Analysis
max time kernel: 149s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30/12/2024, 01:53
Behavioral task: behavioral1
Sample: JaffaCakes118_dc17c38c81189de2805b13e1a41d0b8470e46e238677e78df8e1159602129bcc.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: JaffaCakes118_dc17c38c81189de2805b13e1a41d0b8470e46e238677e78df8e1159602129bcc.exe
Resource: win10v2004-20241007-en
General
Target: JaffaCakes118_dc17c38c81189de2805b13e1a41d0b8470e46e238677e78df8e1159602129bcc.exe
Size: 1.3MB
MD5: e67ebb81ae669b773824e66ceae84b8c
SHA1: 9c91ca4729083c674e9d439977ee3647c9333b14
SHA256: dc17c38c81189de2805b13e1a41d0b8470e46e238677e78df8e1159602129bcc
SHA512: 588abb3d4f228994af827a20038b5a98ebfed45abb38069e2e514ef61a1e7ed4045515da7212df721ffe3d7d1dcb6a66f630be9c8b3b1ddcacda4d331219f8c0
SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
DcRat
DarkCrystal (DC) is a new .NET RAT active since June 2019, capable of loading additional plugins.
Dcrat family
Process spawned unexpected child process (42 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
resource | yara_rule
behavioral2/files/0x000a000000023b67-10.dat | dcrat
behavioral2/memory/5100-13-0x0000000000CB0000-0x0000000000DC0000-memory.dmp | dcrat
Command and Scripting Interpreter: PowerShell (1 TTP, 15 IoCs)
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
Checks computer location settings (2 TTPs, 14 IoCs)
Looks up the country code configured in the registry, likely for geofencing.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | fontdrvhost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | DllCommonsvc.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | fontdrvhost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | fontdrvhost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | fontdrvhost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | fontdrvhost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | fontdrvhost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | fontdrvhost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | fontdrvhost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | JaffaCakes118_dc17c38c81189de2805b13e1a41d0b8470e46e238677e78df8e1159602129bcc.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | WScript.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | fontdrvhost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | fontdrvhost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | fontdrvhost.exe
Executes dropped EXE (13 IoCs)
Legitimate hosting services abused for malware hosting/C2 (1 TTP, 12 IoCs)
flow | ioc
39 | raw.githubusercontent.com
43 | raw.githubusercontent.com
52 | raw.githubusercontent.com
21 | raw.githubusercontent.com
37 | raw.githubusercontent.com
44 | raw.githubusercontent.com
48 | raw.githubusercontent.com
49 | raw.githubusercontent.com
50 | raw.githubusercontent.com
51 | raw.githubusercontent.com
22 | raw.githubusercontent.com
40 | raw.githubusercontent.com
Drops file in Program Files directory (8 IoCs)
description | ioc | Process
File created | C:\Program Files\Windows NT\TableTextService\en-US\c5b4cb5e9653cc | DllCommonsvc.exe
File created | C:\Program Files\Windows Security\BrowserCore\en-US\wininit.exe | DllCommonsvc.exe
File created | C:\Program Files\Windows Security\BrowserCore\en-US\56085415360792 | DllCommonsvc.exe
File created | C:\Program Files (x86)\Windows Media Player\Network Sharing\smss.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\Windows Media Player\Network Sharing\69ddcba757bf72 | DllCommonsvc.exe
File created | C:\Program Files\Windows Defender\fr-FR\conhost.exe | DllCommonsvc.exe
File created | C:\Program Files\Windows Defender\fr-FR\088424020bedd6 | DllCommonsvc.exe
File created | C:\Program Files\Windows NT\TableTextService\en-US\services.exe | DllCommonsvc.exe
Drops file in Windows directory (7 IoCs)
description | ioc | Process
File created | C:\Windows\Branding\shellbrd\sppsvc.exe | DllCommonsvc.exe
File opened for modification | C:\Windows\Branding\shellbrd\sppsvc.exe | DllCommonsvc.exe
File created | C:\Windows\Branding\shellbrd\0a1fd5f707cd16 | DllCommonsvc.exe
File created | C:\Windows\IdentityCRL\production\dllhost.exe | DllCommonsvc.exe
File created | C:\Windows\IdentityCRL\production\5940a34987c991 | DllCommonsvc.exe
File created | C:\Windows\Microsoft.NET\Framework\v1.0.3705\RuntimeBroker.exe | DllCommonsvc.exe
File created | C:\Windows\Microsoft.NET\Framework\v1.0.3705\9e8d7a4ca61bd9 | DllCommonsvc.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_dc17c38c81189de2805b13e1a41d0b8470e46e238677e78df8e1159602129bcc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Modifies registry class (13 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings | DllCommonsvc.exe
Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings | fontdrvhost.exe
Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings | fontdrvhost.exe
Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings | fontdrvhost.exe
Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings | fontdrvhost.exe
Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings | JaffaCakes118_dc17c38c81189de2805b13e1a41d0b8470e46e238677e78df8e1159602129bcc.exe
Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings | fontdrvhost.exe
Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings | fontdrvhost.exe
Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings | fontdrvhost.exe
Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings | fontdrvhost.exe
Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings | fontdrvhost.exe
Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings | fontdrvhost.exe
Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings | fontdrvhost.exe
Scheduled Task/Job: Scheduled Task (1 TTP, 42 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious use of AdjustPrivilegeToken (28 IoCs)
Suspicious use of WriteProcessMemory (64 IoCs)
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Depth 1: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_dc17c38c81189de2805b13e1a41d0b8470e46e238677e78df8e1159602129bcc.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_dc17c38c81189de2805b13e1a41d0b8470e46e238677e78df8e1159602129bcc.exe"
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2064

