Analysis

max time kernel: 140s
max time network: 135s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 21-12-2024 22:09

Behavioral task: behavioral1
Sample: JaffaCakes118_4a441acbc6938d558bb14dcd5564fcfb072e244212568fdd296e29360762d6f2.exe
Resource: win7-20240708-en

Behavioral task: behavioral2
Sample: JaffaCakes118_4a441acbc6938d558bb14dcd5564fcfb072e244212568fdd296e29360762d6f2.exe
Resource: win10v2004-20241007-en

General

Target: JaffaCakes118_4a441acbc6938d558bb14dcd5564fcfb072e244212568fdd296e29360762d6f2.exe
Size: 1.3MB
MD5: c7bbd5087c94e8178566f9c4071a67d6
SHA1: 34b9277595aa49dd6354304b334d0fb6076916c1
SHA256: 4a441acbc6938d558bb14dcd5564fcfb072e244212568fdd296e29360762d6f2
SHA512: b41c5a5bd613eb4976702c5abc8c12518c09fa84c2c95b87dc4a09762e69616d6cc96c4254fed2be50449d911da82455c2058894146310a1551ab7e9b1b848e9
SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
DcRat
DarkCrystal (DC) is a new .NET RAT active since June 2019 that is capable of loading additional plugins.

Dcrat family
Process spawned unexpected child process 57 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description  pid  pid_target  Process  procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2708  2716  schtasks.exe  34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2624  2716  schtasks.exe  34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2616  2716  schtasks.exe  34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2636  2716  schtasks.exe  34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2592  2716  schtasks.exe  34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2608  2716  schtasks.exe  34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2168  2716  schtasks.exe  34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2476  2716  schtasks.exe  34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  836   2716  schtasks.exe  34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2908  2716  schtasks.exe  34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2968  2716  schtasks.exe  34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  1936  2716  schtasks.exe  34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2932  2716  schtasks.exe  34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2944  2716  schtasks.exe  34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  1516  2716  schtasks.exe  34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  1992  2716  schtasks.exe  34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2948  2716  schtasks.exe  34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  688   2716  schtasks.exe  34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  608   2716  schtasks.exe  34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  1904  2716  schtasks.exe  34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  1788  2716  schtasks.exe  34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2056  2716  schtasks.exe  34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2436  2716  schtasks.exe  34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2144  2716  schtasks.exe  34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  572   2716  schtasks.exe  34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  1796  2716  schtasks.exe  34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2540  2716  schtasks.exe  34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  1144  2716  schtasks.exe  34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2124  2716  schtasks.exe  34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  908   2716  schtasks.exe  34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2064  2716  schtasks.exe  34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  1924  2716  schtasks.exe  34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  1352  2716  schtasks.exe  34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2132  2716  schtasks.exe  34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  828   2716  schtasks.exe  34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  1764  2716  schtasks.exe  34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2360  2716  schtasks.exe  34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  1656  2716  schtasks.exe  34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  900   2716  schtasks.exe  34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2292  2716  schtasks.exe  34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  1636  2716  schtasks.exe  34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2268  2716  schtasks.exe  34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  1512  2716  schtasks.exe  34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  1092  2716  schtasks.exe  34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2240  2716  schtasks.exe  34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  1956  2716  schtasks.exe  34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  1500  2716  schtasks.exe  34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2052  2716  schtasks.exe  34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2000  2716  schtasks.exe  34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  1612  2716  schtasks.exe  34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  1856  2716  schtasks.exe  34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  1452  2716  schtasks.exe  34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  1844  2716  schtasks.exe  34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2520  2716  schtasks.exe  34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2184  2716  schtasks.exe  34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2744  2716  schtasks.exe  34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2792  2716  schtasks.exe  34
resource  yara_rule
behavioral1/files/0x0009000000016ca5-10.dat  dcrat
behavioral1/memory/2460-13-0x0000000000C70000-0x0000000000D80000-memory.dmp  dcrat
behavioral1/memory/1924-148-0x0000000000130000-0x0000000000240000-memory.dmp  dcrat
behavioral1/memory/1604-222-0x0000000000940000-0x0000000000A50000-memory.dmp  dcrat
behavioral1/memory/2872-282-0x00000000011B0000-0x00000000012C0000-memory.dmp  dcrat
