Analysis
-
max time kernel
149s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
30/12/2024, 17:29
Behavioral task
behavioral1
Sample
JaffaCakes118_c507802eede7343e1b5f44f4a3e52b479f454b621b0803cf953aae1d972ebccb.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
JaffaCakes118_c507802eede7343e1b5f44f4a3e52b479f454b621b0803cf953aae1d972ebccb.exe
Resource
win10v2004-20241007-en
General
-
Target
JaffaCakes118_c507802eede7343e1b5f44f4a3e52b479f454b621b0803cf953aae1d972ebccb.exe
-
Size
1.3MB
-
MD5
45abae4551848db4192410cf2de05722
-
SHA1
9c1920b0be236b01a24120083bbc010ac2474c9b
-
SHA256
c507802eede7343e1b5f44f4a3e52b479f454b621b0803cf953aae1d972ebccb
-
SHA512
84fb19bdb72fb4dbce82f369d135efb27952917e204ffaa7b9f4fc085a222b821ac0b8d0ebf6583e5d0bac998b2f95531a6a34d6849b353d9ad65bfc63f8d3ac
-
SSDEEP
24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 48 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4808 3148 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4192 3148 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4208 3148 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4300 3148 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2144 3148 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 864 3148 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3436 3148 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4868 3148 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2816 3148 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4724 3148 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4512 3148 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4012 3148 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5104 3148 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4264 3148 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 816 3148 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2120 3148 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1692 3148 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3240 3148 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1112 3148 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2560 3148 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2620 3148 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1492 3148 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 792 3148 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 324 3148 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3032 3148 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4952 3148 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1144 3148 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3084 3148 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3104 3148 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1580 3148 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4200 3148 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2568 3148 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2536 3148 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1172 3148 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4036 3148 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 432 3148 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4628 3148 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 400 3148 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3756 3148 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 316 3148 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4508 3148 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3520 3148 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2884 3148 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3588 3148 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3580 3148 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2008 3148 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2148 3148 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4444 3148 schtasks.exe 86 -
resource yara_rule behavioral2/files/0x000a000000023b9b-9.dat dcrat behavioral2/memory/4812-13-0x0000000000EE0000-0x0000000000FF0000-memory.dmp dcrat -
Command and Scripting Interpreter: PowerShell 1 TTPs 17 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 4800 powershell.exe 1124 powershell.exe 1192 powershell.exe 1072 powershell.exe 1504 powershell.exe 3612 powershell.exe 1496 powershell.exe 1544 powershell.exe 3928 powershell.exe 4460 powershell.exe 3524 powershell.exe 2124 powershell.exe 4224 powershell.exe 1960 powershell.exe 1440 powershell.exe 1344 powershell.exe 1772 powershell.exe -
