Analysis
-
max time kernel
148s -
max time network
144s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
30/12/2024, 01:56
Behavioral task
behavioral1
Sample
JaffaCakes118_70f0572bd6526b046b8be82c0669d14b53600f0b2fe0cf3085972106ad1c6a4f.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
JaffaCakes118_70f0572bd6526b046b8be82c0669d14b53600f0b2fe0cf3085972106ad1c6a4f.exe
Resource
win10v2004-20241007-en
General
-
Target
JaffaCakes118_70f0572bd6526b046b8be82c0669d14b53600f0b2fe0cf3085972106ad1c6a4f.exe
-
Size
1.3MB
-
MD5
b9f158cdb090e31654547f8c954c96ff
-
SHA1
dccaf2a828ce17f06ad7b06f00bc8dcf6eb4e07f
-
SHA256
70f0572bd6526b046b8be82c0669d14b53600f0b2fe0cf3085972106ad1c6a4f
-
SHA512
5e351b13e61ea84466f78d7d0ed5a8b0133dcada471c84c31a294151f5604cf9c323be0b712814107b08f21d042f69f0786439479add1893cfbc1b70f1c6d431
-
SSDEEP
24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 42 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2372 3624 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3928 3624 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3264 3624 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3664 3624 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4960 3624 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2176 3624 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4116 3624 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1860 3624 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4864 3624 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3632 3624 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 208 3624 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1648 3624 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2972 3624 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2532 3624 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3880 3624 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 464 3624 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4572 3624 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3404 3624 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4448 3624 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4624 3624 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4496 3624 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2200 3624 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1780 3624 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5092 3624 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4076 3624 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 592 3624 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2356 3624 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4460 3624 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4364 3624 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4536 3624 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2756 3624 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3420 3624 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3596 3624 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2152 3624 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4160 3624 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5004 3624 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1452 3624 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3736 3624 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2196 3624 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 816 3624 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 552 3624 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5064 3624 schtasks.exe 88 -
resource yara_rule behavioral2/files/0x0008000000023bee-10.dat dcrat behavioral2/memory/32-13-0x0000000000BD0000-0x0000000000CE0000-memory.dmp dcrat -
Command and Scripting Interpreter: PowerShell 1 TTPs 15 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 1376 powershell.exe 884 powershell.exe 1084 powershell.exe 5096 powershell.exe 2388 powershell.exe 4144 powershell.exe 1564 powershell.exe 2108 powershell.exe 3364 powershell.exe 3384 powershell.exe 4564 powershell.exe 3936 powershell.exe 4284 powershell.exe 2760 powershell.exe 3188 powershell.exe -
