Analysis
max time kernel: 148s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22-12-2024 06:09

Behavioral task: behavioral1
Sample: JaffaCakes118_94ac4eef7e483f211c0a03b6c93d3da6ea7081ebb8551d9fb1da4aeee4dcb2bc.exe
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: JaffaCakes118_94ac4eef7e483f211c0a03b6c93d3da6ea7081ebb8551d9fb1da4aeee4dcb2bc.exe
Resource: win10v2004-20241007-en
General
Target: JaffaCakes118_94ac4eef7e483f211c0a03b6c93d3da6ea7081ebb8551d9fb1da4aeee4dcb2bc.exe
Size: 1.3MB
MD5: 83e23973c9cb6f3d40d11c7ba53c2a3a
SHA1: 17f7135d4a6f6c5c23d239684b6bf3b7efe697ba
SHA256: 94ac4eef7e483f211c0a03b6c93d3da6ea7081ebb8551d9fb1da4aeee4dcb2bc
SHA512: 936a617b5fe27e0e65f998c30732b5aea5d11bcfc13f398c6efc526cd37ac21943bb83970ea949f68c0d8a103835671a4be7f86837ec9bbbaddc6b449e44bfe0
SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config

Signatures

DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.

Dcrat family
Process spawned unexpected child process (42 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3224 | 1728 | schtasks.exe | 90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3320 | 1728 | schtasks.exe | 90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3388 | 1728 | schtasks.exe | 90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2548 | 1728 | schtasks.exe | 90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2668 | 1728 | schtasks.exe | 90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 808 | 1728 | schtasks.exe | 90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4628 | 1728 | schtasks.exe | 90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4528 | 1728 | schtasks.exe | 90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3536 | 1728 | schtasks.exe | 90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 5036 | 1728 | schtasks.exe | 90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4920 | 1728 | schtasks.exe | 90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1632 | 1728 | schtasks.exe | 90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2744 | 1728 | schtasks.exe | 90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3012 | 1728 | schtasks.exe | 90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3836 | 1728 | schtasks.exe | 90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 828 | 1728 | schtasks.exe | 90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2440 | 1728 | schtasks.exe | 90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2348 | 1728 | schtasks.exe | 90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 692 | 1728 | schtasks.exe | 90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1792 | 1728 | schtasks.exe | 90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1724 | 1728 | schtasks.exe | 90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1500 | 1728 | schtasks.exe | 90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 672 | 1728 | schtasks.exe | 90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 996 | 1728 | schtasks.exe | 90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2388 | 1728 | schtasks.exe | 90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1452 | 1728 | schtasks.exe | 90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 372 | 1728 | schtasks.exe | 90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 5068 | 1728 | schtasks.exe | 90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4596 | 1728 | schtasks.exe | 90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3312 | 1728 | schtasks.exe | 90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3996 | 1728 | schtasks.exe | 90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1956 | 1728 | schtasks.exe | 90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1160 | 1728 | schtasks.exe | 90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1404 | 1728 | schtasks.exe | 90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1116 | 1728 | schtasks.exe | 90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4116 | 1728 | schtasks.exe | 90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2240 | 1728 | schtasks.exe | 90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1696 | 1728 | schtasks.exe | 90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2892 | 1728 | schtasks.exe | 90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1972 | 1728 | schtasks.exe | 90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4604 | 1728 | schtasks.exe | 90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1100 | 1728 | schtasks.exe | 90
resource | yara_rule
behavioral2/files/0x000a000000023b71-10.dat | dcrat
behavioral2/memory/3392-13-0x0000000000E90000-0x0000000000FA0000-memory.dmp | dcrat
Command and Scripting Interpreter: PowerShell (1 TTPs, 15 IoCs)
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid | Process
4128 | powershell.exe
3148 | powershell.exe
3328 | powershell.exe
4952 | powershell.exe
1744 | powershell.exe
1020 | powershell.exe
4500 | powershell.exe