Checks computer location settings 2 TTPs 16 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation JaffaCakes118_c507802eede7343e1b5f44f4a3e52b479f454b621b0803cf953aae1d972ebccb.exe Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation wininit.exe Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation wininit.exe Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation wininit.exe Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation wininit.exe Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation wininit.exe Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation wininit.exe Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation DllCommonsvc.exe Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation wininit.exe Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation wininit.exe Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation wininit.exe Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation wininit.exe Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation wininit.exe Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation wininit.exe Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation wininit.exe -
Executes dropped EXE 14 IoCs
pid Process 4812 DllCommonsvc.exe 4228 wininit.exe 3616 wininit.exe 4056 wininit.exe 2028 wininit.exe 1968 wininit.exe 2564 wininit.exe 4900 wininit.exe 1964 wininit.exe 4776 wininit.exe 1000 wininit.exe 4008 wininit.exe 1032 wininit.exe 2564 wininit.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 14 IoCs
flow ioc 41 raw.githubusercontent.com 43 raw.githubusercontent.com 53 raw.githubusercontent.com 59 raw.githubusercontent.com 42 raw.githubusercontent.com 56 raw.githubusercontent.com 16 raw.githubusercontent.com 57 raw.githubusercontent.com 14 raw.githubusercontent.com 24 raw.githubusercontent.com 47 raw.githubusercontent.com 48 raw.githubusercontent.com 55 raw.githubusercontent.com 58 raw.githubusercontent.com -
Drops file in Program Files directory 17 IoCs
description ioc Process File created C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\886983d96e3d3e DllCommonsvc.exe File created C:\Program Files\Microsoft Office\Office16\0a1fd5f707cd16 DllCommonsvc.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\unsecapp.exe DllCommonsvc.exe File created C:\Program Files (x86)\Windows Media Player\en-US\RuntimeBroker.exe DllCommonsvc.exe File created C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\csrss.exe DllCommonsvc.exe File created C:\Program Files (x86)\Mozilla Maintenance Service\logs\sysmon.exe DllCommonsvc.exe File created C:\Program Files\MSBuild\ebf1f9fa8afd6d DllCommonsvc.exe File created C:\Program Files (x86)\Internet Explorer\it-IT\upfc.exe DllCommonsvc.exe File created C:\Program Files (x86)\Internet Explorer\it-IT\ea1d8f6d871115 DllCommonsvc.exe File created C:\Program Files (x86)\Windows Media Player\en-US\9e8d7a4ca61bd9 DllCommonsvc.exe File created C:\Program Files (x86)\Windows NT\Accessories\en-US\886983d96e3d3e DllCommonsvc.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\unsecapp.exe DllCommonsvc.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\29c1c3cc0f7685 DllCommonsvc.exe File created C:\Program Files\MSBuild\cmd.exe DllCommonsvc.exe File created C:\Program Files (x86)\Windows NT\Accessories\en-US\csrss.exe DllCommonsvc.exe File created C:\Program Files\Microsoft Office\Office16\sppsvc.exe DllCommonsvc.exe File created C:\Program Files (x86)\Mozilla Maintenance Service\logs\121e5b5079f7c0 DllCommonsvc.exe -
Drops file in Windows directory 6 IoCs
description ioc Process File created C:\Windows\fr-FR\fontdrvhost.exe DllCommonsvc.exe File created C:\Windows\fr-FR\5b884080fd4f94 DllCommonsvc.exe File created C:\Windows\LiveKernelReports\spoolsv.exe DllCommonsvc.exe File created C:\Windows\LiveKernelReports\f3b6ecef712a24 DllCommonsvc.exe File created C:\Windows\Microsoft.NET\Registry.exe DllCommonsvc.exe File created C:\Windows\Microsoft.NET\ee2ad38f3d4382 DllCommonsvc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_c507802eede7343e1b5f44f4a3e52b479f454b621b0803cf953aae1d972ebccb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