Checks computer location settings 2 TTPs 16 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation upfc.exe Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation upfc.exe Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation upfc.exe Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation upfc.exe Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation JaffaCakes118_70f0572bd6526b046b8be82c0669d14b53600f0b2fe0cf3085972106ad1c6a4f.exe Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation upfc.exe Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation upfc.exe Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation upfc.exe Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation upfc.exe Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation DllCommonsvc.exe Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation upfc.exe Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation upfc.exe Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation upfc.exe Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation upfc.exe Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation upfc.exe -
Executes dropped EXE 15 IoCs
pid Process 32 DllCommonsvc.exe 3580 upfc.exe 2972 upfc.exe 4192 upfc.exe 2024 upfc.exe 4000 upfc.exe 4596 upfc.exe 1452 upfc.exe 540 upfc.exe 964 upfc.exe 1380 upfc.exe 2108 upfc.exe 3216 upfc.exe 2084 upfc.exe 4576 upfc.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 14 IoCs
flow ioc 35 raw.githubusercontent.com 41 raw.githubusercontent.com 49 raw.githubusercontent.com 36 raw.githubusercontent.com 37 raw.githubusercontent.com 40 raw.githubusercontent.com 50 raw.githubusercontent.com 51 raw.githubusercontent.com 52 raw.githubusercontent.com 21 raw.githubusercontent.com 42 raw.githubusercontent.com 13 raw.githubusercontent.com 14 raw.githubusercontent.com 48 raw.githubusercontent.com -
Drops file in Program Files directory 13 IoCs
description ioc Process File created C:\Program Files\Internet Explorer\ja-JP\69ddcba757bf72 DllCommonsvc.exe File created C:\Program Files (x86)\MSBuild\e1ef82546f0b02 DllCommonsvc.exe File created C:\Program Files\Crashpad\attachments\fontdrvhost.exe DllCommonsvc.exe File opened for modification C:\Program Files\Reference Assemblies\StartMenuExperienceHost.exe DllCommonsvc.exe File created C:\Program Files\Reference Assemblies\55b276f4edf653 DllCommonsvc.exe File created C:\Program Files\Windows Security\BrowserCore\en-US\fontdrvhost.exe DllCommonsvc.exe File created C:\Program Files\Windows Security\BrowserCore\en-US\5b884080fd4f94 DllCommonsvc.exe File created C:\Program Files (x86)\MSBuild\SppExtComObj.exe DllCommonsvc.exe File created C:\Program Files\Crashpad\attachments\5b884080fd4f94 DllCommonsvc.exe File created C:\Program Files\Reference Assemblies\StartMenuExperienceHost.exe DllCommonsvc.exe File created C:\Program Files\VideoLAN\VLC\skins\fonts\dllhost.exe DllCommonsvc.exe File created C:\Program Files\VideoLAN\VLC\skins\fonts\5940a34987c991 DllCommonsvc.exe File created C:\Program Files\Internet Explorer\ja-JP\smss.exe DllCommonsvc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_70f0572bd6526b046b8be82c0669d14b53600f0b2fe0cf3085972106ad1c6a4f.exe -
Modifies registry class 14 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings upfc.exe Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings upfc.exe Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings JaffaCakes118_70f0572bd6526b046b8be82c0669d14b53600f0b2fe0cf3085972106ad1c6a4f.exe Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings upfc.exe Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings upfc.exe Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings upfc.exe Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings upfc.exe Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings upfc.exe Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings upfc.exe Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings upfc.exe Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings upfc.exe Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings upfc.exe Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings upfc.exe Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings upfc.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 42 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 4116 schtasks.exe 1860 schtasks.exe 208 schtasks.exe 4160 schtasks.exe 3928 schtasks.exe 2756 schtasks.exe 3632 schtasks.exe 1648 schtasks.exe 4448 schtasks.exe 5092 schtasks.exe 2356 schtasks.exe 3596 schtasks.exe 2152 schtasks.exe 3664 schtasks.exe 4960 schtasks.exe 4864 schtasks.exe 464 schtasks.exe 2200 schtasks.exe 5064 schtasks.exe 1452 schtasks.exe 816 schtasks.exe 2372 schtasks.exe 3404 schtasks.exe 4624 schtasks.exe 592 schtasks.exe 4536 schtasks.exe 2176 schtasks.exe 2196 schtasks.exe 552 schtasks.exe 4460 schtasks.exe 5004 schtasks.exe 3736 schtasks.exe 2972 schtasks.exe 3880 schtasks.exe 4572 schtasks.exe 4496 schtasks.exe 4076 schtasks.exe 3264 schtasks.exe 2532 schtasks.exe 1780 schtasks.exe 4364 schtasks.exe 3420 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 63 IoCs