4592 | powershell.exe
432 | powershell.exe
612 | powershell.exe
2180 | powershell.exe
4752 | powershell.exe
1780 | powershell.exe
3284 | powershell.exe
2220 | powershell.exe
Checks computer location settings (2 TTPs, 17 IoCs)
Looks up the country code configured in the registry, likely for geofencing.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | fontdrvhost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | fontdrvhost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | fontdrvhost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | fontdrvhost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | fontdrvhost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | WScript.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | fontdrvhost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | fontdrvhost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | fontdrvhost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | fontdrvhost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | fontdrvhost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | DllCommonsvc.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | fontdrvhost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | fontdrvhost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | JaffaCakes118_94ac4eef7e483f211c0a03b6c93d3da6ea7081ebb8551d9fb1da4aeee4dcb2bc.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | fontdrvhost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | fontdrvhost.exe
Executes dropped EXE (16 IoCs)
pid | Process
3392 | DllCommonsvc.exe
2924 | fontdrvhost.exe
3428 | fontdrvhost.exe
1920 | fontdrvhost.exe
628 | fontdrvhost.exe
4656 | fontdrvhost.exe
1100 | fontdrvhost.exe
2472 | fontdrvhost.exe
1768 | fontdrvhost.exe
4768 | fontdrvhost.exe
4828 | fontdrvhost.exe
728 | fontdrvhost.exe
2168 | fontdrvhost.exe
2724 | fontdrvhost.exe
3744 | fontdrvhost.exe
3492 | fontdrvhost.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 15 IoCs)
flow | ioc
55 | raw.githubusercontent.com
56 | raw.githubusercontent.com
22 | raw.githubusercontent.com
36 | raw.githubusercontent.com
43 | raw.githubusercontent.com
44 | raw.githubusercontent.com
48 | raw.githubusercontent.com
21 | raw.githubusercontent.com
49 | raw.githubusercontent.com
50 | raw.githubusercontent.com
27 | raw.githubusercontent.com
58 | raw.githubusercontent.com
42 | raw.githubusercontent.com
57 | raw.githubusercontent.com
59 | raw.githubusercontent.com
Drops file in Program Files directory (12 IoCs)
description | ioc | Process
File created | C:\Program Files\7-Zip\Lang\56085415360792 | DllCommonsvc.exe
File created | C:\Program Files\dotnet\swidtag\conhost.exe | DllCommonsvc.exe
File created | C:\Program Files\dotnet\swidtag\088424020bedd6 | DllCommonsvc.exe
File created | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\5b884080fd4f94 | DllCommonsvc.exe
File created | C:\Program Files\Windows Portable Devices\services.exe | DllCommonsvc.exe
File opened for modification | C:\Program Files\Windows Portable Devices\services.exe | DllCommonsvc.exe
File created | C:\Program Files\WindowsApps\dllhost.exe | DllCommonsvc.exe
File created | C:\Program Files\7-Zip\Lang\wininit.exe | DllCommonsvc.exe
File created | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\fontdrvhost.exe | DllCommonsvc.exe
File created | C:\Program Files\Windows Portable Devices\c5b4cb5e9653cc | DllCommonsvc.exe
File created | C:\Program Files\Windows Multimedia Platform\services.exe | DllCommonsvc.exe
File created | C:\Program Files\Windows Multimedia Platform\c5b4cb5e9653cc | DllCommonsvc.exe
Drops file in Windows directory (5 IoCs)
description | ioc | Process
File created | C:\Windows\fr-FR\sihost.exe | DllCommonsvc.exe
File created | C:\Windows\fr-FR\66fc9ff0ee96c2 | DllCommonsvc.exe
File created | C:\Windows\PrintDialog\conhost.exe | DllCommonsvc.exe
File created | C:\Windows\PrintDialog\088424020bedd6 | DllCommonsvc.exe
File created | C:\Windows\CSC\dwm.exe | DllCommonsvc.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_94ac4eef7e483f211c0a03b6c93d3da6ea7081ebb8551d9fb1da4aeee4dcb2bc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Modifies registry class (16 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings | fontdrvhost.exe
Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings | fontdrvhost.exe
Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings | fontdrvhost.exe
Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings | fontdrvhost.exe
Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings | fontdrvhost.exe
Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings | fontdrvhost.exe
Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings | DllCommonsvc.exe
Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings | fontdrvhost.exe
Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings | fontdrvhost.exe
Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings | fontdrvhost.exe
Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings | fontdrvhost.exe
Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings | fontdrvhost.exe
Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings | fontdrvhost.exe
Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings | fontdrvhost.exe
Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings | JaffaCakes118_94ac4eef7e483f211c0a03b6c93d3da6ea7081ebb8551d9fb1da4aeee4dcb2bc.exe
Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings | fontdrvhost.exe
Scheduled Task/Job: Scheduled Task (1 TTPs, 42 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
1404 | schtasks.exe
1116 | schtasks.exe
2892 | schtasks.exe
3320 | schtasks.exe
3388 | schtasks.exe
828 | schtasks.exe
1792 | schtasks.exe
1452 | schtasks.exe
4604 | schtasks.exe
1100 | schtasks.exe
4628 | schtasks.exe
1632 | schtasks.exe
1724 | schtasks.exe
672 | schtasks.exe
1956 | schtasks.exe
2668 | schtasks.exe
808 | schtasks.exe
3012 | schtasks.exe
3996 | schtasks.exe
1696 | schtasks.exe
3224 | schtasks.exe
5036 | schtasks.exe
2440 | schtasks.exe
1500 | schtasks.exe
2388 | schtasks.exe
1160 | schtasks.exe
4116 | schtasks.exe
2240 | schtasks.exe
1972 | schtasks.exe
3836 | schtasks.exe
372 | schtasks.exe
5068 | schtasks.exe
4596 | schtasks.exe
2548 | schtasks.exe
2348 | schtasks.exe
996 | schtasks.exe
3312 | schtasks.exe
4528 | schtasks.exe
3536 | schtasks.exe
4920 | schtasks.exe
2744 | schtasks.exe
692 | schtasks.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
3392 | DllCommonsvc.exe
3392 | DllCommonsvc.exe
3392 | DllCommonsvc.exe
612 | powershell.exe
612 | powershell.exe
4592 | powershell.exe
4592 | powershell.exe
3148 | powershell.exe
3148 | powershell.exe
3328 | powershell.exe
3328 | powershell.exe
432 | powershell.exe
432 | powershell.exe
4752 | powershell.exe
3284 | powershell.exe
4752 | powershell.exe
3284 | powershell.exe
4500 | powershell.exe
4500 | powershell.exe
612 | powershell.exe
4952 | powershell.exe
4952 | powershell.exe
1744 | powershell.exe
1744 | powershell.exe
4128 | powershell.exe
4128 | powershell.exe
2180 | powershell.exe
2180 | powershell.exe
1780 | powershell.exe
1780 | powershell.exe
2220 | powershell.exe
2220 | powershell.exe
2220 | powershell.exe
1020 | powershell.exe
1020 | powershell.exe
4592 | powershell.exe
4592 | powershell.exe
3148 | powershell.exe
3328 | powershell.exe
432 | powershell.exe
4500 | powershell.exe
2180 | powershell.exe
3284 | powershell.exe
4952 | powershell.exe
1780 | powershell.exe
1744 | powershell.exe
4752 | powershell.exe
4128 | powershell.exe
1020 | powershell.exe
2924 | fontdrvhost.exe
3428 | fontdrvhost.exe
1920 | fontdrvhost.exe
628 | fontdrvhost.exe
4656 | fontdrvhost.exe
1100 | fontdrvhost.exe
2472 | fontdrvhost.exe
1768 | fontdrvhost.exe
4768 | fontdrvhost.exe
4828 | fontdrvhost.exe
728 | fontdrvhost.exe
2168 | fontdrvhost.exe
2724 | fontdrvhost.exe
3744 | fontdrvhost.exe
3492 | fontdrvhost.exe
Suspicious use of AdjustPrivilegeToken (31 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 3392 | DllCommonsvc.exe
Token: SeDebugPrivilege | 612 | powershell.exe
Token: SeDebugPrivilege | 4592 | powershell.exe
Token: SeDebugPrivilege | 3148 | powershell.exe
Token: SeDebugPrivilege | 3328 | powershell.exe
Token: SeDebugPrivilege | 432 | powershell.exe
Token: SeDebugPrivilege | 2220 | powershell.exe
Token: SeDebugPrivilege | 3284 | powershell.exe
Token: SeDebugPrivilege | 4500 | powershell.exe
Token: SeDebugPrivilege | 4752 | powershell.exe
Token: SeDebugPrivilege | 4952 | powershell.exe
Token: SeDebugPrivilege | 2180 | powershell.exe
Token: SeDebugPrivilege | 1744 | powershell.exe
Token: SeDebugPrivilege | 4128 | powershell.exe
Token: SeDebugPrivilege | 1780 | powershell.exe
Token: SeDebugPrivilege | 1020 | powershell.exe
Token: SeDebugPrivilege | 2924 | fontdrvhost.exe
Token: SeDebugPrivilege | 3428 | fontdrvhost.exe
Token: SeDebugPrivilege | 1920 | fontdrvhost.exe
Token: SeDebugPrivilege | 628 | fontdrvhost.exe
Token: SeDebugPrivilege | 4656 | fontdrvhost.exe
Token: SeDebugPrivilege | 1100 | fontdrvhost.exe
Token: SeDebugPrivilege | 2472 | fontdrvhost.exe
Token: SeDebugPrivilege | 1768 | fontdrvhost.exe
Token: SeDebugPrivilege | 4768 | fontdrvhost.exe
Token: SeDebugPrivilege | 4828 | fontdrvhost.exe
Token: SeDebugPrivilege | 728 | fontdrvhost.exe
Token: SeDebugPrivilege | 2168 | fontdrvhost.exe
Token: SeDebugPrivilege | 2724 | fontdrvhost.exe
Token: SeDebugPrivilege | 3744 | fontdrvhost.exe
Token: SeDebugPrivilege | 3492 | fontdrvhost.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 3184 wrote to memory of 2788 | 3184 | JaffaCakes118_94ac4eef7e483f211c0a03b6c93d3da6ea7081ebb8551d9fb1da4aeee4dcb2bc.exe | 83
PID 3184 wrote to memory of 2788 | 3184 | JaffaCakes118_94ac4eef7e483f211c0a03b6c93d3da6ea7081ebb8551d9fb1da4aeee4dcb2bc.exe | 83
PID 3184 wrote to memory of 2788 | 3184 | JaffaCakes118_94ac4eef7e483f211c0a03b6c93d3da6ea7081ebb8551d9fb1da4aeee4dcb2bc.exe | 83
PID 2788 wrote to memory of 4448 | 2788 | WScript.exe | 87
