Analysis
-
max time kernel
143s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
30/12/2024, 02:04
Behavioral task
behavioral1
Sample
JaffaCakes118_6d7c98f964bdc3b7320f476280ad26589626d7645eda3e08f20f47d97e4dfea2.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
JaffaCakes118_6d7c98f964bdc3b7320f476280ad26589626d7645eda3e08f20f47d97e4dfea2.exe
Resource
win10v2004-20241007-en
General
-
Target
JaffaCakes118_6d7c98f964bdc3b7320f476280ad26589626d7645eda3e08f20f47d97e4dfea2.exe
-
Size
1.3MB
-
MD5
1346468d0e6e358f869080284fadaec5
-
SHA1
c133f35794ba2ae201d515e011f66a3937745b01
-
SHA256
6d7c98f964bdc3b7320f476280ad26589626d7645eda3e08f20f47d97e4dfea2
-
SHA512
d1a5cbe047e8c4191bfa76afd868607a667dc329dce5bea710119cc36b8e4f3477b8cc2fbb0fd3baad83668ae0b1f71eda035e7effd22999a72d0bf9f31d1413
-
SSDEEP
24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 48 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1428 1188 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1980 1188 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1128 1188 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2620 1188 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2712 1188 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2040 1188 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4256 1188 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1812 1188 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1748 1188 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5020 1188 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2444 1188 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3464 1188 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4544 1188 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4860 1188 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1532 1188 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4504 1188 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2236 1188 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2120 1188 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4496 1188 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2124 1188 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5064 1188 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4616 1188 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4840 1188 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1876 1188 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5076 1188 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2036 1188 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4336 1188 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2292 1188 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 908 1188 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3684 1188 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4596 1188 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2776 1188 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1140 1188 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3384 1188 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4604 1188 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4892 1188 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2172 1188 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 416 1188 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4416 1188 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3716 1188 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4952 1188 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4568 1188 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2408 1188 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2228 1188 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 208 1188 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4536 1188 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4908 1188 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4520 1188 schtasks.exe 86 -
resource yara_rule behavioral2/files/0x0007000000023c88-10.dat dcrat behavioral2/memory/4208-13-0x00000000006B0000-0x00000000007C0000-memory.dmp dcrat -
Command and Scripting Interpreter: PowerShell 1 TTPs 17 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 4036 powershell.exe 3832 powershell.exe 2372 powershell.exe 1732 powershell.exe 4780 powershell.exe 2616 powershell.exe 624 powershell.exe 880 powershell.exe 3324 powershell.exe 2176 powershell.exe 1880 powershell.exe 1520 powershell.exe 3452 powershell.exe 740 powershell.exe 3188 powershell.exe 1388 powershell.exe 1164 powershell.exe -