pid Process 32 DllCommonsvc.exe 32 DllCommonsvc.exe 32 DllCommonsvc.exe 2760 powershell.exe 2760 powershell.exe 2108 powershell.exe 2108 powershell.exe 1084 powershell.exe 1084 powershell.exe 3188 powershell.exe 3188 powershell.exe 5096 powershell.exe 5096 powershell.exe 1564 powershell.exe 1564 powershell.exe 4564 powershell.exe 4564 powershell.exe 2388 powershell.exe 2388 powershell.exe 3364 powershell.exe 3364 powershell.exe 4284 powershell.exe 4284 powershell.exe 884 powershell.exe 884 powershell.exe 4144 powershell.exe 4144 powershell.exe 3384 powershell.exe 3384 powershell.exe 3936 powershell.exe 3936 powershell.exe 1376 powershell.exe 1376 powershell.exe 3580 upfc.exe 3580 upfc.exe 1084 powershell.exe 3188 powershell.exe 2760 powershell.exe 5096 powershell.exe 2108 powershell.exe 3364 powershell.exe 1564 powershell.exe 4564 powershell.exe 3936 powershell.exe 2388 powershell.exe 3384 powershell.exe 4284 powershell.exe 884 powershell.exe 4144 powershell.exe 1376 powershell.exe 2972 upfc.exe 4192 upfc.exe 2024 upfc.exe 4000 upfc.exe 4596 upfc.exe 1452 upfc.exe 540 upfc.exe 964 upfc.exe 1380 upfc.exe 2108 upfc.exe 3216 upfc.exe 2084 upfc.exe 4576 upfc.exe -
Suspicious use of AdjustPrivilegeToken 30 IoCs
description pid Process Token: SeDebugPrivilege 32 DllCommonsvc.exe Token: SeDebugPrivilege 5096 powershell.exe Token: SeDebugPrivilege 2760 powershell.exe Token: SeDebugPrivilege 2108 powershell.exe Token: SeDebugPrivilege 1084 powershell.exe Token: SeDebugPrivilege 3188 powershell.exe Token: SeDebugPrivilege 4564 powershell.exe Token: SeDebugPrivilege 1564 powershell.exe Token: SeDebugPrivilege 2388 powershell.exe Token: SeDebugPrivilege 3364 powershell.exe Token: SeDebugPrivilege 3936 powershell.exe Token: SeDebugPrivilege 3580 upfc.exe Token: SeDebugPrivilege 884 powershell.exe Token: SeDebugPrivilege 4284 powershell.exe Token: SeDebugPrivilege 4144 powershell.exe Token: SeDebugPrivilege 3384 powershell.exe Token: SeDebugPrivilege 1376 powershell.exe Token: SeDebugPrivilege 2972 upfc.exe Token: SeDebugPrivilege 4192 upfc.exe Token: SeDebugPrivilege 2024 upfc.exe Token: SeDebugPrivilege 4000 upfc.exe Token: SeDebugPrivilege 4596 upfc.exe Token: SeDebugPrivilege 1452 upfc.exe Token: SeDebugPrivilege 540 upfc.exe Token: SeDebugPrivilege 964 upfc.exe Token: SeDebugPrivilege 1380 upfc.exe Token: SeDebugPrivilege 2108 upfc.exe Token: SeDebugPrivilege 3216 upfc.exe Token: SeDebugPrivilege 2084 upfc.exe Token: SeDebugPrivilege 4576 upfc.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1184 wrote to memory of 4540 1184 JaffaCakes118_70f0572bd6526b046b8be82c0669d14b53600f0b2fe0cf3085972106ad1c6a4f.exe 83 PID 1184 wrote to memory of 4540 1184 JaffaCakes118_70f0572bd6526b046b8be82c0669d14b53600f0b2fe0cf3085972106ad1c6a4f.exe 83 PID 1184 wrote to memory of 4540 1184 JaffaCakes118_70f0572bd6526b046b8be82c0669d14b53600f0b2fe0cf3085972106ad1c6a4f.exe 83 PID 4540 wrote to memory of 2496 4540 WScript.exe 85 PID 4540 wrote to memory of 2496 4540 WScript.exe 85 PID 4540 wrote to memory of 2496 4540 WScript.exe 85 PID 2496 wrote to memory of 32 2496 cmd.exe 87 PID 2496 wrote to memory of 32 2496 cmd.exe 87 PID 32 wrote to memory of 1376 32 DllCommonsvc.exe 132 PID 32 wrote to memory of 1376 32 DllCommonsvc.exe 132 PID 32 wrote to memory of 3188 32 DllCommonsvc.exe 133 PID 32 wrote to memory of 3188 32 DllCommonsvc.exe 133 PID 32 wrote to memory of 1084 32 DllCommonsvc.exe 134 PID 32 wrote to memory of 1084 32 DllCommonsvc.exe 134 PID 32 wrote to memory of 884 32 DllCommonsvc.exe 135 PID 32 wrote to memory of 884 32 DllCommonsvc.exe 135 PID 32 wrote to memory of 2760 32 DllCommonsvc.exe 137 PID 32 wrote to memory of 2760 32 DllCommonsvc.exe 137 PID 32 wrote to memory of 5096 32 DllCommonsvc.exe 138 PID 32 wrote to memory of 5096 