PID 2788 wrote to memory of 4448 | 2788 | WScript.exe | 87
PID 2788 wrote to memory of 4448 | 2788 | WScript.exe | 87
PID 4448 wrote to memory of 3392 | 4448 | cmd.exe | 89
PID 4448 wrote to memory of 3392 | 4448 | cmd.exe | 89
PID 3392 wrote to memory of 1020 | 3392 | DllCommonsvc.exe | 135
PID 3392 wrote to memory of 1020 | 3392 | DllCommonsvc.exe | 135
PID 3392 wrote to memory of 2180 | 3392 | DllCommonsvc.exe | 136
PID 3392 wrote to memory of 2180 | 3392 | DllCommonsvc.exe | 136
PID 3392 wrote to memory of 2220 | 3392 | DllCommonsvc.exe | 137
PID 3392 wrote to memory of 2220 | 3392 | DllCommonsvc.exe | 137
PID 3392 wrote to memory of 4128 | 3392 | DllCommonsvc.exe | 138
PID 3392 wrote to memory of 4128 | 3392 | DllCommonsvc.exe | 138
PID 3392 wrote to memory of 4752 | 3392 | DllCommonsvc.exe | 139
PID 3392 wrote to memory of 4752 | 3392 | DllCommonsvc.exe | 139
PID 3392 wrote to memory of 1780 | 3392 | DllCommonsvc.exe | 140
PID 3392 wrote to memory of 1780 | 3392 | DllCommonsvc.exe | 140
PID 3392 wrote to memory of 4500 | 3392 | DllCommonsvc.exe | 141
PID 3392 wrote to memory of 4500 | 3392 | DllCommonsvc.exe | 141
PID 3392 wrote to memory of 3148 | 3392 | DllCommonsvc.exe | 142
PID 3392 wrote to memory of 3148 | 3392 | DllCommonsvc.exe | 142
PID 3392 wrote to memory of 3328 | 3392 | DllCommonsvc.exe | 143
PID 3392 wrote to memory of 3328 | 3392 | DllCommonsvc.exe | 143
PID 3392 wrote to memory of 4952 | 3392 | DllCommonsvc.exe | 144
PID 3392 wrote to memory of 4952 | 3392 | DllCommonsvc.exe | 144
PID 3392 wrote to memory of 4592 | 3392 | DllCommonsvc.exe | 145
PID 3392 wrote to memory of 4592 | 3392 | DllCommonsvc.exe | 145
PID 3392 wrote to memory of 432 | 3392 | DllCommonsvc.exe | 146
PID 3392 wrote to memory of 432 | 3392 | DllCommonsvc.exe | 146
PID 3392 wrote to memory of 612 | 3392 | DllCommonsvc.exe | 147
PID 3392 wrote to memory of 612 | 3392 | DllCommonsvc.exe | 147
PID 3392 wrote to memory of 1744 | 3392 | DllCommonsvc.exe | 148
PID 3392 wrote to memory of 1744 | 3392 | DllCommonsvc.exe | 148
PID 3392 wrote to memory of 3284 | 3392 | DllCommonsvc.exe | 149
PID 3392 wrote to memory of 3284 | 3392 | DllCommonsvc.exe | 149
PID 3392 wrote to memory of 4828 | 3392 | DllCommonsvc.exe | 164
PID 3392 wrote to memory of 4828 | 3392 | DllCommonsvc.exe | 164
PID 4828 wrote to memory of 3732 | 4828 | cmd.exe | 167
PID 4828 wrote to memory of 3732 | 4828 | cmd.exe | 167
PID 4828 wrote to memory of 2924 | 4828 | cmd.exe | 174
PID 4828 wrote to memory of 2924 | 4828 | cmd.exe | 174
PID 2924 wrote to memory of 2456 | 2924 | fontdrvhost.exe | 177
PID 2924 wrote to memory of 2456 | 2924 | fontdrvhost.exe | 177
PID 2456 wrote to memory of 2384 | 2456 | cmd.exe | 179
PID 2456 wrote to memory of 2384 | 2456 | cmd.exe | 179
PID 2456 wrote to memory of 3428 | 2456 | cmd.exe | 181
PID 2456 wrote to memory of 3428 | 2456 | cmd.exe | 181
PID 3428 wrote to memory of 1660 | 3428 | fontdrvhost.exe | 183
PID 3428 wrote to memory of 1660 | 3428 | fontdrvhost.exe | 183
PID 1660 wrote to memory of 1884 | 1660 | cmd.exe | 185
PID 1660 wrote to memory of 1884 | 1660 | cmd.exe | 185
PID 1660 wrote to memory of 1920 | 1660 | cmd.exe | 187
PID 1660 wrote to memory of 1920 | 1660 | cmd.exe | 187
PID 1920 wrote to memory of 3500 | 1920 | fontdrvhost.exe | 191
PID 1920 wrote to memory of 3500 | 1920 | fontdrvhost.exe | 191
PID 3500 wrote to memory of 588 | 3500 | cmd.exe | 193
PID 3500 wrote to memory of 588 | 3500 | cmd.exe | 193
PID 3500 wrote to memory of 628 | 3500 | cmd.exe | 196
PID 3500 wrote to memory of 628 | 3500 | cmd.exe | 196
PID 628 wrote to memory of 2876 | 628 | fontdrvhost.exe | 198
PID 628 wrote to memory of 2876 | 628 | fontdrvhost.exe | 198
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_94ac4eef7e483f211c0a03b6c93d3da6ea7081ebb8551d9fb1da4aeee4dcb2bc.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_94ac4eef7e483f211c0a03b6c93d3da6ea7081ebb8551d9fb1da4aeee4dcb2bc.exe"
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 3184
Level 2: C:\Windows\SysWOW64\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 2788
Level 3: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 4448
Level 4: C:\providercommon\DllCommonsvc.exe
Command line: "C:\providercommon\DllCommonsvc.exe"
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 3392
Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1020
Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\services.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2180
Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\fr-FR\sihost.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2220
Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\spoolsv.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 4128
Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PrintDialog\conhost.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 4752
Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Multimedia Platform\services.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1780
Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\7-Zip\Lang\wininit.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 4500
Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\dotnet\swidtag\conhost.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 3148
Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\taskhostw.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 3328
Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\conhost.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 4952
Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Oracle\Java\.oracle_jre_usage\OfficeClickToRun.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 4592
Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\WaaSMedicAgent.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 432
Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\lsass.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 612
Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\fontdrvhost.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1744
Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\RuntimeBroker.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 3284
Level 5: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\s5QnZE7U5I.bat"
- Suspicious use of WriteProcessMemory
PID: 4828
Level 6: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 3732
Level 6: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\fontdrvhost.exe
Command line: "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\fontdrvhost.exe"
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 2924
Level 7: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NiQtqM3qVs.bat"
- Suspicious use of WriteProcessMemory
PID: 2456
Level 8: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 2384
Level 8: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\fontdrvhost.exe
Command line: "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\fontdrvhost.exe"
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 3428
Level 9: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0rnbwo7iYS.bat"
- Suspicious use of WriteProcessMemory
PID: 1660
Level 10: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 1884
Level 10: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\fontdrvhost.exe
Command line: "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\fontdrvhost.exe"
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 1920
Level 11: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HfroAScfQF.bat"
- Suspicious use of WriteProcessMemory
PID: 3500
Level 12: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 588
Level 12: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\fontdrvhost.exe
Command line: "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\fontdrvhost.exe"
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 628
Level 13: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OTxxDhnLNa.bat"
PID: 2876
Level 14: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 2604
Level 14: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\fontdrvhost.exe
Command line: "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\fontdrvhost.exe"
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 4656
Level 15: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nGcIoKmMem.bat"
PID: 4404
Level 16: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 1892
Level 16: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\fontdrvhost.exe
Command line: "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\fontdrvhost.exe"
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1100
Level 17: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0rnbwo7iYS.bat"
PID: 2676
Level 18: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 2456
Level 18: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\fontdrvhost.exe
Command line: "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\fontdrvhost.exe"
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2472
Level 19: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4yKdveU0JJ.bat"
PID: 1660
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:220⤵PID:3752
-
-
C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\fontdrvhost.exe"C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\fontdrvhost.exe"20⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1768 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\o09MCfWrWU.bat"21⤵PID:2696
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:222⤵PID:4356
-
-
C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\fontdrvhost.exe"C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\fontdrvhost.exe"22⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4768 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\j95GpUP4tv.bat"23⤵PID:4944
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:224⤵PID:1876
-
-