Modifies registry class 14 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings JaffaCakes118_c507802eede7343e1b5f44f4a3e52b479f454b621b0803cf953aae1d972ebccb.exe Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings wininit.exe Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings wininit.exe Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings wininit.exe Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings wininit.exe Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings wininit.exe Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings wininit.exe Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings wininit.exe Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings wininit.exe Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings wininit.exe Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings wininit.exe Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings wininit.exe Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings wininit.exe Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings wininit.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 48 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 1692 schtasks.exe 3084 schtasks.exe 2008 schtasks.exe 4444 schtasks.exe 4512 schtasks.exe 4200 schtasks.exe 400 schtasks.exe 324 schtasks.exe 864 schtasks.exe 3240 schtasks.exe 2620 schtasks.exe 1492 schtasks.exe 3104 schtasks.exe 2144 schtasks.exe 4192 schtasks.exe 2816 schtasks.exe 2120 schtasks.exe 1112 schtasks.exe 2560 schtasks.exe 3032 schtasks.exe 2536 schtasks.exe 4808 schtasks.exe 3580 schtasks.exe 4724 schtasks.exe 432 schtasks.exe 316 schtasks.exe 3588 schtasks.exe 4300 schtasks.exe 792 schtasks.exe 4628 schtasks.exe 3520 schtasks.exe 3436 schtasks.exe 4868 schtasks.exe 5104 schtasks.exe 816 schtasks.exe 1144 schtasks.exe 1172 schtasks.exe 4036 schtasks.exe 2148 schtasks.exe 4208 schtasks.exe 4264 schtasks.exe 4952 schtasks.exe 1580 schtasks.exe 2568 schtasks.exe 3756 schtasks.exe 4508 schtasks.exe 2884 schtasks.exe 4012 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4812 DllCommonsvc.exe 4812 DllCommonsvc.exe 4812 DllCommonsvc.exe 4812 DllCommonsvc.exe 4812 DllCommonsvc.exe 4812 DllCommonsvc.exe 1544 powershell.exe 1544 powershell.exe 1440 powershell.exe 1440 powershell.exe 1772 powershell.exe 1772 powershell.exe 1192 powershell.exe 1192 powershell.exe 1072 powershell.exe 1072 powershell.exe 1960 powershell.exe 1960 powershell.exe 4460 powershell.exe 4460 powershell.exe 1504 powershell.exe 1504 powershell.exe 1344 powershell.exe 1344 powershell.exe 4800 powershell.exe 4800 powershell.exe 1496 powershell.exe 1496 powershell.exe 3524 powershell.exe 3524 powershell.exe 2124 powershell.exe 2124 powershell.exe 3928 powershell.exe 3928 powershell.exe 3612 powershell.exe 3612 powershell.exe 4224 powershell.exe 4224 powershell.exe 1124 powershell.exe 1124 powershell.exe 4228 wininit.exe 4228 wininit.exe 3524 powershell.exe 4224 powershell.exe 3928 powershell.exe 1544 powershell.exe 1544 powershell.exe 1440 powershell.exe 1192 powershell.exe 4800 powershell.exe 4460 powershell.exe 1496 powershell.exe 1072 powershell.exe 1504 powershell.exe 1772 powershell.exe 1960 powershell.exe 3612 powershell.exe 2124 powershell.exe 1344 powershell.exe 1124 powershell.exe 3616 wininit.exe 4056 wininit.exe 2028 wininit.exe 1968 wininit.exe -
Suspicious use of AdjustPrivilegeToken 31 IoCs
description pid Process Token: SeDebugPrivilege 4812 DllCommonsvc.exe Token: SeDebugPrivilege 1544 powershell.exe Token: SeDebugPrivilege 1440 powershell.exe Token: SeDebugPrivilege 1192 powershell.exe Token: SeDebugPrivilege 1772 powershell.exe Token: SeDebugPrivilege 1072 powershell.exe Token: SeDebugPrivilege 4460 powershell.exe Token: SeDebugPrivilege 1960 powershell.exe Token: SeDebugPrivilege 1504 powershell.exe Token: SeDebugPrivilege 4228 wininit.exe Token: SeDebugPrivilege 1344 powershell.exe Token: SeDebugPrivilege 4800 powershell.exe Token: SeDebugPrivilege 1496 powershell.exe Token: SeDebugPrivilege 1124 powershell.exe Token: SeDebugPrivilege 3524 powershell.exe Token: SeDebugPrivilege 2124 powershell.exe Token: SeDebugPrivilege 3928 powershell.exe Token: SeDebugPrivilege 3612 powershell.exe Token: SeDebugPrivilege 4224 powershell.exe Token: SeDebugPrivilege 3616 wininit.exe Token: SeDebugPrivilege 4056 wininit.exe Token: SeDebugPrivilege 2028 wininit.exe Token: SeDebugPrivilege 1968 wininit.exe Token: SeDebugPrivilege 2564 wininit.exe Token: SeDebugPrivilege 4900 wininit.exe Token: SeDebugPrivilege 1964 wininit.exe Token: SeDebugPrivilege 4776 wininit.exe Token: SeDebugPrivilege 1000 wininit.exe Token: SeDebugPrivilege 4008 wininit.exe Token: SeDebugPrivilege 1032 wininit.exe Token: SeDebugPrivilege 2564 wininit.