32 DllCommonsvc.exe 138 PID 32 wrote to memory of 2108 32 DllCommonsvc.exe 139 PID 32 wrote to memory of 2108 32 DllCommonsvc.exe 139 PID 32 wrote to memory of 1564 32 DllCommonsvc.exe 140 PID 32 wrote to memory of 1564 32 DllCommonsvc.exe 140 PID 32 wrote to memory of 4284 32 DllCommonsvc.exe 141 PID 32 wrote to memory of 4284 32 DllCommonsvc.exe 141 PID 32 wrote to memory of 4144 32 DllCommonsvc.exe 142 PID 32 wrote to memory of 4144 32 DllCommonsvc.exe 142 PID 32 wrote to memory of 2388 32 DllCommonsvc.exe 143 PID 32 wrote to memory of 2388 32 DllCommonsvc.exe 143 PID 32 wrote to memory of 3384 32 DllCommonsvc.exe 144 PID 32 wrote to memory of 3384 32 DllCommonsvc.exe 144 PID 32 wrote to memory of 3936 32 DllCommonsvc.exe 145 PID 32 wrote to memory of 3936 32 DllCommonsvc.exe 145 PID 32 wrote to memory of 3364 32 DllCommonsvc.exe 146 PID 32 wrote to memory of 3364 32 DllCommonsvc.exe 146 PID 32 wrote to memory of 4564 32 DllCommonsvc.exe 147 PID 32 wrote to memory of 4564 32 DllCommonsvc.exe 147 PID 32 wrote to memory of 3580 32 DllCommonsvc.exe 161 PID 32 wrote to memory of 3580 32 DllCommonsvc.exe 161 PID 3580 wrote to memory of 2356 3580 upfc.exe 171 PID 3580 wrote to memory of 2356 3580 upfc.exe 171 PID 2356 wrote to memory of 552 2356 cmd.exe 173 PID 2356 wrote to memory of 552 2356 cmd.exe 173 PID 2356 wrote to memory of 2972 2356 cmd.exe 179 PID 2356 wrote to memory of 2972 2356 cmd.exe 179 PID 2972 wrote to memory of 912 2972 upfc.exe 181 PID 2972 wrote to memory of 912 2972 upfc.exe 181 PID 912 wrote to memory of 4100 912 cmd.exe 183 PID 912 wrote to memory of 4100 912 cmd.exe 183 PID 912 wrote to memory of 4192 912 cmd.exe 187 PID 912 wrote to memory of 4192 912 cmd.exe 187 PID 4192 wrote to memory of 3356 4192 upfc.exe 190 PID 4192 wrote to memory of 3356 4192 upfc.exe 190 PID 3356 wrote to memory of 4636 3356 cmd.exe 192 PID 3356 wrote to memory of 4636 3356 cmd.exe 192 PID 3356 wrote to memory of 2024 3356 cmd.exe 194 PID 3356 wrote to memory of 2024 3356 cmd.exe 194 PID 2024 wrote to memory of 1152 2024 upfc.exe 196 PID 2024 wrote to memory of 1152 2024 upfc.exe 196 PID 1152 wrote to memory of 1740 1152 cmd.exe 198 PID 1152 wrote to memory of 1740 1152 cmd.exe 198 PID 1152 wrote to memory of 4000 1152 cmd.exe 200 PID 1152 wrote to memory of 4000 1152 cmd.exe 200 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_70f0572bd6526b046b8be82c0669d14b53600f0b2fe0cf3085972106ad1c6a4f.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_70f0572bd6526b046b8be82c0669d14b53600f0b2fe0cf3085972106ad1c6a4f.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1184 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4540 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2496 -
C:\providercommon\DllCommonsvc.exe"C:\providercommon\DllCommonsvc.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:32 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1376
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\StartMenuExperienceHost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3188
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\VLC\skins\fonts\dllhost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1084
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Security\BrowserCore\en-US\fontdrvhost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:884
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\upfc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2760
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5096
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\dllhost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2108
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Internet Explorer\ja-JP\smss.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1564
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\cmd.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4284
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\SppExtComObj.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4144
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\unsecapp.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2388
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\sihost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3384
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\sppsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3936