behavioral1/memory/1644-521-0x00000000013C0000-0x00000000014D0000-memory.dmp  dcrat
behavioral1/memory/2536-581-0x0000000000220000-0x0000000000330000-memory.dmp  dcrat
behavioral1/memory/1936-641-0x0000000001070000-0x0000000001180000-memory.dmp  dcrat
Command and Scripting Interpreter: PowerShell 1 TTPs 20 IoCs
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths and processes.
pid   Process
2624  powershell.exe
2764  powershell.exe
2972  powershell.exe
1724  powershell.exe
2476  powershell.exe
2440  powershell.exe
2920  powershell.exe
2928  powershell.exe
2600  powershell.exe
2728  powershell.exe
2924  powershell.exe
2704  powershell.exe
2884  powershell.exe
2708  powershell.exe
2980  powershell.exe
2160  powershell.exe
2868  powershell.exe
2168  powershell.exe
2964  powershell.exe
2712  powershell.exe
Executes dropped EXE 11 IoCs
pid   Process
2460  DllCommonsvc.exe
1924  lsass.exe
1604  lsass.exe
2872  lsass.exe
372   lsass.exe
2388  lsass.exe
2840  lsass.exe
1644  lsass.exe
2536  lsass.exe
1936  lsass.exe
1992  lsass.exe
Loads dropped DLL 2 IoCs
pid   Process
2780  cmd.exe
2780  cmd.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs
flow  ioc
27    raw.githubusercontent.com
34    raw.githubusercontent.com
4     raw.githubusercontent.com
5     raw.githubusercontent.com
9     raw.githubusercontent.com
16    raw.githubusercontent.com
20    raw.githubusercontent.com
12    raw.githubusercontent.com
23    raw.githubusercontent.com
30    raw.githubusercontent.com
Drops file in Program Files directory 6 IoCs
description   ioc                                                                                   Process
File created  C:\Program Files\Java\jre7\lib\amd64\explorer.exe                                     DllCommonsvc.exe
File created  C:\Program Files\Java\jre7\lib\amd64\7a0fd90576e088                                   DllCommonsvc.exe
File created  C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\csrss.exe      DllCommonsvc.exe
File created  C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\886983d96e3d3e DllCommonsvc.exe
File created  C:\Program Files (x86)\Windows Photo Viewer\de-DE\audiodg.exe                          DllCommonsvc.exe
File created  C:\Program Files (x86)\Windows Photo Viewer\de-DE\42af1c969fbb7b                       DllCommonsvc.exe
Drops file in Windows directory 8 IoCs
description   ioc                                                   Process
File created  C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\a76d7bf15d8370   DllCommonsvc.exe
File created  C:\Windows\Branding\ShellBrd\OSPPSVC.exe              DllCommonsvc.exe
File created  C:\Windows\Branding\ShellBrd\1610b97d3ab4a7           DllCommonsvc.exe
File created  C:\Windows\Setup\State\WmiPrvSE.exe                   DllCommonsvc.exe
File created  C:\Windows\Setup\State\24dbde2999530e                 DllCommonsvc.exe
File created  C:\Windows\Speech\dllhost.exe                         DllCommonsvc.exe
File created  C:\Windows\Speech\5940a34987c991                      DllCommonsvc.exe
File created  C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\DllCommonsvc.exe DllCommonsvc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                          Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  JaffaCakes118_4a441acbc6938d558bb14dcd5564fcfb072e244212568fdd296e29360762d6f2.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  WScript.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 57 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious behavior: EnumeratesProcesses 33 IoCs
Suspicious use of AdjustPrivilegeToken 31 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

Depth 1: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4a441acbc6938d558bb14dcd5564fcfb072e244212568fdd296e29360762d6f2.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4a441acbc6938d558bb14dcd5564fcfb072e244212568fdd296e29360762d6f2.exe"
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 1952

Depth 2: C:\Windows\SysWOW64\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 2352

Depth 3: C:\Windows\SysWOW64\cmd.exe
Command line: cmd /c ""C:\providercommon\1zu9dW.bat" "
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 2780

Depth 4: C:\providercommon\DllCommonsvc.exe
Command line: "C:\providercommon\DllCommonsvc.exe"
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 2460

Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2964
Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\System.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2764

Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Branding\ShellBrd\OSPPSVC.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2728

Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\jre7\lib\amd64\explorer.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2600

Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\cmd.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2712

Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\lsass.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2972

Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Pictures\System.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2624

Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Favorites\System.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2924

Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\wininit.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2928

Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\csrss.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2980

Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Setup\State\WmiPrvSE.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2708

Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\audiodg.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2884

Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dwm.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2704

Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\spoolsv.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2920

Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\wininit.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2440

Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Speech\dllhost.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2168

Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Photo Viewer\de-DE\audiodg.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2868

Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\explorer.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2160

Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\DllCommonsvc.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2476

Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\wininit.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1724
Depth 5: C:\providercommon\lsass.exe
Command line: "C:\providercommon\lsass.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1924

Depth 6: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3EiKDvRnKw.bat"
PID: 2288

Depth 7: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 1724

Depth 7: C:\providercommon\lsass.exe
Command line: "C:\providercommon\lsass.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1604

Depth 8: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\O1BWw2qr2X.bat"
PID: 1748

Depth 9: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 1624

Depth 9: C:\providercommon\lsass.exe
Command line: "C:\providercommon\lsass.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2872

Depth 10: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6uMgbjYtd5.bat"
PID: 2460

Depth 11: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 2504

Depth 11: C:\providercommon\lsass.exe
Command line: "C:\providercommon\lsass.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 372

Depth 12: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3gUlVaPHfz.bat"
PID: 2800

Depth 13: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 2368

Depth 13: C:\providercommon\lsass.exe
Command line: "C:\providercommon\lsass.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2388

Depth 14: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cLz7lFEPwa.bat"
PID: 1988

Depth 15: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 2732

Depth 15: C:\providercommon\lsass.exe
Command line: "C:\providercommon\lsass.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2840

Depth 16: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jBrSCX6wbi.bat"
PID: 2984

Depth 17: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 2636

Depth 17: C:\providercommon\lsass.exe
Command line: "C:\providercommon\lsass.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1644

Depth 18: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eUivgxqvfs.bat"
PID: 2988

Depth 19: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 1400

Depth 19: C:\providercommon\lsass.exe
Command line: "C:\providercommon\lsass.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2536

Depth 20: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FBiR4PpyYA.bat"
PID: 3016

Depth 21: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 2576

Depth 21: C:\providercommon\lsass.exe
Command line: "C:\providercommon\lsass.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1936

Depth 22: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nDq7RH5Uwz.bat"
PID: 1308

Depth 23: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 3032

Depth 23: C:\providercommon\lsass.exe
Command line: "C:\providercommon\lsass.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1992
Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\System.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2708

Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2624

Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2616

Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\Windows\Branding\ShellBrd\OSPPSVC.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2636

Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Windows\Branding\ShellBrd\OSPPSVC.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2592

Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\Windows\Branding\ShellBrd\OSPPSVC.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2608

Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Program Files\Java\jre7\lib\amd64\explorer.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2168

Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Java\jre7\lib\amd64\explorer.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2476

Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Program Files\Java\jre7\lib\amd64\explorer.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 836

Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\cmd.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2908

Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\MSOCache\All Users\cmd.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2968

Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\cmd.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 1936

Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\providercommon\lsass.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2932

Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2944

Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 1516

Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Pictures\System.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 1992

Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Admin\Pictures\System.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2948

Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Pictures\System.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:688
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Favorites\System.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:608
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Admin\Favorites\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1904
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Favorites\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1788
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\AppData\Local\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2056
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2436
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\AppData\Local\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2144
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:572
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1796
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2540
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Windows\Setup\State\WmiPrvSE.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1144
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\Setup\State\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2124
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Windows\Setup\State\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:908
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\audiodg.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2064
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1924
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1352
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\providercommon\dwm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2132
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:828
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1764
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\providercommon\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2360
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1656
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:900
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2292
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1636
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2268
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Windows\Speech\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1512
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Speech\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1092
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Windows\Speech\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2240
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\audiodg.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1956
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1500
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2052
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\providercommon\explorer.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2000
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1612
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1856
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 9 /tr "'C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\DllCommonsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1452
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\DllCommonsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1844
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 10 /tr "'C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\DllCommonsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2520
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2184
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2744
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2792
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B
MD5
042849e1307ad1d27604a2fb1fd4a14f
SHA1
b9594dbe467cb6c17112beb71cbb67d161e76ee3
SHA256
3de0656ccda2b8c4d428647097d3c6f967812b80ed888f80b3d0d4a633601dd6
SHA512
0007ba05c4de2440821a144e233f240e42c7e36e57238a9b3081ec7b4b8ec9abc04773d264aad55a4e4d6c8b61fd7431edbb9975b12286a74bd1e92b3f2d4dfa
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B
MD5
1e9915ed1f4f686caaf3f194a39c7794
SHA1
6f1782f258a3444a37096d34ced791158848fc4e
SHA256
b3d2d6b16266cdd5c682a10c0a8beeb9038133ab86c9a9a9cbbf513958dce03d
SHA512
a4f111e52e5a181bf7987671491d281ce3020c62893dc5336ff21929feea077106bfcda8dc7d0559a51cac367a9017cc6c9fe094291dc2e2c4364495e3993a2e
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B
MD5
cfd45b337f7791688a5d9c87966d1f14
SHA1
04257b15eb0ebb21b994dac11b29aac2618a53f0
SHA256
eb6349c0ff92cc98d5f89e3aae4866c99862836334ddafcbf4222ab67fb29b2a
SHA512
8d466035bf53f4243fa55bb6871903acdbb6959b52b6b259e82db08d0115905fb5a76a3f637a6740d71131bc9418dddf5f3e6d98e285c94556386bf0533ae5b0
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B
MD5
ebb1991db2aa2097892e9918516004da
SHA1
0391d1aba78602db1ebdda2e89223628b3f31bef
SHA256
8ae5916c34c7661330826c556f25a544997d9b50b85dc3bb8e78f84f83ac9083
SHA512
69313fea0d833ad082ce074f2a2648bfeb053beba955b2bb5d61ff5ceeda3516518574e8b313c9e9a2a1ea9775bcc690b200e3017f8bea1665c544d9a11c2665