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4732 wrote to memory of 2396 4732 JaffaCakes118_c507802eede7343e1b5f44f4a3e52b479f454b621b0803cf953aae1d972ebccb.exe 82 PID 4732 wrote to memory of 2396 4732 JaffaCakes118_c507802eede7343e1b5f44f4a3e52b479f454b621b0803cf953aae1d972ebccb.exe 82 PID 4732 wrote to memory of 2396 4732 JaffaCakes118_c507802eede7343e1b5f44f4a3e52b479f454b621b0803cf953aae1d972ebccb.exe 82 PID 2396 wrote to memory of 4428 2396 WScript.exe 83 PID 2396 wrote to memory of 4428 2396 WScript.exe 83 PID 2396 wrote to memory of 4428 2396 WScript.exe 83 PID 4428 wrote to memory of 4812 4428 cmd.exe 85 PID 4428 wrote to memory of 4812 4428 cmd.exe 85 PID 4812 wrote to memory of 3612 4812 DllCommonsvc.exe 135 PID 4812 wrote to memory of 3612 4812 DllCommonsvc.exe 135 PID 4812 wrote to memory of 1496 4812 DllCommonsvc.exe 136 PID 4812 wrote to memory of 1496 4812 DllCommonsvc.exe 136 PID 4812 wrote to memory of 4800 4812 DllCommonsvc.exe 137 PID 4812 wrote to memory of 4800 4812 DllCommonsvc.exe 137 PID 4812 wrote to memory of 2124 4812 DllCommonsvc.exe 138 PID 4812 wrote to memory of 2124 4812 DllCommonsvc.exe 138 PID 4812 wrote to memory of 4224 4812 DllCommonsvc.exe 139 PID 4812 wrote to memory of 4224 4812 DllCommonsvc.exe 139 PID 4812 wrote to memory of 1544 4812 DllCommonsvc.exe 140 PID 4812 wrote to memory of 1544 4812 DllCommonsvc.exe 140 PID 4812 wrote to memory of 1960 4812 DllCommonsvc.exe 141 PID 4812 wrote to memory of 1960 4812 DllCommonsvc.exe 141 PID 4812 wrote to memory of 3928 4812 DllCommonsvc.exe 142 PID 4812 wrote to memory of 3928 4812 DllCommonsvc.exe 142 PID 4812 wrote to memory of 3524 4812 DllCommonsvc.exe 143 PID 4812 wrote to memory of 3524 4812 DllCommonsvc.exe 143 PID 4812 wrote to memory of 1504 4812 DllCommonsvc.exe 144 PID 4812 wrote to memory of 1504 4812 DllCommonsvc.exe 144 PID 4812 wrote to memory of 1192 4812 DllCommonsvc.exe 145 PID 4812 wrote to memory of 1192 4812 DllCommonsvc.exe 145 PID 4812 wrote to memory of 1772 4812 DllCommonsvc.exe 146 PID 4812 wrote to memory of 1772 4812 DllCommonsvc.exe 146 PID 4812 wrote to memory of 1344 4812 DllCommonsvc.exe 147 PID 4812 wrote to memory of 1344 4812 DllCommonsvc.exe 147 PID 4812 wrote to memory of 1124 4812 DllCommonsvc.exe 148 PID 4812 wrote to memory of 1124 4812 DllCommonsvc.exe 148 PID 4812 wrote to memory of 1440 4812 DllCommonsvc.exe 149 PID 4812 wrote to memory of 1440 4812 DllCommonsvc.exe 149 PID 4812 wrote to memory of 1072 4812 DllCommonsvc.exe 150 PID 4812 wrote to memory of 1072 4812 DllCommonsvc.exe 150 PID 4812 wrote to memory of 4460 4812 DllCommonsvc.exe 151 PID 4812 wrote to memory of 4460 4812 DllCommonsvc.exe 151 PID 4812 wrote to memory of 4228 4812 DllCommonsvc.exe 169 PID 4812 wrote to memory of 4228 4812 DllCommonsvc.exe 169 PID 4228 wrote to memory of 3980 4228 wininit.exe 173 PID 4228 wrote to memory of 3980 4228 wininit.exe 173 PID 3980 wrote to memory of 2272 3980 cmd.exe 175 PID 3980 wrote to memory of 2272 3980 cmd.exe 175 PID 3980 wrote to memory of 3616 3980 cmd.exe 179 PID 3980 wrote to memory of 3616 3980 cmd.exe 179 PID 3616 wrote to memory of 3268 3616 wininit.exe 181 PID 3616 wrote to memory of 3268 3616 wininit.exe 181 PID 3268 wrote to memory of 4276 3268 cmd.exe 183 PID 3268 wrote to memory of 4276 3268 cmd.exe 183 PID 3268 wrote to memory of 4056 3268 cmd.exe 184 PID 3268 wrote to memory of 4056 3268 cmd.exe 184 PID 4056 wrote to memory of 2016 4056 wininit.exe 186 PID 4056 wrote to memory of 2016 4056 wininit.exe 186 PID 2016 wrote to memory of 2148 2016 cmd.exe 188 PID 2016 wrote to memory of 2148 2016 cmd.exe 188 PID 2016 wrote to memory of 2028 2016 cmd.exe 189 PID 2016 wrote to memory of 2028 2016 cmd.exe 189 PID 2028 wrote to memory of 4424 2028 wininit.exe 190 PID 2028 wrote to memory of 4424 2028 wininit.exe 190 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c507802eede7343e1b5f44f4a3e52b479f454b621b0803cf953aae1d972ebccb.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c507802eede7343e1b5f44f4a3e52b479f454b621b0803cf953aae1d972ebccb.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4732 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2396 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4428 -
C:\providercommon\DllCommonsvc.exe"C:\providercommon\DllCommonsvc.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4812 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3612