Checks computer location settings 2 TTPs 16 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation fontdrvhost.exe Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation fontdrvhost.exe Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation fontdrvhost.exe Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation fontdrvhost.exe Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation JaffaCakes118_6d7c98f964bdc3b7320f476280ad26589626d7645eda3e08f20f47d97e4dfea2.exe Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation fontdrvhost.exe Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation fontdrvhost.exe Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation fontdrvhost.exe Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation DllCommonsvc.exe Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation fontdrvhost.exe Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation fontdrvhost.exe Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation fontdrvhost.exe Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation fontdrvhost.exe Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation fontdrvhost.exe Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation fontdrvhost.exe -
Executes dropped EXE 15 IoCs
pid Process 4208 DllCommonsvc.exe 1004 fontdrvhost.exe 4052 fontdrvhost.exe 4544 fontdrvhost.exe 4456 fontdrvhost.exe 1236 fontdrvhost.exe 3692 fontdrvhost.exe 440 fontdrvhost.exe 2908 fontdrvhost.exe 3244 fontdrvhost.exe 984 fontdrvhost.exe 1816 fontdrvhost.exe 2084 fontdrvhost.exe 1148 fontdrvhost.exe 1128 fontdrvhost.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 14 IoCs
flow ioc 26 raw.githubusercontent.com 47 raw.githubusercontent.com 55 raw.githubusercontent.com 58 raw.githubusercontent.com 15 raw.githubusercontent.com 39 raw.githubusercontent.com 41 raw.githubusercontent.com 42 raw.githubusercontent.com 46 raw.githubusercontent.com 48 raw.githubusercontent.com 16 raw.githubusercontent.com 54 raw.githubusercontent.com 56 raw.githubusercontent.com 57 raw.githubusercontent.com -
Drops file in Program Files directory 13 IoCs
description ioc Process File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\RuntimeBroker.exe DllCommonsvc.exe File created C:\Program Files (x86)\Windows Media Player\en-US\sihost.exe DllCommonsvc.exe File created C:\Program Files (x86)\Windows Media Player\en-US\66fc9ff0ee96c2 DllCommonsvc.exe File created C:\Program Files\Windows Security\BrowserCore\en-US\5940a34987c991 DllCommonsvc.exe File created C:\Program Files (x86)\MSBuild\55b276f4edf653 DllCommonsvc.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\RuntimeBroker.exe DllCommonsvc.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\9e8d7a4ca61bd9 DllCommonsvc.exe File created C:\Program Files\MSBuild\sppsvc.exe DllCommonsvc.exe File created C:\Program Files\MSBuild\0a1fd5f707cd16 DllCommonsvc.exe File created C:\Program Files (x86)\Internet Explorer\it-IT\taskhostw.exe DllCommonsvc.exe File created C:\Program Files (x86)\Internet Explorer\it-IT\ea9f0e6c9e2dcd DllCommonsvc.exe File created C:\Program Files (x86)\MSBuild\StartMenuExperienceHost.exe DllCommonsvc.exe File created C:\Program Files\Windows Security\BrowserCore\en-US\dllhost.exe DllCommonsvc.exe -
Drops file in Windows directory 6 IoCs
description ioc Process File created C:\Windows\Prefetch\ReadyBoot\ebf1f9fa8afd6d DllCommonsvc.exe File created C:\Windows\OCR\de-de\unsecapp.exe DllCommonsvc.exe File created C:\Windows\ServiceProfiles\NetworkService\Links\explorer.exe DllCommonsvc.exe File created C:\Windows\ServiceProfiles\NetworkService\Links\7a0fd90576e088 DllCommonsvc.exe File created C:\Windows\schemas\EAPMethods\spoolsv.exe DllCommonsvc.exe File created C:\Windows\Prefetch\ReadyBoot\cmd.exe DllCommonsvc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_6d7c98f964bdc3b7320f476280ad26589626d7645eda3e08f20f47d97e4dfea2.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