C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\fontdrvhost.exe"C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\fontdrvhost.exe"24⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4828 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pCeLVPpGxY.bat"25⤵PID:4588
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:226⤵PID:1452
-
-
C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\fontdrvhost.exe"C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\fontdrvhost.exe"26⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:728 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FjqlTNZm6T.bat"27⤵PID:4956
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:228⤵PID:312
-
-
C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\fontdrvhost.exe"C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\fontdrvhost.exe"28⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2168 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hD3D8PLBZ9.bat"29⤵PID:3776
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:230⤵PID:4208
-
-
C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\fontdrvhost.exe"C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\fontdrvhost.exe"30⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2724 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4yKdveU0JJ.bat"31⤵PID:4756
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:232⤵PID:2320
-
-
C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\fontdrvhost.exe"C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\fontdrvhost.exe"32⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3744 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MXvuXcjR4o.bat"33⤵PID:1516
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:234⤵PID:1972
-
-
C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\fontdrvhost.exe"C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\fontdrvhost.exe"34⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3492
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Portable Devices\services.exe'" /f  [depth 1] ⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3224
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\services.exe'" /rl HIGHEST /f  [depth 1] ⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3320
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Portable Devices\services.exe'" /rl HIGHEST /f  [depth 1] ⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3388
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 8 /tr "'C:\Windows\fr-FR\sihost.exe'" /f  [depth 1] ⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2548
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Windows\fr-FR\sihost.exe'" /rl HIGHEST /f  [depth 1] ⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2668
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\Windows\fr-FR\sihost.exe'" /rl HIGHEST /f  [depth 1] ⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:808
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /f  [depth 1] ⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4628
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f  [depth 1] ⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4528
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f  [depth 1] ⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3536
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Windows\PrintDialog\conhost.exe'" /f  [depth 1] ⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5036
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\PrintDialog\conhost.exe'" /rl HIGHEST /f  [depth 1] ⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4920
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Windows\PrintDialog\conhost.exe'" /rl HIGHEST /f  [depth 1] ⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1632
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Multimedia Platform\services.exe'" /f  [depth 1] ⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2744
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\services.exe'" /rl HIGHEST /f  [depth 1] ⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3012
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Multimedia Platform\services.exe'" /rl HIGHEST /f  [depth 1] ⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3836
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Program Files\7-Zip\Lang\wininit.exe'" /f  [depth 1] ⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:828
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\wininit.exe'" /rl HIGHEST /f  [depth 1] ⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2440
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Program Files\7-Zip\Lang\wininit.exe'" /rl HIGHEST /f  [depth 1] ⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2348
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Program Files\dotnet\swidtag\conhost.exe'" /f  [depth 1] ⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:692