Depth 2: C:\Windows\SysWOW64\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 1080

Depth 3: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 1620

Depth 4: C:\providercommon\DllCommonsvc.exe
Command line: "C:\providercommon\DllCommonsvc.exe"
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 5100

Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1812

Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Branding\shellbrd\sppsvc.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2676

Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\IdentityCRL\production\dllhost.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 3284

Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Defender\fr-FR\conhost.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 4748

Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Links\upfc.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 4740

Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\TableTextService\en-US\services.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 3764

Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Security\BrowserCore\en-US\wininit.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 4736

Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Media Player\Network Sharing\smss.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 456

Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v1.0.3705\RuntimeBroker.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 4212

Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\upfc.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2272

Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\conhost.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2536

Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\fontdrvhost.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2364

Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\cmd.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 4356

Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\SppExtComObj.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 4108

Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dwm.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1612

Depth 5: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fVQSdb07E7.bat"
- Suspicious use of WriteProcessMemory
PID: 2936

Depth 6: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 4008

Depth 6: C:\providercommon\fontdrvhost.exe
Command line: "C:\providercommon\fontdrvhost.exe"
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 4468

Depth 7: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IxigaWiN4Z.bat"
- Suspicious use of WriteProcessMemory
PID: 3768

Depth 8: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 4500

Depth 8: C:\providercommon\fontdrvhost.exe
Command line: "C:\providercommon\fontdrvhost.exe"
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 2600

Depth 9: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pI0EcicZAo.bat"
- Suspicious use of WriteProcessMemory
PID: 3372

Depth 10: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 2084

Depth 10: C:\providercommon\fontdrvhost.exe
Command line: "C:\providercommon\fontdrvhost.exe"
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 3660

Depth 11: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LkcfmFI5TJ.bat"
- Suspicious use of WriteProcessMemory
PID: 3712

Depth 12: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 3236

Depth 12: C:\providercommon\fontdrvhost.exe
Command line: "C:\providercommon\fontdrvhost.exe"
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 4568

Depth 13: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vCRFnHZZKP.bat"
PID: 3664

Depth 14: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 3532

Depth 14: C:\providercommon\fontdrvhost.exe
Command line: "C:\providercommon\fontdrvhost.exe"
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 3764

Depth 15: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\x8TIUMdSeB.bat"
PID: 2888

Depth 16: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 3704

Depth 16: C:\providercommon\fontdrvhost.exe
Command line: "C:\providercommon\fontdrvhost.exe"
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID: 3648

Depth 17: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XaHtVPtwVH.bat"
PID: 1420

Depth 18: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 4444

Depth 18: C:\providercommon\fontdrvhost.exe
Command line: "C:\providercommon\fontdrvhost.exe"
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID: 4672

Depth 19: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SXiopUTlQe.bat"
PID: 4956

Depth 20: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 4240

Depth 20: C:\providercommon\fontdrvhost.exe
Command line: "C:\providercommon\fontdrvhost.exe"
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID: 2636

Depth 21: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RnBkS9jGYw.bat"
PID: 3584

Depth 22: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 3004

Depth 22: C:\providercommon\fontdrvhost.exe
Command line: "C:\providercommon\fontdrvhost.exe"
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID: 4612

Depth 23: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fZs2sOO0th.bat"
PID: 2912

Depth 24: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 3696

Depth 24: C:\providercommon\fontdrvhost.exe
Command line: "C:\providercommon\fontdrvhost.exe"
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID: 1288

Depth 25: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UTkrWZWekQ.bat"
PID: 4568

Depth 26: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 2860

Depth 26: C:\providercommon\fontdrvhost.exe
Command line: "C:\providercommon\fontdrvhost.exe"
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID: 4484

Depth 27: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LkcfmFI5TJ.bat"
PID: 2320