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\unsecapp.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1496
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\cmd.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4800
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\StartMenuExperienceHost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2124
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\it-IT\upfc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4224
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Media Player\en-US\RuntimeBroker.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1544
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\csrss.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1960
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\Accessories\en-US\csrss.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3928
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Registry.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3524
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\fr-FR\fontdrvhost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1504
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\LiveKernelReports\spoolsv.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1192
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\wininit.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1772
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\StartMenuExperienceHost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1344
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\Office16\sppsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1124
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\explorer.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1440
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\logs\sysmon.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1072
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\sppsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4460
-
-
C:\providercommon\wininit.exe"C:\providercommon\wininit.exe"5⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4228 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aJcBxrOCPY.bat"6⤵
- Suspicious use of WriteProcessMemory
PID:3980 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:27⤵PID:2272
-
-
C:\providercommon\wininit.exe"C:\providercommon\wininit.exe"7⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3616 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\p5ITN63wlJ.bat"8⤵
- Suspicious use of WriteProcessMemory
PID:3268 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:29⤵PID:4276
-
-
C:\providercommon\wininit.exe"C:\providercommon\wininit.exe"9⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4056 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZES4mQr7Bk.bat"10⤵
- Suspicious use of WriteProcessMemory
PID:2016 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:211⤵PID:2148
-
-
C:\providercommon\wininit.exe"C:\providercommon\wininit.exe"11⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2028 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Gozseo6rLH.bat"12⤵PID:4424
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:213⤵PID:2364
-
-
C:\providercommon\wininit.exe"C:\providercommon\wininit.exe"13⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1968 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4yKdveU0JJ.bat"14⤵PID:3348
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:215⤵PID:1400
-
-
C:\providercommon\wininit.exe"C:\providercommon\wininit.exe"15⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2564 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gMBHdlpNUB.bat"16⤵PID:3324
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:217⤵PID:2892
-
-
C:\providercommon\wininit.exe"C:\providercommon\wininit.exe"17⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4900 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XIQ15LoDrx.bat"18⤵PID:4756
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:219⤵PID:2312
-
-
C:\providercommon\wininit.exe"C:\providercommon\wininit.exe"19⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1964 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JbtrqXgYk1.bat"20⤵PID:3588
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:221⤵PID:4840
-
-
C:\providercommon\wininit.exe"C:\providercommon\wininit.exe"21⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4776 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0rnbwo7iYS.bat"22⤵PID:1492