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\dotnet\swidtag\conhost.exe'" /rl HIGHEST /f  [depth 1] ⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1792
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Program Files\dotnet\swidtag\conhost.exe'" /rl HIGHEST /f  [depth 1] ⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1724
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 6 /tr "'C:\providercommon\taskhostw.exe'" /f  [depth 1] ⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1500
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\providercommon\taskhostw.exe'" /rl HIGHEST /f  [depth 1] ⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:672
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 8 /tr "'C:\providercommon\taskhostw.exe'" /rl HIGHEST /f  [depth 1] ⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:996
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /f  [depth 1] ⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2388
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f  [depth 1] ⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1452
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f  [depth 1] ⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:372
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Oracle\Java\.oracle_jre_usage\OfficeClickToRun.exe'" /f  [depth 1] ⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5068
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Users\All Users\Oracle\Java\.oracle_jre_usage\OfficeClickToRun.exe'" /rl HIGHEST /f  [depth 1] ⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4596
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Oracle\Java\.oracle_jre_usage\OfficeClickToRun.exe'" /rl HIGHEST /f  [depth 1] ⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3312
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 11 /tr "'C:\Users\Public\WaaSMedicAgent.exe'" /f  [depth 1] ⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3996
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "WaaSMedicAgent" /sc ONLOGON /tr "'C:\Users\Public\WaaSMedicAgent.exe'" /rl HIGHEST /f  [depth 1] ⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1956
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 7 /tr "'C:\Users\Public\WaaSMedicAgent.exe'" /rl HIGHEST /f  [depth 1] ⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1160
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /f  [depth 1] ⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1404
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f  [depth 1] ⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1116
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f  [depth 1] ⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4116
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\fontdrvhost.exe'" /f  [depth 1] ⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2240
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\fontdrvhost.exe'" /rl HIGHEST /f  [depth 1] ⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1696
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\fontdrvhost.exe'" /rl HIGHEST /f  [depth 1] ⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2892
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\providercommon\RuntimeBroker.exe'" /f  [depth 1] ⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1972
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\providercommon\RuntimeBroker.exe'" /rl HIGHEST /f  [depth 1] ⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4604
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\providercommon\RuntimeBroker.exe'" /rl HIGHEST /f  [depth 1] ⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1100
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
1KB
MD5
baf55b95da4a601229647f25dad12878
SHA1
abc16954ebfd213733c4493fc1910164d825cac8
SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924
SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545
-
Filesize
2KB
MD5
d85ba6ff808d9e5444a4b369f5bc2730
SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
944B
MD5
59d97011e091004eaffb9816aa0b9abd
SHA1
1602a56b01dd4b7c577ca27d3117e4bcc1aa657b
SHA256
18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d
SHA512
d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6
-
Filesize
944B
MD5
62623d22bd9e037191765d5083ce16a3
SHA1
4a07da6872672f715a4780513d95ed8ddeefd259
SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010
SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992
-
Filesize
944B
MD5
cadef9abd087803c630df65264a6c81c
SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2
SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438
SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085
-
Filesize
944B
MD5
3a6bad9528f8e23fb5c77fbd81fa28e8
SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36
SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05
SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2
-