Modifies registry class 14 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings fontdrvhost.exe Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings fontdrvhost.exe Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings fontdrvhost.exe Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings fontdrvhost.exe Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings fontdrvhost.exe Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings fontdrvhost.exe Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings fontdrvhost.exe Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings JaffaCakes118_6d7c98f964bdc3b7320f476280ad26589626d7645eda3e08f20f47d97e4dfea2.exe Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings fontdrvhost.exe Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings fontdrvhost.exe Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings fontdrvhost.exe Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings fontdrvhost.exe Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings fontdrvhost.exe Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings fontdrvhost.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 48 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 1812 schtasks.exe 4544 schtasks.exe 4496 schtasks.exe 4416 schtasks.exe 2228 schtasks.exe 5076 schtasks.exe 2776 schtasks.exe 1980 schtasks.exe 1128 schtasks.exe 1748 schtasks.exe 4504 schtasks.exe 2236 schtasks.exe 2120 schtasks.exe 3384 schtasks.exe 4892 schtasks.exe 2172 schtasks.exe 416 schtasks.exe 2408 schtasks.exe 4256 schtasks.exe 3464 schtasks.exe 2124 schtasks.exe 2036 schtasks.exe 208 schtasks.exe 2712 schtasks.exe 4616 schtasks.exe 1428 schtasks.exe 2620 schtasks.exe 1532 schtasks.exe 4840 schtasks.exe 1140 schtasks.exe 4952 schtasks.exe 4908 schtasks.exe 5020 schtasks.exe 4860 schtasks.exe 5064 schtasks.exe 1876 schtasks.exe 4336 schtasks.exe 908 schtasks.exe 2040 schtasks.exe 4596 schtasks.exe 4604 schtasks.exe 3716 schtasks.exe 4568 schtasks.exe 2444 schtasks.exe 2292 schtasks.exe 3684 schtasks.exe 4536 schtasks.exe 4520 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4208 DllCommonsvc.exe 4208 DllCommonsvc.exe 4208 DllCommonsvc.exe 4208 DllCommonsvc.exe 4208 DllCommonsvc.exe 4208 DllCommonsvc.exe 4208 DllCommonsvc.exe 4208 DllCommonsvc.exe 4208 DllCommonsvc.exe 4208 DllCommonsvc.exe 4208 DllCommonsvc.exe 4208 DllCommonsvc.exe 4208 DllCommonsvc.exe 4208 DllCommonsvc.exe 4208 DllCommonsvc.exe 4208 DllCommonsvc.exe 4208 DllCommonsvc.exe 4208 DllCommonsvc.exe 4208 DllCommonsvc.exe 4208 DllCommonsvc.exe 3452 powershell.exe 3452 powershell.exe 624 powershell.exe 624 powershell.exe 740 powershell.exe 740 powershell.exe 1388 powershell.exe 1388 powershell.exe 2616 powershell.exe 2616 powershell.exe 1164 powershell.exe 1164 powershell.exe 2176 powershell.exe 2176 powershell.exe 4036 powershell.exe 4036 powershell.exe 3188 powershell.exe 3188 powershell.exe 880 powershell.exe 880 powershell.exe 1880 powershell.exe 1880 powershell.exe 3832 powershell.exe 3832 powershell.exe 4780 powershell.exe 4780 powershell.exe 3324 powershell.exe 3324 powershell.exe 1520 powershell.exe 1520 powershell.exe 2372 powershell.exe 2372 powershell.exe 1732 powershell.exe 1732 powershell.exe 3324 powershell.exe 2372 powershell.exe 1004 fontdrvhost.exe 1004 fontdrvhost.exe 740 powershell.exe 3452 powershell.exe 1388 powershell.exe 3188 powershell.exe 2616 powershell.exe 1732 powershell.exe -
Suspicious use of AdjustPrivilegeToken 32 IoCs
description pid Process Token: SeDebugPrivilege 4208 DllCommonsvc.exe Token: SeDebugPrivilege 3452 powershell.exe Token: SeDebugPrivilege 624 powershell.exe Token: SeDebugPrivilege 740 powershell.exe Token: SeDebugPrivilege 1388 powershell.exe Token: SeDebugPrivilege 1164 powershell.exe Token: SeDebugPrivilege 2616 powershell.exe Token: SeDebugPrivilege 2176 powershell.exe Token: SeDebugPrivilege 4036 powershell.exe Token: SeDebugPrivilege 1520 powershell.exe Token: SeDebugPrivilege 3324 powershell.exe Token: SeDebugPrivilege 3188 powershell.exe Token: SeDebugPrivilege 880 powershell.exe Token: SeDebugPrivilege 2372 powershell.exe Token: SeDebugPrivilege 1880 powershell.exe Token: SeDebugPrivilege 3832 powershell.exe Token: SeDebugPrivilege 1732 powershell.exe Token: SeDebugPrivilege 4780 powershell.exe Token: SeDebugPrivilege 1004 fontdrvhost.exe Token: SeDebugPrivilege 4052 fontdrvhost.exe Token: SeDebugPrivilege 4544 fontdrvhost.exe Token: SeDebugPrivilege 4456 fontdrvhost.exe Token: SeDebugPrivilege 1236 fontdrvhost.exe Token: SeDebugPrivilege 3692 fontdrvhost.exe Token: SeDebugPrivilege 440 fontdrvhost.exe Token: SeDebugPrivilege 2908 fontdrvhost.exe Token: SeDebugPrivilege 3244 fontdrvhost.exe Token: SeDebugPrivilege 984 fontdrvhost.exe Token: SeDebugPrivilege 1816 fontdrvhost.exe Token: SeDebugPrivilege 2084 fontdrvhost.exe Token: SeDebugPrivilege 1148 fontdrvhost.exe Token: SeDebugPrivilege 1128 fontdrvhost.