C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:228⤵PID:5088
-
-
C:\providercommon\fontdrvhost.exe"C:\providercommon\fontdrvhost.exe"28⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3448
C:\Windows\system32\schtasks.exe  (level 1)
  schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Windows\Branding\shellbrd\sppsvc.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 220

C:\Windows\system32\schtasks.exe  (level 1)
  schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\Branding\shellbrd\sppsvc.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 776

C:\Windows\system32\schtasks.exe  (level 1)
  schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Windows\Branding\shellbrd\sppsvc.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 760

C:\Windows\system32\schtasks.exe  (level 1)
  schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Windows\IdentityCRL\production\dllhost.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1728

C:\Windows\system32\schtasks.exe  (level 1)
  schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\IdentityCRL\production\dllhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 3372

C:\Windows\system32\schtasks.exe  (level 1)
  schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Windows\IdentityCRL\production\dllhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 5072

C:\Windows\system32\schtasks.exe  (level 1)
  schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Defender\fr-FR\conhost.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2552

C:\Windows\system32\schtasks.exe  (level 1)
  schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\fr-FR\conhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 4204

C:\Windows\system32\schtasks.exe  (level 1)
  schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Defender\fr-FR\conhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1476

C:\Windows\system32\schtasks.exe  (level 1)
  schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Links\upfc.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 4744

C:\Windows\system32\schtasks.exe  (level 1)
  schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Users\Default\Links\upfc.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1756

C:\Windows\system32\schtasks.exe  (level 1)
  schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Links\upfc.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1964

C:\Windows\system32\schtasks.exe  (level 1)
  schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows NT\TableTextService\en-US\services.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 4120

C:\Windows\system32\schtasks.exe  (level 1)
  schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Windows NT\TableTextService\en-US\services.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2124

C:\Windows\system32\schtasks.exe  (level 1)
  schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows NT\TableTextService\en-US\services.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1792

C:\Windows\system32\schtasks.exe  (level 1)
  schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\wininit.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1632

C:\Windows\system32\schtasks.exe  (level 1)
  schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\wininit.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 4516

C:\Windows\system32\schtasks.exe  (level 1)
  schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\wininit.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 4380

C:\Windows\system32\schtasks.exe  (level 1)
  schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Media Player\Network Sharing\smss.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2556

C:\Windows\system32\schtasks.exe  (level 1)
  schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\Network Sharing\smss.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2600

C:\Windows\system32\schtasks.exe  (level 1)
  schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Media Player\Network Sharing\smss.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2196

C:\Windows\system32\schtasks.exe  (level 1)
  schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Windows\Microsoft.NET\Framework\v1.0.3705\RuntimeBroker.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1976

C:\Windows\system32\schtasks.exe  (level 1)
  schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\Microsoft.NET\Framework\v1.0.3705\RuntimeBroker.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2340

C:\Windows\system32\schtasks.exe  (level 1)
  schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Windows\Microsoft.NET\Framework\v1.0.3705\RuntimeBroker.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2604

C:\Windows\system32\schtasks.exe  (level 1)
  schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 5 /tr "'C:\providercommon\upfc.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2320

C:\Windows\system32\schtasks.exe  (level 1)
  schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\providercommon\upfc.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 3360

C:\Windows\system32\schtasks.exe  (level 1)
  schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 10 /tr "'C:\providercommon\upfc.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 952

C:\Windows\system32\schtasks.exe  (level 1)
  schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\conhost.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 3016

C:\Windows\system32\schtasks.exe  (level 1)
  schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Default User\conhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 4172

C:\Windows\system32\schtasks.exe  (level 1)
  schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\conhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2324

C:\Windows\system32\schtasks.exe  (level 1)
  schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\providercommon\fontdrvhost.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2964

C:\Windows\system32\schtasks.exe  (level 1)
  schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\providercommon\fontdrvhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 4620

C:\Windows\system32\schtasks.exe  (level 1)
  schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\providercommon\fontdrvhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 4008

C:\Windows\system32\schtasks.exe  (level 1)
  schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\cmd.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 3432

C:\Windows\system32\schtasks.exe  (level 1)
  schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\Admin\cmd.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2876

C:\Windows\system32\schtasks.exe  (level 1)
  schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\cmd.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1816

C:\Windows\system32\schtasks.exe  (level 1)
  schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2788

C:\Windows\system32\schtasks.exe  (level 1)
  schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2176

C:\Windows\system32\schtasks.exe  (level 1)
  schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1264

C:\Windows\system32\schtasks.exe  (level 1)
  schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\providercommon\dwm.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 764

C:\Windows\system32\schtasks.exe  (level 1)
  schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 5044

C:\Windows\system32\schtasks.exe  (level 1)
  schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 932
Network
MITRE ATT&CK Enterprise v15
Downloads