.exe  (depth 1)
Command line: schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Templates\upfc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:820

C:\Windows\system32\schtasks.exe  (depth 1)
Command line: schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 11 /tr "'C:\Program Files\VideoLAN\VLC\OfficeClickToRun.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3460

C:\Windows\system32\schtasks.exe  (depth 1)
Command line: schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\OfficeClickToRun.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4076

C:\Windows\system32\schtasks.exe  (depth 1)
Command line: schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 11 /tr "'C:\Program Files\VideoLAN\VLC\OfficeClickToRun.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1008

C:\Windows\system32\schtasks.exe  (depth 1)
Command line: schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 6 /tr "'C:\Windows\Downloaded Program Files\taskhostw.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1996

C:\Windows\system32\schtasks.exe  (depth 1)
Command line: schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Windows\Downloaded Program Files\taskhostw.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1480

C:\Windows\system32\schtasks.exe  (depth 1)
Command line: schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 13 /tr "'C:\Windows\Downloaded Program Files\taskhostw.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1100

C:\Windows\system32\schtasks.exe  (depth 1)
Command line: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\smss.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2924

C:\Windows\system32\schtasks.exe  (depth 1)
Command line: schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3352

C:\Windows\system32\schtasks.exe  (depth 1)
Command line: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4260

C:\Windows\system32\schtasks.exe  (depth 1)
Command line: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Google\Update\1.3.36.371\fontdrvhost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1720

C:\Windows\system32\schtasks.exe  (depth 1)
Command line: schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Update\1.3.36.371\fontdrvhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5100

C:\Windows\system32\schtasks.exe  (depth 1)
Command line: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Google\Update\1.3.36.371\fontdrvhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1896
Network
MITRE ATT&CK Enterprise v15
Downloads