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3292 wrote to memory of 2896 3292 JaffaCakes118_6d7c98f964bdc3b7320f476280ad26589626d7645eda3e08f20f47d97e4dfea2.exe 82 PID 3292 wrote to memory of 2896 3292 JaffaCakes118_6d7c98f964bdc3b7320f476280ad26589626d7645eda3e08f20f47d97e4dfea2.exe 82 PID 3292 wrote to memory of 2896 3292 JaffaCakes118_6d7c98f964bdc3b7320f476280ad26589626d7645eda3e08f20f47d97e4dfea2.exe 82 PID 2896 wrote to memory of 540 2896 WScript.exe 83 PID 2896 wrote to memory of 540 2896 WScript.exe 83 PID 2896 wrote to memory of 540 2896 WScript.exe 83 PID 540 wrote to memory of 4208 540 cmd.exe 85 PID 540 wrote to memory of 4208 540 cmd.exe 85 PID 4208 wrote to memory of 624 4208 DllCommonsvc.exe 135 PID 4208 wrote to memory of 624 4208 DllCommonsvc.exe 135 PID 4208 wrote to memory of 3452 4208 DllCommonsvc.exe 136 PID 4208 wrote to memory of 3452 4208 DllCommonsvc.exe 136 PID 4208 wrote to memory of 4036 4208 DllCommonsvc.exe 137 PID 4208 wrote to memory of 4036 4208 DllCommonsvc.exe 137 PID 4208 wrote to memory of 3832 4208 DllCommonsvc.exe 138 PID 4208 wrote to memory of 3832 4208 DllCommonsvc.exe 138 PID 4208 wrote to memory of 740 4208 DllCommonsvc.exe 139 PID 4208 wrote to memory of 740 4208 DllCommonsvc.exe 139 PID 4208 wrote to memory of 880 4208 DllCommonsvc.exe 140 PID 4208 wrote to memory of 880 4208 DllCommonsvc.exe 140 PID 4208 wrote to memory of 2176 4208 DllCommonsvc.exe 141 PID 4208 wrote to memory of 2176 4208 DllCommonsvc.exe 141 PID 4208 wrote to memory of 1880 4208 DllCommonsvc.exe 142 PID 4208 wrote to memory of 1880 4208 DllCommonsvc.exe 142 PID 4208 wrote to memory of 3188 4208 DllCommonsvc.exe 143 PID 4208 wrote to memory of 3188 4208 DllCommonsvc.exe 143 PID 4208 wrote to memory of 1388 4208 DllCommonsvc.exe 144 PID 4208 wrote to memory of 1388 4208 DllCommonsvc.exe 144 PID 4208 wrote to memory of 2616 4208 DllCommonsvc.exe 145 PID 4208 wrote to memory of 2616 4208 DllCommonsvc.exe 145 PID 4208 wrote to memory of 1164 4208 DllCommonsvc.exe 146 PID 4208 wrote to memory of 1164 4208 DllCommonsvc.exe 146 PID 4208 wrote to memory of 1520 4208 DllCommonsvc.exe 147 PID 4208 wrote to memory of 1520 4208 DllCommonsvc.exe 147 PID 4208 wrote to memory of 4780 4208 DllCommonsvc.exe 148 PID 4208 wrote to memory of 4780 4208 DllCommonsvc.exe 148 PID 4208 wrote to memory of 1732 4208 DllCommonsvc.exe 149 PID 4208 wrote to memory of 1732 4208 DllCommonsvc.exe 149 PID 4208 wrote to memory of 2372 4208 DllCommonsvc.exe 150 PID 4208 wrote to memory of 2372 4208 DllCommonsvc.exe 150 PID 4208 wrote to memory of 3324 4208 DllCommonsvc.exe 173 PID 4208 wrote to memory of 3324 4208 DllCommonsvc.exe 173 PID 4208 wrote to memory of 1004 4208 DllCommonsvc.exe 169 PID 4208 wrote to memory of 1004 4208 DllCommonsvc.exe 169 PID 1004 wrote to memory of 4496 1004 fontdrvhost.exe 170 PID 1004 wrote to memory of 4496 1004 fontdrvhost.exe 170 PID 4496 wrote to memory of 1548 4496 cmd.exe 172 PID 4496 wrote to memory of 1548 4496 cmd.exe 172 PID 4496 wrote to memory of 4052 4496 cmd.exe 176 PID 4496 wrote to memory of 4052 4496 cmd.exe 176 PID 4052 wrote to memory of 1828 4052 fontdrvhost.exe 180 PID 4052 wrote to memory of 1828 4052 fontdrvhost.exe 180 PID 1828 wrote to memory of 1680 1828 cmd.exe 182 PID 1828 wrote to memory of 1680 1828 cmd.exe 182 PID 1828 wrote to memory of 4544 1828 cmd.exe 183 PID 1828 wrote to memory of 4544 1828 cmd.exe 183 PID 4544 wrote to memory of 1732 4544 fontdrvhost.exe 186 PID 4544 wrote to memory of 1732 4544 fontdrvhost.exe 186 PID 1732 wrote to memory of 1832 1732 cmd.exe 188 PID 1732 wrote to memory of 1832 1732 cmd.exe 188 PID 1732 wrote to memory of 4456 1732 cmd.exe 189 PID 1732 wrote to memory of 4456 1732 cmd.exe 189 PID 4456 wrote to memory of 1852 4456 fontdrvhost.exe 190 PID 4456 wrote to memory of 1852 4456 fontdrvhost.exe 190 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6d7c98f964bdc3b7320f476280ad26589626d7645eda3e08f20f47d97e4dfea2.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6d7c98f964bdc3b7320f476280ad26589626d7645eda3e08f20f47d97e4dfea2.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3292 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2896 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:540 -
C:\providercommon\DllCommonsvc.exe"C:\providercommon\DllCommonsvc.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4208 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:624
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\RuntimeBroker.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3452
