Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
21-12-2024 22:19
Behavioral task
behavioral1
Sample
JaffaCakes118_b87080c7ac76bf20ac679f60a1d679cc6452dda8915718698e20136c2e24a607.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
JaffaCakes118_b87080c7ac76bf20ac679f60a1d679cc6452dda8915718698e20136c2e24a607.exe
Resource
win10v2004-20241007-en
General
-
Target
JaffaCakes118_b87080c7ac76bf20ac679f60a1d679cc6452dda8915718698e20136c2e24a607.exe
-
Size
1.3MB
-
MD5
d85f6f525a9b82318104a50c1935466d
-
SHA1
fafbe296bedb77ff61a43d9ab8b5ff691ebc2d3d
-
SHA256
b87080c7ac76bf20ac679f60a1d679cc6452dda8915718698e20136c2e24a607
-
SHA512
269dcb3e522bdca3d8e52b07fe299aa4f13d2de8e9e174785b7a89e6c0c6a556e35bececae940776295d8e7d8086d5419dd1e13d3cdc5e469815861eea2c8a25
-
SSDEEP
24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 64 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 292 600 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 576 600 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1992 600 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1532 600 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2072 600 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2560 600 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3016 600 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2932 600 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2952 600 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2868 600 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2944 600 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2976 600 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1836 600 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2956 600 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2716 600 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 816 600 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2436 600 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2512 600 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1152 600 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2316 600 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1948 600 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2448 600 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2484 600 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2216 600 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2292 600 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2488 600 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1348 600 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 108 600 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 448 600 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3044 600 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1492 600 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 984 600 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1356 600 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2208 600 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2020 600 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1648 600 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1192 600 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1756 600 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 936 600 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1792 600 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1812 600 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2532 600 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2908 600 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1688 600 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2064 600 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2228 600 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1528 600 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2916 600 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1588 600 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1624 600 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2880 600 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2768 600 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2808 600 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2328 600 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 964 600 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2880 600 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2404 600 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 772 600 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2532 600 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2744 600 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2228 600 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2772 600 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 844 600 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3064 600 schtasks.exe 34 -