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:223⤵PID:5100
-
-
C:\providercommon\wininit.exe"C:\providercommon\wininit.exe"23⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1000 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Jk1vLt9ke4.bat"24⤵PID:4056
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:225⤵PID:4664
-
-
C:\providercommon\wininit.exe"C:\providercommon\wininit.exe"25⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4008 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Gozseo6rLH.bat"26⤵PID:1732
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:227⤵PID:3640
-
-
C:\providercommon\wininit.exe"C:\providercommon\wininit.exe"27⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1032 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\12JaEZR6zX.bat"28⤵PID:1328
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:229⤵PID:4864
-
-
C:\providercommon\wininit.exe"C:\providercommon\wininit.exe"29⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2564 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qwBPskakqG.bat"30⤵PID:1772
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:231⤵PID:4152
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 6 /tr "'C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\unsecapp.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4808
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\unsecapp.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4192
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 14 /tr "'C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\unsecapp.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4208
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Program Files\MSBuild\cmd.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4300
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\MSBuild\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2144
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Program Files\MSBuild\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:864
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\StartMenuExperienceHost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3436
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Users\Default User\StartMenuExperienceHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4868
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\StartMenuExperienceHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2816
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfcu" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\upfc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4724
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\upfc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4512
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfcu" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\upfc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4012
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Media Player\en-US\RuntimeBroker.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5104
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\en-US\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4264
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Media Player\en-US\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:816
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2120
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1692
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3240
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1112
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2560
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2620
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 5 /tr "'C:\Windows\Microsoft.NET\Registry.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1492
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Windows\Microsoft.NET\Registry.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:792
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 14 /tr "'C:\Windows\Microsoft.NET\Registry.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:324
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Windows\fr-FR\fontdrvhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3032
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\fr-FR\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4952