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\spoolsv.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3364
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Crashpad\attachments\fontdrvhost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4564
-
-
C:\providercommon\upfc.exe"C:\providercommon\upfc.exe"5⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3580 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qzxbGmHcY3.bat"6⤵
- Suspicious use of WriteProcessMemory
PID:2356 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:27⤵PID:552
-
-
C:\providercommon\upfc.exe"C:\providercommon\upfc.exe"7⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2972 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qzxbGmHcY3.bat"8⤵
- Suspicious use of WriteProcessMemory
PID:912 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:29⤵PID:4100
-
-
C:\providercommon\upfc.exe"C:\providercommon\upfc.exe"9⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4192 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat"10⤵
- Suspicious use of WriteProcessMemory
PID:3356 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:211⤵PID:4636
-
-
C:\providercommon\upfc.exe"C:\providercommon\upfc.exe"11⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2024 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ounU5LkXKE.bat"12⤵
- Suspicious use of WriteProcessMemory
PID:1152 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:213⤵PID:1740
-
-
C:\providercommon\upfc.exe"C:\providercommon\upfc.exe"13⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4000 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ISA3vp411k.bat"14⤵PID:3636
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:215⤵PID:3020
-
-
C:\providercommon\upfc.exe"C:\providercommon\upfc.exe"15⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4596 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qzxbGmHcY3.bat"16⤵PID:4768
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:217⤵PID:1392
-
-
C:\providercommon\upfc.exe"C:\providercommon\upfc.exe"17⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1452 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RId7nS4uU7.bat"18⤵PID:2836
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:219⤵PID:3812
-
-
C:\providercommon\upfc.exe"C:\providercommon\upfc.exe"19⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:540 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uq0hdwOOBc.bat"20⤵PID:4076
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:221⤵PID:4704
-
-
C:\providercommon\upfc.exe"C:\providercommon\upfc.exe"21⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:964 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mylROGge0S.bat"22⤵PID:4760
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:223⤵PID:3080
-
-
C:\providercommon\upfc.exe"C:\providercommon\upfc.exe"23⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1380 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qzxbGmHcY3.bat"24⤵PID:2152
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:225⤵PID:4536
-
-
C:\providercommon\upfc.exe"C:\providercommon\upfc.exe"25⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2108 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat"26⤵PID:412
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:227⤵PID:1232
-
-
C:\providercommon\upfc.exe"C:\providercommon\upfc.exe"27⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3216 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XErLL4imMU.bat"28⤵PID:2904
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:229⤵PID:704
-
-
C:\providercommon\upfc.exe"C:\providercommon\upfc.exe"29⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2084 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OVj8bjUD5N.bat"30⤵PID:3540
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:231⤵PID:1472
-
-
C:\providercommon\upfc.exe"C:\providercommon\upfc.exe"31⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4576
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 7 /tr "'C:\Program Files\Reference Assemblies\StartMenuExperienceHost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2372
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\StartMenuExperienceHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3928