resource yara_rule behavioral1/files/0x0008000000015e48-9.dat dcrat behavioral1/memory/2616-13-0x0000000000A60000-0x0000000000B70000-memory.dmp dcrat behavioral1/memory/3036-156-0x0000000000B70000-0x0000000000C80000-memory.dmp dcrat behavioral1/memory/1624-278-0x00000000011C0000-0x00000000012D0000-memory.dmp dcrat behavioral1/memory/1664-456-0x00000000012E0000-0x00000000013F0000-memory.dmp dcrat behavioral1/memory/2772-516-0x0000000000120000-0x0000000000230000-memory.dmp dcrat behavioral1/memory/2732-576-0x00000000011E0000-0x00000000012F0000-memory.dmp dcrat behavioral1/memory/2988-635-0x0000000000220000-0x0000000000330000-memory.dmp dcrat behavioral1/memory/2724-692-0x0000000000E60000-0x0000000000F70000-memory.dmp dcrat behavioral1/memory/1348-749-0x0000000000FA0000-0x00000000010B0000-memory.dmp dcrat -
Command and Scripting Interpreter: PowerShell 1 TTPs 35 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 2944 powershell.exe 1992 powershell.exe 2968 powershell.exe 1504 powershell.exe 2132 powershell.exe 536 powershell.exe 1504 powershell.exe 2516 powershell.exe 2956 powershell.exe 2616 powershell.exe 2364 powershell.exe 2192 powershell.exe 1660 powershell.exe 884 powershell.exe 2324 powershell.exe 3056 powershell.exe 1972 powershell.exe 2560 powershell.exe 2412 powershell.exe 572 powershell.exe 912 powershell.exe 1076 powershell.exe 2664 powershell.exe 2000 powershell.exe 2600 powershell.exe 2928 powershell.exe 2296 powershell.exe 1808 powershell.exe 2636 powershell.exe 1088 powershell.exe 2832 powershell.exe 2136 powershell.exe 2448 powershell.exe 2808 powershell.exe 528 powershell.exe -
Executes dropped EXE 12 IoCs
pid Process 2616 DllCommonsvc.exe 3036 DllCommonsvc.exe 1624 winlogon.exe 2672 winlogon.exe 2756 winlogon.exe 1664 winlogon.exe 2772 winlogon.exe 2732 winlogon.exe 2988 winlogon.exe 2724 winlogon.exe 1348 winlogon.exe 3000 winlogon.exe -
Loads dropped DLL 2 IoCs
pid Process 2732 cmd.exe 2732 cmd.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs
flow ioc 4 raw.githubusercontent.com 5 raw.githubusercontent.com 9 raw.githubusercontent.com 12 raw.githubusercontent.com 25 raw.githubusercontent.com 35 raw.githubusercontent.com 16 raw.githubusercontent.com 19 raw.githubusercontent.com 22 raw.githubusercontent.com 29 raw.githubusercontent.com 32 raw.githubusercontent.com -
Drops file in Program Files directory 18 IoCs
description ioc Process File created C:\Program Files\Mozilla Firefox\uninstall\6cb0b6c459d5d3 DllCommonsvc.exe File created C:\Program Files (x86)\Windows Photo Viewer\it-IT\7a0fd90576e088 DllCommonsvc.exe File created C:\Program Files\Windows Media Player\fr-FR\6cb0b6c459d5d3 DllCommonsvc.exe File created C:\Program Files\Reference Assemblies\Microsoft\Framework\smss.exe DllCommonsvc.exe File created C:\Program Files\Uninstall Information\cc11b995f2a76d DllCommonsvc.exe File created C:\Program Files\Uninstall Information\Idle.exe DllCommonsvc.exe File created C:\Program Files\Reference Assemblies\Microsoft\Framework\69ddcba757bf72 DllCommonsvc.exe File created C:\Program Files (x86)\Windows Mail\de-DE\0a1fd5f707cd16 DllCommonsvc.exe File created C:\Program Files\Uninstall Information\6ccacd8608530f DllCommonsvc.exe File created C:\Program Files (x86)\Windows Photo Viewer\it-IT\explorer.exe DllCommonsvc.exe File created C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe DllCommonsvc.exe File created C:\Program Files\Microsoft Office\Office14\1033\42af1c969fbb7b DllCommonsvc.exe File created C:\Program Files\Uninstall Information\winlogon.exe DllCommonsvc.exe File created C:\Program Files (x86)\Windows Mail\de-DE\sppsvc.exe DllCommonsvc.exe File created C:\Program Files\Windows Media Player\fr-FR\dwm.exe DllCommonsvc.exe File created C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\WmiPrvSE.exe DllCommonsvc.exe File created C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\24dbde2999530e DllCommonsvc.exe File created C:\Program Files\Mozilla Firefox\uninstall\dwm.exe DllCommonsvc.exe -