Filesize
944B
MD5
77d622bb1a5b250869a3238b9bc1402b
SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b
SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb
SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9
-
Filesize
944B
MD5
bd5940f08d0be56e65e5f2aaf47c538e
SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443
SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6
SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406
-
Filesize
246B
MD5
5b873764d3df1e6d258c3595418843a6
SHA1
0d85a1438935d38f2a9c2eb642a3f5d9abfd199b
SHA256
bf2f8e2d77c960f25bb833baba27a029615c4c9ee99a93b113f2cdc64374a0fd
SHA512
171ec596e1863bcb0f809f80f6c4cb30d8bc764174ecc8e6dd613fd74498c7eb74743f279e6d820c85ac7ae8a8473d460f1be4e644b5e01cabe795635de6f8cd
-
Filesize
246B
MD5
83a9fec4ae688c8ec45d7cc417e538e7
SHA1
5be5e61b99c39133058f2d398ac87dfaa4191236
SHA256
6e1a15467166c807afbe7606e25b394f8012f33c49e983212dda5718557237c2
SHA512
53b06aa478b16647c2af6bdd894e88c4890df4296ac794f6322651f9f7e0617929a89136e3595bf1b03e583d2cb3358fa4c192666df134e33e17e91114ef0194
-
Filesize
246B
MD5
9651242318483b17e1b22cc1b756c4c5
SHA1
5610e91591f72621d70bbaa31e187b3925acb969
SHA256
d2abd2a2ff02bb3b369a8f0a8339c4f204f68a17bd953667b0fe3af487829957
SHA512
cb7df23588a0489dce69e09dfbeef8668c1d0afe802135943a1f8fb58535a07819993fd7dfc4abb9d46d289d751671ae5f7b8ae25e33e08db9e81dafcd21deb9
-
Filesize
246B
MD5
5d9cae7614decd3dfc10a793d547d74d
SHA1
5be59af5ccd3b236b9c0bae3fca47d3e80156733
SHA256
4af87b03b3ce6141bcb9568bd7bc5e7a64314fab70cc3d10f762147381d31284
SHA512
8d08d22842a8b4e0a660b8946b801143e64c66047921d525bb0134c06e6bd7cd15f3679d5fc9c75705cbcc791d699c70222f3c3bfd02a4fe58e1afe5295aa52c
-
Filesize
246B
MD5
7f1ecac339ac9a5603549c80a908ad71
SHA1
08d109d859e39ca8dd35e0dea00fdb970b73b991
SHA256
354fd88670bb4f8cd90855ffc93cb232a6ddcbc534649c21688b0a2fb563a97f
SHA512
c4341f17995f0c5646fa9fb4f00c53f67ee17b5685de6c42bdd8cc645b04324a243b4aabb7448ae1e8aba76a234efd098dc52f6ca29478bd5710ae766eada78d
-
Filesize
246B
MD5
b007a7122bc695a7eaea2abfb7675977
SHA1
b37b8aac5232f1d9217f1a6aef37616ca02395d0
SHA256
65fab1baa6d0b783719fb29de8eb5964a4036cd1d65dcb956af7e28ecc840ada
SHA512
ba0ba7f0f8520aa0cc924594ab77ee9158138e1fa74188cd298dcf379fe81820c2d54d2802531f37ff8fa03d2a0c3650e9652d8e69df840d4601aff5df2b837b
-
Filesize
246B
MD5
6c60d935559b2ed5fc27e1d199be4f1c
SHA1
2a4a5aac3eb08f45f1d333d1783a629f2bf24b53
SHA256
aeb5236b500f933da104e240f1d9af026ed7623afbd83b98f4c1d5f2f05f1755
SHA512
b6ee0b9ee53782dfe9148cda536b54b5f6cd8498a92d63adbd587d40845cd3c153c05ce4491810b9d75f091825303fe028592e886dafa73c288432883c624095
-
Filesize
60B
MD5
d17fe0a3f47be24a6453e9ef58c94641
SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
246B
MD5
0c752f29918d7c5a8531cc0ebe0421c4
SHA1
8fefa3ffb31b7b42a55c72755ef4b20835f6cd01
SHA256
f1170a0c6511fd0ab3e3bcd2ffc08ce17138c450e0e85493b7b72aed3f538e7f
SHA512
e161e79dcf63b807248e83bc1993654015da784071abf1ce85cf88cf9951ab0b4012f8297c3e6e0b7f3c8846ff7fd7b8a619c1fbb3e6711ace735879a3cc0e54
-
Filesize
246B
MD5
8ad66d4306ba293aedc46ebda5bf0cd1
SHA1
5d6a78658a1057c4e70f273161848d4009bb502a
SHA256
4e2cfd8bce446c0cb8e6b3b52e311b9b296f585909df7d5f99fa2586667d10e1
SHA512
ab22519b6e133a2edbdac17b7517a9318ff386633791410fadd94c9ea73fd3ec38baefba8209c0301fe414c769c9bc7d2057976c8b4c1f168c3c3377f5cda829
-
Filesize
246B
MD5
c5170d8dd2e0fa02ddd0fd0ef762a071
SHA1
b53fc466fd6841e39f82b20761e44470d0741607
SHA256
870b0ea228499af8a6d1c1fdd5fc5f0e19e6d526ad6dfbeec1ea1a4b3752cd66
SHA512
d1f602e75a60ce6a958d90a7b3e085124ac8a68c409045f81090ea79ed88b89aa107b8eff44550627cf725d3809777e27485e05e11a515bcfe89b777beafa02e
-
Filesize
246B
MD5
46d34f82601c89b36d76e38102183c00
SHA1
4c454074e4e9638cef148e5bb187a2d6af394f85
SHA256
b05d474650ba16e3527989bacfb719eec788907ada9760d977dbf757efd78dc5
SHA512
b8802ae5d0fb203ea33616f6bb281d504030ff2d0320b868e65dbc7ec9f7176e946709ea0ab6f7a3e28f5c346ed066e9e6980c6e1ceb69f3ae22f2289f7b1868
-
Filesize
246B
MD5
2a1e38d95c6de7c621822a21df6ff200
SHA1
846b6cbc5151ea910fdda0e48705b6ab251ed39d
SHA256
ea50e3ea8a029326288a313ac9b74fd0c036bf1d12240f6272578489635a0c5c
SHA512
69e0ff22b53254e9ce4d65d1abc58699e0035f2a079bd7056b67b7637414ff99fd1300e08088ff9797e656a5621f33e59c088f011ab2e8499b9be2319ff4bf35
-
Filesize
246B
MD5
b4e5c03248848e0c13321328982b1af5
SHA1
4c96b3f8f333f5434b21351396cc64f41979b72a
SHA256
5da956e72b65e1c0242b4083c1dfc1e8ee36457a2879f65e0561aa93065969ab
SHA512
b0070900d435f41f2ab6942193f09156cc53e6648843930cc265ac3979c54f0f42afdd06c3e679b8a037680898e0800ab12ebb3ee204fcc8e738f78da49edd95
-
Filesize
36B
MD5
6783c3ee07c7d151ceac57f1f9c8bed7
SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03
SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8
-
Filesize
1.0MB
MD5
bd31e94b4143c4ce49c17d3af46bcad0
SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
Filesize
197B
MD5
8088241160261560a02c84025d107592
SHA1
083121f7027557570994c9fc211df61730455bb5
SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478