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 11 /tr "'C:\Program Files\Reference Assemblies\StartMenuExperienceHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3264
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files\VideoLAN\VLC\skins\fonts\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3664
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\skins\fonts\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4960
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files\VideoLAN\VLC\skins\fonts\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2176
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\fontdrvhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4116
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1860
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4864
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfcu" /sc MINUTE /mo 6 /tr "'C:\providercommon\upfc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3632
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\providercommon\upfc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:208
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfcu" /sc MINUTE /mo 6 /tr "'C:\providercommon\upfc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1648
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\providercommon\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2972
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2532
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3880
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:464
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4572
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3404
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Program Files\Internet Explorer\ja-JP\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4448
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\ja-JP\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4624
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Program Files\Internet Explorer\ja-JP\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4496
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\providercommon\cmd.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2200
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\providercommon\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1780
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\providercommon\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5092
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\MSBuild\SppExtComObj.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4076
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\SppExtComObj.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:592
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\MSBuild\SppExtComObj.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2356
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4460
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4364
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4536
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihosts" /sc MINUTE /mo 12 /tr "'C:\providercommon\sihost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2756
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\providercommon\sihost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3420
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihosts" /sc MINUTE /mo 13 /tr "'C:\providercommon\sihost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3596
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2152
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4160
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5004
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1452
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3736
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2196
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Program Files\Crashpad\attachments\fontdrvhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:816
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Crashpad\attachments\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:552
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Program Files\Crashpad\attachments\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5064
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
1KB
MD5baf55b95da4a601229647f25dad12878