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Windows\fr-FR\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1144
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Windows\LiveKernelReports\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3084
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\LiveKernelReports\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3104
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Windows\LiveKernelReports\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1580
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\providercommon\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4200
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\providercommon\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2568
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\providercommon\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2536
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 10 /tr "'C:\providercommon\StartMenuExperienceHost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1172
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\providercommon\StartMenuExperienceHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4036
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 11 /tr "'C:\providercommon\StartMenuExperienceHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:432
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Program Files\Microsoft Office\Office16\sppsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4628
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office16\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:400
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Program Files\Microsoft Office\Office16\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3756
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\explorer.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:316
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\All Users\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4508
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3520
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmons" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\sysmon.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2884
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\sysmon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3588
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmons" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\sysmon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3580
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\providercommon\sppsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2008
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2148
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4444
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
1KB
MD5baf55b95da4a601229647f25dad12878
SHA1abc16954ebfd213733c4493fc1910164d825cac8
SHA256ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924
SHA51224f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545
-
Filesize
944B
MD577d622bb1a5b250869a3238b9bc1402b
SHA1d47f4003c2554b9dfc4c16f22460b331886b191b
SHA256f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb
SHA512d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9
-
Filesize
944B
MD562623d22bd9e037191765d5083ce16a3
SHA14a07da6872672f715a4780513d95ed8ddeefd259
SHA25695d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010
SHA5129a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992
-
Filesize
944B
MD5a8e8360d573a4ff072dcc6f09d992c88
SHA13446774433ceaf0b400073914facab11b98b6807
SHA256bf5e284e8f95122bf75ead61c7e2b40f55c96742b05330b5b1cb7915991df13b
SHA5124ee5167643d82082f57c42616007ef9be57f43f9731921bdf7bca611a914724ad94072d3c8f5b130fa54129e5328ccdebf37ba74339c37deb53e79df5cdf0dbe
-
Filesize
944B
MD5bd5940f08d0be56e65e5f2aaf47c538e
SHA1d7e31b87866e5e383ab5499da64aba50f03e8443
SHA2562d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6
SHA512c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406
-
Filesize
944B
MD53a6bad9528f8e23fb5c77fbd81fa28e8
SHA1f127317c3bc6407f536c0f0600dcbcf1aabfba36
SHA256986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05
SHA512846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2
-
Filesize
944B
MD559d97011e091004eaffb9816aa0b9abd
SHA11602a56b01dd4b7c577ca27d3117e4bcc1aa657b
SHA25618f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d