Drops file in Windows directory 18 IoCs
description ioc Process File created C:\Windows\PLA\Templates\886983d96e3d3e DllCommonsvc.exe File created C:\Windows\schemas\TSWorkSpace\cmd.exe DllCommonsvc.exe File created C:\Windows\PLA\Templates\b75386f1303e64 DllCommonsvc.exe File created C:\Windows\Panther\UnattendGC\services.exe DllCommonsvc.exe File created C:\Windows\addins\WmiPrvSE.exe DllCommonsvc.exe File created C:\Windows\ja-JP\lsm.exe DllCommonsvc.exe File created C:\Windows\Setup\dllhost.exe DllCommonsvc.exe File created C:\Windows\Vss\Writers\System\explorer.exe DllCommonsvc.exe File created C:\Windows\PLA\Reports\en-US\69ddcba757bf72 DllCommonsvc.exe File created C:\Windows\PLA\Templates\taskhost.exe DllCommonsvc.exe File created C:\Windows\Panther\UnattendGC\c5b4cb5e9653cc DllCommonsvc.exe File created C:\Windows\PLA\Templates\csrss.exe DllCommonsvc.exe File created C:\Windows\addins\24dbde2999530e DllCommonsvc.exe File opened for modification C:\Windows\ja-JP\lsm.exe DllCommonsvc.exe File created C:\Windows\ja-JP\101b941d020240 DllCommonsvc.exe File created C:\Windows\PLA\Reports\en-US\smss.exe DllCommonsvc.exe File created C:\Windows\Setup\5940a34987c991 DllCommonsvc.exe File created C:\Windows\Vss\Writers\System\7a0fd90576e088 DllCommonsvc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_b87080c7ac76bf20ac679f60a1d679cc6452dda8915718698e20136c2e24a607.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 3044 schtasks.exe 1884 schtasks.exe 572 schtasks.exe 2312 schtasks.exe 2916 schtasks.exe 2808 schtasks.exe 1992 schtasks.exe 1532 schtasks.exe 2932 schtasks.exe 2952 schtasks.exe 1348 schtasks.exe 1356 schtasks.exe 844 schtasks.exe 1836 schtasks.exe 2216 schtasks.exe 2744 schtasks.exe 2820 schtasks.exe 2476 schtasks.exe 1492 schtasks.exe 2768 schtasks.exe 2532 schtasks.exe 1152 schtasks.exe 2072 schtasks.exe 772 schtasks.exe 536 schtasks.exe 2908 schtasks.exe 2064 schtasks.exe 1624 schtasks.exe 2692 schtasks.exe 2876 schtasks.exe 1028 schtasks.exe 2368 schtasks.exe 2956 schtasks.exe 816 schtasks.exe 2436 schtasks.exe 2316 schtasks.exe 2532 schtasks.exe 2328 schtasks.exe 1356 schtasks.exe 912 schtasks.exe 2320 schtasks.exe 2172 schtasks.exe 1144 schtasks.exe 448 schtasks.exe 1192 schtasks.exe 1812 schtasks.exe 1528 schtasks.exe 2880 schtasks.exe 2404 schtasks.exe 1132 schtasks.exe 2316 schtasks.exe 576 schtasks.exe 2560 schtasks.exe 3048 schtasks.exe 2976 schtasks.exe 2208 schtasks.exe 2020 schtasks.exe 1792 schtasks.exe 768 schtasks.exe 2880 schtasks.exe 2268 schtasks.exe 292 schtasks.exe 2868 schtasks.exe 1948 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 49 IoCs
pid Process 2616 DllCommonsvc.exe 2664 powershell.exe 2136 powershell.exe 2324 powershell.exe 2832 powershell.exe 2000 powershell.exe 1972 powershell.exe 2636 powershell.exe 1808 powershell.exe 2296 powershell.exe 2560 powershell.exe 2928 powershell.exe 572 powershell.exe 536 powershell.exe 912 powershell.exe 1088 powershell.exe 2132 powershell.exe 3056 powershell.exe 1504 powershell.exe 2600 powershell.exe 3036 DllCommonsvc.exe 3036 DllCommonsvc.exe 3036 DllCommonsvc.exe 2956 powershell.exe 1504 powershell.exe 2808 powershell.exe 2968 powershell.exe 1992 powershell.exe 2364 powershell.exe 2412 powershell.exe 1076 powershell.exe 2944 powershell.exe 2616 powershell.exe 2516 powershell.exe 2192 powershell.exe 528 powershell.exe 2448 powershell.exe 1660 powershell.exe 884 powershell.exe 1624 winlogon.exe 2672 winlogon.exe 2756 winlogon.exe 1664 winlogon.exe 2772 winlogon.exe 2732 winlogon.exe 2988 winlogon.exe 2724 winlogon.exe 1348 winlogon.exe 3000 winlogon.exe -
Suspicious use of AdjustPrivilegeToken 47 IoCs