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\sppsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4036
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\unsecapp.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3832
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\it-IT\taskhostw.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:740
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Media Player\en-US\sihost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:880
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Prefetch\ReadyBoot\cmd.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2176
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\OfficeClickToRun.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1880
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\fontdrvhost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3188
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\System.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1388
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\SoftwareDistribution\sysmon.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2616
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Documents\SppExtComObj.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1164
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\StartMenuExperienceHost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1520
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dwm.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4780
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ServiceProfiles\NetworkService\Links\explorer.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1732
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\smss.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2372
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Security\BrowserCore\en-US\dllhost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3324
-
-
C:\providercommon\fontdrvhost.exe"C:\providercommon\fontdrvhost.exe"5⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1004 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Pbgl9PPr7s.bat"6⤵
- Suspicious use of WriteProcessMemory
PID:4496 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:27⤵PID:1548
-
-
C:\providercommon\fontdrvhost.exe"C:\providercommon\fontdrvhost.exe"7⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4052 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aWJwCUxpp4.bat"8⤵
- Suspicious use of WriteProcessMemory
PID:1828 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:29⤵PID:1680
-
-
C:\providercommon\fontdrvhost.exe"C:\providercommon\fontdrvhost.exe"9⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4544 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rE1HJofSUb.bat"10⤵
- Suspicious use of WriteProcessMemory
PID:1732 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:211⤵PID:1832
-
-
C:\providercommon\fontdrvhost.exe"C:\providercommon\fontdrvhost.exe"11⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4456 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Tcsv1v0qfT.bat"12⤵PID:1852
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:213⤵PID:5064
-
-
C:\providercommon\fontdrvhost.exe"C:\providercommon\fontdrvhost.exe"13⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1236 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wHaMzi6eYE.bat"14⤵PID:2440
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:215⤵PID:3080
-
-
C:\providercommon\fontdrvhost.exe"C:\providercommon\fontdrvhost.exe"15⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:3692 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VeFqpJq3BV.bat"16⤵PID:2728
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:217⤵PID:4980
-
-
C:\providercommon\fontdrvhost.exe"C:\providercommon\fontdrvhost.exe"17⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:440 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SXiopUTlQe.bat"18⤵PID:1548
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:219⤵PID:3340
-
-
C:\providercommon\fontdrvhost.exe"C:\providercommon\fontdrvhost.exe"19⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2908 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sPXGbYzrvf.bat"20⤵PID:4264
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:221⤵PID:452
-
-
C:\providercommon\fontdrvhost.exe"C:\providercommon\fontdrvhost.exe"21⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:3244 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\826UXRAQMN.bat"22⤵PID:3864