SHA512d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6
-
Filesize
944B
MD55f0ddc7f3691c81ee14d17b419ba220d
SHA1f0ef5fde8bab9d17c0b47137e014c91be888ee53
SHA256a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5
SHA5122ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3
-
Filesize
194B
MD530398b1d2eb2f75b81859679eb1fcb08
SHA199986b47f57b16c1c94f4c44cb480137505c33d1
SHA25663ddb68fef365b0d6220769ebb49a04e28948f57700eaa14a1aa33e35287e210
SHA512b265f762403dabe559ae145120ca652910025be509d135091a7ea1c674810e7cc9c795ca17a29181c21ba3623f650f3d2d237f5424503a9b7ea4e44d146041e3
-
Filesize
194B
MD5a39c049131a4f4f60d356b239490e19a
SHA17f4bb3a79d5de0e2efab9b7e7a8a45353253497e
SHA2566be3510e4a82c5f3cb6d7f4177c8dca573d996b6cfd57e2cf327f2cc0a204e52
SHA51231126515c19b495cc9e62b467e6467af41e1a86d4fc73219a887615c7e30bd397036db13d0d13a47e7b3f888846e08fb70c80242d6c3ab388242623996322489
-
Filesize
194B
MD506c49d90abb466787487347f4cdbc25c
SHA17809bac3afb77e1e09043993c78a76183c1428ad
SHA256211ebd96f1fadb6027d6da7d8d6e48a77d70745f69a68bc20ca3d7f892d9a2e1
SHA51219a9666890c0161e1c2977f0b7ecf8bd4765410b2020d356282e15cf5138e46e5347189c41aeea91ba83526403fbfa18f439023f9170e6659316bece950107f4
-
Filesize
194B
MD50a0be8595e7f677f187fcd565d11017c
SHA189df83231dac5f28aa632ef35a34a552bc521072
SHA256e9e8325b2a949d51d97a64d0e21ae095771150db8ad83355445994f53b896c30
SHA5127e26783b29e8e689ab3393329401e64be3499efd5750915907064e554996af332eccf0e678388be41f46a5f180bfa186c82d693912112b4b5d617934f8233a42
-
Filesize
194B
MD56ab84b01a3e286e0e7b7dec16971ac34
SHA158da3a0d70cc8ffc51bdeaf6b2c74f15ae599247
SHA256c3a6d39b34d2ee4cc9c613ca675524993a2d90f671c0402ef945c8195444bb43
SHA512e1654e7ebb4d4333d5218bf94df4afd0f9b566be767d6c21d6ed84fb0443ff2e654c61eb95bb2f58dbb0095422d5cc608e5b39605379c508613c874a94d754a9
-
Filesize
194B
MD5f479a2dd5f7532ab56c103070f142f79
SHA1e67c5dcaa459c7365f0d8588634e671ab70a788d
SHA256056b6a17195ee132de10217f2cd8ff24f8ef6e9d74ff6b6fdb75e36cc4178d4f
SHA51278c2b48856e859a989e518b14ec03e6de870cd7414b9493f75d1021875c60d47ed4706dcf7b6ad97a4601341faf1d9f8a1b86d071ffe648ae96a3be497693491
-
Filesize
194B
MD5cda53cc391882e4e715e80ec4ee337b5
SHA1fb535c9853ffaff9049575490aa0d2b1cd0c85dc
SHA256d6f688609050e2c8ab5db97d501bea06c26f43eff910db6a0d7f8652d098034a
SHA512975cc32b65352f0fa373b4e43da0ea6f7e8a7fcafd37c4cce37688dd2ffc854bc8c08ddb44dfa30a5d041cb8eabee271efd11a4ed8ad5144c2595e8a9669be8b
-
Filesize
194B
MD590237db909bbed7648288c362c92eee2
SHA10e3b8b97aa9afaf351a061967939183a639ede41
SHA2569c0ab80f41f52df8b57d317645d1cd35f6ede64b1c5dc5f7cb547349f28ff587
SHA5120687b83f47544aa9e325a62b9c7c481abfb67e0173960fecc4baf02ad1e01bf862a019e0a3a0bf86b78d3d01d511210534cbc9496d555b2660de544c375aa3fd
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
194B
MD5f700db4d55f4ea865841097b89868bc0
SHA1954f84c0dda836211868a348cf09298f451fa0a8
SHA2568e62861e5271bae7b81f0fec0a28e5e6f628cdcfebc0077f2a2ff7c761dbac6d
SHA512ef3afb55ef760de86ff64fba4390792555ce10f604b21004fbb4f90f13e8d35f9a5cd2709ef721698404e9ac49f3432cd255476946858b8e2b67efd78ab982f0
-
Filesize
194B
MD5cf67aba28560ddf0d9a378eb2c4e3db7
SHA1d82a478e64e1d4d1e6f458163d32ddcab7f6c483
SHA2564bb4813694e9e3a10327154d578be2615c990f983d33970a5fc1a681ea4eb0b6
SHA512b3bdd42412f33996ccc8e2e29cf37207fbf2a0a268be0d63235e1c9ede55a7461050986f45385467773f7ad1799044945af09c915dcf69a97978b327aa7600f7
-
Filesize
194B
MD52f2217f8e2016217ef4ac792a503caaa
SHA1c3849f7f3f8d9cbed150947bb64f56fe474daac1
SHA256490f22dfd2e963c32736341f87ceb289c91d947ca8a1ee404c35090d2d418b6f
SHA51223a7383c0f7c693af9f6b2a6e4dcabaf23e79a5ebffcd96667c8903d3fe7ddc5d365b1f6a733925b7b610a3ad27c96537e755d1f6ffec353c130183657f30d28
-
Filesize
194B
MD5c03135d38182691bb4ca05586a74c9af
SHA19594ff54ce3187c728979d6df3de8d95fcfb9a9a
SHA25638cd1c62c25c106236b3f19f10f4a1e8ef910657f7022c447e4c77a814ab6ea1
SHA512cb58dbc883525528a96e7badcd29879d0974c1971f63eb9267f6405c5d8a8fe15af9ca5ff40f0ebedd48230f79176ffe309b06bbee237f73760b04819671022f
-
Filesize
36B
MD56783c3ee07c7d151ceac57f1f9c8bed7
SHA117468f98f95bf504cc1f83c49e49a78526b3ea03
SHA2568ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8
-
Filesize
1.0MB
MD5bd31e94b4143c4ce49c17d3af46bcad0
SHA1f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
Filesize
197B
MD58088241160261560a02c84025d107592
SHA1083121f7027557570994c9fc211df61730455bb5
SHA2562072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA51220d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478