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B
MD5
2d54a1dc145bc12890a58b09c8a1bd54
SHA1
7da9b2d96032fffa7474b0e6c4da0c099f037700
SHA256
4a3344bbbd8143b00ac7bde3b1c45ad53946bba4a0aea94dd770e439a6aae87e
SHA512
6a418742ab2269b6e8a4bb1ec72dc8cd414132feee90558ea055885220c6610592897ffc8760487841aa595358e1819955742089591b13d325882296dcd17942
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B
MD5
588f94325dcf121e83f0aaa271f8d73b
SHA1
3ace4ead4808cfa232b19165ab05cc4303f350c4
SHA256
f7eefc809d4857a0392f18abd51f9a80118a25f6059bfd60b2c8fdf5671dcc49
SHA512
914ab5fe3a0bfa997c1b57991621af12b7948360147f888e255210bc6d00327207a39ddc09b1e02def9b0446c4322301aa076e912ddbf2210bdaf0a2d9933158
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B
MD5
8204f69c2fe9c61fecff7899a27bf911
SHA1
667171e0569bfa618480ca0380950fa68f647ca5
SHA256
74e899fdb95cd3576ff21670d39a6754c6178a666602b95ce524f8bfb6d6e770
SHA512
42c692eb3834c0120b2b419e959b680dd16797f9421079cc0e4a807805a48d10cb50c6af3d1446fa83d110789f085af1031aa592596eccf59d7e11baed0642c7
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B
MD5
290e30b680459d112fc2abecf4e13dfd
SHA1
7e92f5e2ba02afe79aa76672cbe5c47d8dec3f4b
SHA256
a17a0a4d9cb9760037765c5ee19a05d24994e04182039fac3d20d8eb66db707f
SHA512
0afae3f6d4049c356e83f52ff72d83eadb456eda20dee19ef3dbcf11cc87c0ca4833945eb7f914ba9ba608af981e7e30a8d17f9adcd078d9679384ba69c677e6
-
Filesize
192B
MD5
5f75ba8c84f26a76deb3d72e1a71dd7e
SHA1
c02691e7cf90da645579b1eeaba2d15b33ecb1c1
SHA256
da34809485996759135f5ce665454079a28de59a591d18de5d5bcc1b7d75cdf0
SHA512
c7fdda90eed7a79ee5af23e203d56d194a84d38504aa520bd89396beffad8443a05f6a14976da269063c9a7f0be2f3e7eef4dd57a7877f1dd46caa9a80f0cb1f
-
Filesize
192B
MD5
46511a98dc62713c28a84f6f33d1463a
SHA1
89a6d9e11f63a293fd3fc24d72c0f5bf8612de2a
SHA256
5197c85cba7c0f4408e140f4df6b5965ac15d94f4ae8a1ac4f727aa70d37b7cf
SHA512
9776dded706da99dde05cc24365202e0152550d0599212bec11fc49986b65ba2da9182e39c83f2292a27e4f0dd44cc62f77cc7281a4da403db7ed9db09211a25
-
Filesize
192B
MD5
b81fe5ac25b49a7d80a64dfe51a55b14
SHA1
7091473a97910af0273c4f66fcb725ef37ff3fd4
SHA256
14ccb594c9d293bd03ab7cdff9227dcf17cf1ccd268bdea4b71f9aa35f893e14
SHA512
79adc1e8930435dd37805ba94397a593bb8cccf02ce7bbc683b33238713907b7f3b6b806e99ab6d49d89098b8e19cb24a26066bf0d7865bf366b36aec56ca6ce
-
Filesize
70KB
MD5
49aebf8cbd62d92ac215b2923fb1b9f5
SHA1
1723be06719828dda65ad804298d0431f6aff976
SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
192B
MD5
050bbe5ae7f96646dde1250c58131007
SHA1
c26490098fb86043e69ba3dd5920d780e0c681fc
SHA256
1eb6dcee6584df4d805e481efb5e033ff26c269d35d770b9d6861ae4915fef9a
SHA512
dc456f6b2cf6d9ad56154d404bd68439c876af906a37140f433cf574719fa8b495608283ba53fcb3317c3d18745d0f8c9adbe769d0849965dbb0b15ffe55ebd3
-
Filesize
192B
MD5
53e2fa35744e966bf959e7d2e5f88a10
SHA1
3a1ba8a0900efefadc123c94674acf9c91de8bdf
SHA256
c6f06849d26964c66a06595304d46325a07354f6a4c973971a269c3d2dcae2ac
SHA512
7d7ec56fde547f5302f4b62a52c52aa1571c08b2b5311065b7dd8864c0ad30afbac55bb816c21a1fd80dd76c9aaa62bc5719ca94208214248e61f512a4876418
-
Filesize
181KB
MD5
4ea6026cf93ec6338144661bf1202cd1
SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
192B
MD5
ffdaaa4bb120857eaebcab524589adcc
SHA1
02ef8bf83fc7344f96a6ce11e708a75dbd2b0f29
SHA256
e7c3b6a76db7932ea4059d074cd09a0e16a3d220146676273bcf2f9c5490eca2
SHA512
1162605054e382044b7680e992e25d6cf6e8e846b9a8f013dd80b527e1b67951a0a9b3bb9e1107fe1641c0480a7f7d3e8a9f472ff581f46f924851b08eac0e16
-
Filesize
192B
MD5
7362edfdffeca029b1f5bde58b3e7cff
SHA1
56a7abf1896a3de57c3fc4ec949c82f4607efdc7
SHA256
604b35f642685d5cf3a4b412da8bbae368d343a31c4d26be991e7d2691f78fe7
SHA512
8a7a683014844f895acfdc32eae14a051ee74a34370e5c5f383f83e4e4cc08d48b7f1473f5ab06c60c9d40fea0d2bbfbd9f02d800e58b33a34c43f44ef6a3145
-
Filesize
192B
MD5
236f693cc524f66b62d0ac69d02955c0
SHA1
82a6efe2cd89091a0660486d2de24b0b5cb1543d
SHA256
7e60629f2044e8af809136b7b7a13fc00ca7972b89c48c2b1ec85abadfea4286
SHA512
edf3387457fe8521cff23e9dcf94599c6a505745175e785057fc6d669d93330bd0021bbfc0682ebf9d7f87da2fd7335bc36a31d8657c79fc418aa7a910fb97ef
-
Filesize
192B
MD5
daee8edde521b11e5abae80b13cc9087
SHA1
163bb5542ab7378c936b7b0a57de9fbbfcb94f94
SHA256
77e853a09b4f885f015501fbc5fdfd4f11255a4db5f195101198f76f30185279
SHA512
e7770f0662ddae2f4d6cbcac8656c585a8ccae1f529be33bf49a91931cc85509fc79f26a1559d4a1ce5f5a032a21bd77016329871e814b2b2129cc4e750c99d4
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB
MD5
3e4fddcb958b107b07c384fb45efef2b
SHA1
abacb3ed77417c81ecf0504f2e028ee51553a977
SHA256
13c92b21e33c62b4d073974917ace98acbf472700bc56644b8cdada5a945bf66
SHA512
6d2059b5ae31d16d77686f4a52b9efe43d391a08f1517e7f8e70eafbfb3e404874f4a5342a7824fc5f3ac135d7883ee9c12d08eec6f3f21386b696c678fec54c
-
Filesize
36B
MD5
6783c3ee07c7d151ceac57f1f9c8bed7
SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03
SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8
-
Filesize
1.0MB
MD5
bd31e94b4143c4ce49c17d3af46bcad0
SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
Filesize
197B
MD5
8088241160261560a02c84025d107592
SHA1
083121f7027557570994c9fc211df61730455bb5
SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478