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:223⤵PID:3188
-
-
C:\providercommon\fontdrvhost.exe"C:\providercommon\fontdrvhost.exe"23⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:984 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NfeiSKMyn5.bat"24⤵PID:712
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:225⤵PID:3444
-
-
C:\providercommon\fontdrvhost.exe"C:\providercommon\fontdrvhost.exe"25⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1816 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XaHtVPtwVH.bat"26⤵PID:1524
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:227⤵PID:4844
-
-
C:\providercommon\fontdrvhost.exe"C:\providercommon\fontdrvhost.exe"27⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2084 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2zXOrWkEHk.bat"28⤵PID:2488
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:229⤵PID:2932
-
-
C:\providercommon\fontdrvhost.exe"C:\providercommon\fontdrvhost.exe"29⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1148 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JhFjyqSsxH.bat"30⤵PID:2612
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:231⤵PID:2228
-
-
C:\providercommon\fontdrvhost.exe"C:\providercommon\fontdrvhost.exe"31⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1128
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\RuntimeBroker.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1428
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1980
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1128
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Program Files\MSBuild\sppsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2620
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\MSBuild\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2712
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Program Files\MSBuild\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2040
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\unsecapp.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4256
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Users\Default User\unsecapp.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1812
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\unsecapp.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1748
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\taskhostw.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5020
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\taskhostw.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3464
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\taskhostw.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2444
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihosts" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Media Player\en-US\sihost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4544
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\en-US\sihost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4860
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihosts" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Media Player\en-US\sihost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1532
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\Windows\Prefetch\ReadyBoot\cmd.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4504
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\Prefetch\ReadyBoot\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2236
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Windows\Prefetch\ReadyBoot\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2120
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 9 /tr "'C:\providercommon\OfficeClickToRun.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2124
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\providercommon\OfficeClickToRun.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4496
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 14 /tr "'C:\providercommon\OfficeClickToRun.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5064
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\providercommon\fontdrvhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4616
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\providercommon\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4840
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\providercommon\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1876