SHA1abc16954ebfd213733c4493fc1910164d825cac8
SHA256ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924
SHA51224f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545
-
Filesize
944B
MD53a6bad9528f8e23fb5c77fbd81fa28e8
SHA1f127317c3bc6407f536c0f0600dcbcf1aabfba36
SHA256986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05
SHA512846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2
-
Filesize
944B
MD5d28a889fd956d5cb3accfbaf1143eb6f
SHA1157ba54b365341f8ff06707d996b3635da8446f7
SHA25621e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45
SHA5120b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c
-
Filesize
944B
MD5cadef9abd087803c630df65264a6c81c
SHA1babbf3636c347c8727c35f3eef2ee643dbcc4bd2
SHA256cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438
SHA5127278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085
-
Filesize
944B
MD559d97011e091004eaffb9816aa0b9abd
SHA11602a56b01dd4b7c577ca27d3117e4bcc1aa657b
SHA25618f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d
SHA512d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6
-
Filesize
191B
MD525c1ce465f3232d7408c848deed5a058
SHA12f4b68cd2057470c8d5ef65890a9681a8ad7d1c7
SHA256efd7b719fe804a6f0387af0314a469b88869b71af43c26a07058e8c33ed56287
SHA5125c53e215d3b833b1577648aadf64b73b436704d16fef598e9271dc5dc10bdec857637eb6bfddba88ed254fd30a4d929b4565668c2b3962a67e48539b9292dc20
-
Filesize
191B
MD5bf41e38abe97c54108d9727e66c34777
SHA12ef0477a8537f08afde9b3a4996fa93d60e36911
SHA2564825ec7a065be1f7471467fee548cdcec411b922cc3c83cf5f404dfaba38def1
SHA512fb6ea3d1a65ffc61f6b8743bde8f209f2ce0f32aefb0ecbd603bca17c3082c711a8f6b3f38d29eda5594fdbf2055ddab949b3b96b4d1ed388c8033d294591933
-
Filesize
191B
MD5bde79f9c8ecdb757a49dc455300bed2d
SHA1ee643ff5691a28a0ac833cab541a963bc63e14d8
SHA256ed86e80668121d03abff52fc9975d1f11daba3d0fb902c9fb5b9b3dba9a6109f
SHA512c6ecfa210f3499d11e0155583c6d12d299a01fa4c48761a1e671d13a925afd0adc9b2e54f55d27fd88609662952315bca36cf64053fbb2e0290899db1267f1c3
-
Filesize
191B
MD566a8683d954a27ca96056cbcff015fca
SHA1eba1670f8c540c77700700f47002fbecfa796c8b
SHA2569b7f3d0a631b3b1dc99b55ef35995282ea47d83d0a84a11f81f87d2e37d41cf1
SHA51295754cc55e758115eb9bdcb734b84d44c0a931831ffbeede4037ac2fe80b2143ae01c047f581e8224b27e73c19692972332a5fa5af78dd445806d300451cf4a9
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
191B
MD537ec03f5deafad7a4f2403fb066abc0d
SHA1207c26ec53a1cd2ec2397bf749992090235d2961
SHA256b849f23ceae366c5018985f387ce9b734af81d5bce0c06d7f08b39ce502e694e
SHA512e04a0a3c4a0de81740bb8df75b6d15481009e75bf42da2c6774462725e59eb179e074fb06fa9231f56c7f1adfed79ed367f271bfdd7b48a565f6a2db351f0de7
-
Filesize
191B
MD555ff5a214678a2f0eb9462267ae4a353
SHA181a21219de2ef507ef90cb3ef942c22788e28455
SHA25663f123c21d3c698108ffa10da6ea3edaf0546781e461b590c65394c20e28306c
SHA512153b67097715d1aac9ae92046ebba849487ff85ac01e764001b790d1b1296993a327ea23f4d73232047487a3b8b9edc5b2105eeb42211209a9efa188ac581e39
-
Filesize
191B
MD5c55fa3b6286989162b76a5e549819557
SHA197b35b37c18fbfd7088acfb9f248703507ea6645
SHA25605ebf92e27f5c564b7e5394ed4554f7638db0cdc16dfab79131f49dc2b535a93
SHA512ab1332460d694c292d2202136e362202159cd15a4ac8c575f043ac37d433f718407947d75b60b7ecd7c82a8ec8c055e72ffe7185568df517c29af8b2907d163f
-
Filesize
191B
MD5b5aeae4be80225609f1c564b5844fe29
SHA1f765fb3b6dd0fe40f72ed4d20fec9890872921f6
SHA2569b0a2a7bc0a269e3cdb2626e2d210e216ab68fe8611f421d2a33b650f1ed11b8
SHA512871598aee8098ea9db1a01039e1f1d0915690d5e00d5609bcd453d4416b29ce9bcd956e7831ed17fc22c3df1f4486cc84cebcc4b9afc7e26ff6bf3f9ee794edd
-
Filesize
191B
MD5c92a8051f282d96dffe2995db8ab9358
SHA144b9998b480e8a85425654abb071254d9d4eb44c
SHA256f045b25bf1291cab2aae87c4ac8ba8ae1af81524f52ecfc756a31172dd904319
SHA512586c681c6532d5397429b56e3b540aa83932098c9f7f4d42acf788676904c68d493680735fb0ed6cc32bd4672b30839b1c226e6dedd407cc07804427ef5bb740
-
Filesize
36B
MD56783c3ee07c7d151ceac57f1f9c8bed7
SHA117468f98f95bf504cc1f83c49e49a78526b3ea03
SHA2568ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8
-
Filesize
1.0MB
MD5bd31e94b4143c4ce49c17d3af46bcad0
SHA1f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
Filesize
197B
MD58088241160261560a02c84025d107592
SHA1083121f7027557570994c9fc211df61730455bb5
SHA2562072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA51220d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478