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\System.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5076
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2036
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4336
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmons" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\SoftwareDistribution\sysmon.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2292
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Users\All Users\SoftwareDistribution\sysmon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:908
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmons" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\SoftwareDistribution\sysmon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3684
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Documents\SppExtComObj.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4596
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Users\Default\Documents\SppExtComObj.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2776
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Documents\SppExtComObj.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1140
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\MSBuild\StartMenuExperienceHost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3384
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\StartMenuExperienceHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4604
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\MSBuild\StartMenuExperienceHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4892
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\providercommon\dwm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2172
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:416
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4416
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Windows\ServiceProfiles\NetworkService\Links\explorer.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3716
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\ServiceProfiles\NetworkService\Links\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4952
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Windows\ServiceProfiles\NetworkService\Links\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4568
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\providercommon\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2408
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2228
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:208
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4536
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4908
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4520
-
C:\Windows\System32\WaaSMedicAgent.exeC:\Windows\System32\WaaSMedicAgent.exe 3b2c3886576500ed840a10d34e9610fa mrFC+rsD70Kg6KgdqbtCyg.0.1.0.0.01⤵PID:3324
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5baf55b95da4a601229647f25dad12878
SHA1abc16954ebfd213733c4493fc1910164d825cac8
SHA256ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924
SHA51224f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
944B
MD56d3e9c29fe44e90aae6ed30ccf799ca8
SHA1c7974ef72264bbdf13a2793ccf1aed11bc565dce
SHA2562360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d
SHA51260c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a
-
Filesize
944B
MD5d28a889fd956d5cb3accfbaf1143eb6f
SHA1157ba54b365341f8ff06707d996b3635da8446f7
SHA25621e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45
SHA5120b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c
-
Filesize
944B
MD53a6bad9528f8e23fb5c77fbd81fa28e8
SHA1f127317c3bc6407f536c0f0600dcbcf1aabfba36
SHA256986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05
SHA512846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2
-
Filesize
944B
MD559d97011e091004eaffb9816aa0b9abd
SHA11602a56b01dd4b7c577ca27d3117e4bcc1aa657b
SHA25618f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d
SHA512d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6
-
Filesize
944B
MD5a8e8360d573a4ff072dcc6f09d992c88
SHA13446774433ceaf0b400073914facab11b98b6807
SHA256bf5e284e8f95122bf75ead61c7e2b40f55c96742b05330b5b1cb7915991df13b
SHA5124ee5167643d82082f57c42616007ef9be57f43f9731921bdf7bca611a914724ad94072d3c8f5b130fa54129e5328ccdebf37ba74339c37deb53e79df5cdf0dbe
-
Filesize
944B
MD55f0ddc7f3691c81ee14d17b419ba220d
SHA1f0ef5fde8bab9d17c0b47137e014c91be888ee53
SHA256a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5
SHA5122ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3
-
Filesize
198B
MD5a9640e15fe54ac2a60ecc14835eb0d79
SHA10142fbc082573b7ec42b4414ee4a97558ca9497b
SHA25663a162ad073293036307997f34d03fbb8f49a55740c6394b0e1c7360014cc51d
SHA5125b7aa6f9ade29243d7949f66451e69fb93c9b2572849dcd4f7a548033c49f3c703c68fc2a7a73b676d6e281189a7e72b7e052986dfa40277f64dd8a5aa1107d0
-
Filesize
198B
MD576eab2cb26a66e73bb29ae40d8cc834e
SHA121521cd9623c302dbb1031543f1e928d4a730490
SHA2562103322424afcac1298c5c8172665fa38a749694fe78b0f3ba42bd5616af3c2f
SHA512b0b1264afca86df1fe8f722713d06b97c5f97d9abf457fc44ccc30afe005147e54497c97f96294c0f7896454af010f69fc7f9b5f153c40558bb1e4d18e3b7ac5
-
Filesize
198B
MD56354ef664174b920b731386b5fdda0d5
SHA1aa953d85711998069d66c8d06a6bb3befa6bda27
SHA256cc9518e7ab196f5aafd2137410cf845e2460553c33c6b95f87c8623fc5d082db
SHA51220d2916f9239876d93419473b707636ae515add0442b21ec6a946d26be8c3d19cc2b76c5ffec6c9e57c07e88917d7d84ea68e1e56972036534367eafc83f4be0
-
Filesize
198B
MD5e96001ef72ff03d9d53ab8c31c6c7662
SHA1867fe999aa3c77babb6ac2976b7c6ade69f36bf4
SHA2564fd5a0bdbc863af4fb7f3f0da361d963c27671904ed29433ec66107b15317497
SHA5128bb8b812e20022ee651977bebf9faf4260055f2bdee7c98fd2ac4852867ddc3e68c6ab6701669192a9679e952d2beff1bdc03ad4ee91aa7e7619fbed8c704484
-
Filesize
198B
MD597c6a3097a92029ccfa11d5cfe667872
SHA1c6a1d764fa324728ea38d44777a37c980ed22df2
SHA2565a7bc1b276ecbfab9471270629fa1c3304850fea600d9b71af30bebe5d01238e
SHA51278fc6fa301de35511592cd9917c8f5031d23d52268ed8c08b7454d75dca61bd63e11b2c95fad154425451f30a6bf9bc9e6a8d3782c253cbdf59d3470dad2ec5b
-
Filesize
198B
MD5dde0dc21be3d69ac187c179fded9d054
SHA19d1d88d7cca3c3e3bfb1aeac180e984b30e52818
SHA25667d02b7f71a7fd8a7ebf14d38950a898e376d0db8dd38b3cc43dc7d85e02cb58
SHA5128cc5bd34caca5c2bb752c2c54a125a751af089bd96f59b6127afb85c23ac6dc1bfedb525264ee3a697e0a42f5b4b75ec669e476f0346bd3a72978d73a975bc19
-
Filesize
198B
MD57c960a69005d2314960a53f0438280cc
SHA110b87a85deb55accba60254972177749b3c99bac
SHA256db8b58171baf192df91815858e564bbeeb5db397a72d56189c074fa3a0caca63
SHA512cf40e17f9062b1bc50e60aeed915f37530eb86fbcc2f64208265540542f9556631d5f18ee2dc5002fc02d950de198543360d0a95f4b6188b73c80f7238d63a30
-
Filesize
198B
MD5e3f998bde48b41f53b3c5dc1893a6817
SHA1e25dc691503459164d3703da377a2629a9f20d1f
SHA256fb15f8ccc70f0f6ef842e8b6f3e9a762cbddf3cf2ce6c68c8d1c93a0b2584e1f
SHA51223017848fad3a14c423476fadd0972a11e796a4e1381dc8c9d2ab5008e57334c42ce6f856bf4fc783e81e2e4b10b824458df928474bb00da5db76202d4be2b60
-
Filesize
198B
MD52b19c7c108d72060d83edb5aaa92528c
SHA1de71565a9d14bd3cc9f910a8a392e0a43ad88434
SHA25643039b68e3e0152b05b2e0bbaaf9aabb064cb52111145ff96f8559868792c0d4
SHA512463ef639ea6e628e169c0c11de8a7ce267ae919de5bdbc4dc65c94df2cabd2020a2f6dc38e89a00be5792b6efdd2e42c5768968514f96604b3729dc9328cdb57
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
198B
MD5a50feb641e2abbc0d4e566e50ab0dac6
SHA175601b4fd741c9940ab161aecdcb06c6890c2e6f
SHA2564b0ddc625f05ec472d11fb7720438d3d59fcdb11f895b965705eacf6a5d37c0e
SHA51209290af83e001c5786b2169825a58f3e29132e680fffdda0ce2aff251382bf64013818dea93a4dcf6e5df56fe01198e8c4e9e232a0e714496cf5dd30e8d9bfbd
-
Filesize
198B
MD55ae888114a0dc8f1906dd821309e5c9a
SHA1b36fc8abddc604827a432dfad3cccfb48e1a97cc
SHA2560d893bdcdab9b5b2f50664b6e887a0c54f431aad7269bf2cbbffa73250bb0e43
SHA5125c3f9df7ca198d693d50078698252734611ba326152e6fed211148714e99ad012e7cc8dba12322bfa223b3636949fd635aa695974446650e0cc741b151f2a547
-
Filesize
198B
MD57abcaf3322c56b2da25015f5b933fbdf
SHA1798524c57cbcbae4c0ecd46b43fe350c52abf29f
SHA25675eb5c9ddd7b9e04cac39c501e442cfb7834f197da7ec21d00888afffc08974e
SHA512f1d8ddeca2496bc1904b5b30f0edf4ab49525b1fc44abb3c1205fe26874242ce0152ad6269250927422704ba4ede6b4e4b51710fe1350f054c42311573144681
-
Filesize
198B
MD53cd8de44c105080ed02e73af9b378252
SHA12a688ac523abd996f5243d29682d7f8c44607fd4
SHA2560c8a37933b607aabbe94f287718a694551059c4bea7e0aa43fe37b9b6a4f8833
SHA512c03e9f955501d60147e1896e66e0b06bf612409cb3e39961bf4109b2848ef3657a97815a28c3aa7412a51ffdc08d6f6e8d15df34e6a41e8e986ad502d7701c51
-
Filesize
36B
MD56783c3ee07c7d151ceac57f1f9c8bed7
SHA117468f98f95bf504cc1f83c49e49a78526b3ea03
SHA2568ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8
-
Filesize
1.0MB
MD5bd31e94b4143c4ce49c17d3af46bcad0
SHA1f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
Filesize
197B
MD58088241160261560a02c84025d107592
SHA1083121f7027557570994c9fc211df61730455bb5
SHA2562072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA51220d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478