description pid Process Token: SeDebugPrivilege 2616 DllCommonsvc.exe Token: SeDebugPrivilege 2664 powershell.exe Token: SeDebugPrivilege 2136 powershell.exe Token: SeDebugPrivilege 2324 powershell.exe Token: SeDebugPrivilege 2832 powershell.exe Token: SeDebugPrivilege 2000 powershell.exe Token: SeDebugPrivilege 1972 powershell.exe Token: SeDebugPrivilege 2636 powershell.exe Token: SeDebugPrivilege 1808 powershell.exe Token: SeDebugPrivilege 2296 powershell.exe Token: SeDebugPrivilege 2560 powershell.exe Token: SeDebugPrivilege 2928 powershell.exe Token: SeDebugPrivilege 572 powershell.exe Token: SeDebugPrivilege 536 powershell.exe Token: SeDebugPrivilege 912 powershell.exe Token: SeDebugPrivilege 2132 powershell.exe Token: SeDebugPrivilege 1088 powershell.exe Token: SeDebugPrivilege 3056 powershell.exe Token: SeDebugPrivilege 1504 powershell.exe Token: SeDebugPrivilege 2600 powershell.exe Token: SeDebugPrivilege 3036 DllCommonsvc.exe Token: SeDebugPrivilege 2956 powershell.exe Token: SeDebugPrivilege 1504 powershell.exe Token: SeDebugPrivilege 2808 powershell.exe Token: SeDebugPrivilege 2968 powershell.exe Token: SeDebugPrivilege 1992 powershell.exe Token: SeDebugPrivilege 2364 powershell.exe Token: SeDebugPrivilege 2412 powershell.exe Token: SeDebugPrivilege 1076 powershell.exe Token: SeDebugPrivilege 2944 powershell.exe Token: SeDebugPrivilege 2616 powershell.exe Token: SeDebugPrivilege 2516 powershell.exe Token: SeDebugPrivilege 2192 powershell.exe Token: SeDebugPrivilege 528 powershell.exe Token: SeDebugPrivilege 2448 powershell.exe Token: SeDebugPrivilege 1660 powershell.exe Token: SeDebugPrivilege 884 powershell.exe Token: SeDebugPrivilege 1624 winlogon.exe Token: SeDebugPrivilege 2672 winlogon.exe Token: SeDebugPrivilege 2756 winlogon.exe Token: SeDebugPrivilege 1664 winlogon.exe Token: SeDebugPrivilege 2772 winlogon.exe Token: SeDebugPrivilege 2732 winlogon.exe Token: SeDebugPrivilege 2988 winlogon.exe Token: SeDebugPrivilege 2724 winlogon.exe Token: SeDebugPrivilege 1348 winlogon.exe Token: SeDebugPrivilege 3000 winlogon.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2856 wrote to memory of 2832 2856 JaffaCakes118_b87080c7ac76bf20ac679f60a1d679cc6452dda8915718698e20136c2e24a607.exe 30 PID 2856 wrote to memory of 2832 2856 JaffaCakes118_b87080c7ac76bf20ac679f60a1d679cc6452dda8915718698e20136c2e24a607.exe 30 PID 2856 wrote to memory of 2832 2856 JaffaCakes118_b87080c7ac76bf20ac679f60a1d679cc6452dda8915718698e20136c2e24a607.exe 30 PID 2856 wrote to memory of 2832 2856 JaffaCakes118_b87080c7ac76bf20ac679f60a1d679cc6452dda8915718698e20136c2e24a607.exe 30 PID 2832 wrote to memory of 2732 2832 WScript.exe 31 PID 2832 wrote to memory of 2732 2832 WScript.exe 31 PID 2832 wrote to memory of 2732 2832 WScript.exe 31 PID 2832 wrote to memory of 2732 2832 WScript.exe 31 PID 2732 wrote to memory of 2616 2732 cmd.exe 33 PID 2732 wrote to memory of 2616 2732 cmd.exe 33 PID 2732 wrote to memory of 2616 2732 cmd.exe 33 PID 2732 wrote to memory of 2616 2732 cmd.exe 33 PID 2616 wrote to memory of 1808 2616 DllCommonsvc.exe 89 PID 2616 wrote to memory of 1808 2616 DllCommonsvc.exe 89 PID 2616 wrote to memory of 1808 2616 DllCommonsvc.exe 89 PID 2616 wrote to memory of 2832 2616 DllCommonsvc.exe 90 PID 2616 wrote to memory of 2832 2616 DllCommonsvc.exe 90 PID 2616 wrote to memory of 2832 2616 DllCommonsvc.exe 90 PID 2616 wrote to memory of 2636 2616 DllCommonsvc.exe 91 PID 2616 wrote to memory of 2636 2616 DllCommonsvc.exe 91 PID 2616 wrote to memory of 2636 2616 DllCommonsvc.exe 91 PID 2616 wrote to memory of 2324 2616 DllCommonsvc.exe 94 PID 2616 wrote to memory of 2324 2616 DllCommonsvc.exe 94 PID 2616 wrote to memory of 2324 2616 DllCommonsvc.exe 94 PID 2616 wrote to memory of 2000 2616 DllCommonsvc.exe 95 PID 2616 wrote to memory of 2000 2616 DllCommonsvc.exe 95 PID 2616 wrote to memory of 2000 2616 DllCommonsvc.exe 95 PID 2616 wrote to memory of 2664 2616 DllCommonsvc.exe 96 PID 2616 wrote to memory of 2664 2616 DllCommonsvc.exe 96 PID 2616 wrote to memory of 2664 2616 DllCommonsvc.exe 96 PID 2616 wrote to memory of 536 2616 DllCommonsvc.exe 97 PID 2616 wrote to memory of 536 2616 DllCommonsvc.exe 97 PID 2616 wrote to memory of 536 2616 DllCommonsvc.exe 97 PID 2616 wrote to memory of 1504 2616 DllCommonsvc.exe 98 PID 2616 wrote to memory of 1504 2616 DllCommonsvc.exe 98 PID 2616 wrote to memory of 1504 2616 DllCommonsvc.exe 98 PID 2616 wrote to memory of 1088 2616 DllCommonsvc.exe 99 PID 2616 wrote to memory of 1088 2616 DllCommonsvc.exe 99 PID 2616 wrote to memory of 1088 2616 DllCommonsvc.exe 99 PID 2616 wrote to memory of 2132 2616 DllCommonsvc.exe 103 PID 2616 wrote to memory of 2132 2616 DllCommonsvc.exe 103 PID 2616 wrote to memory of 2132 2616 DllCommonsvc.exe 103 PID 2616 wrote to memory of 2136 2616 DllCommonsvc.exe 104 PID 2616 wrote to memory of 2136 2616 DllCommonsvc.exe 104 PID 2616 wrote to memory of 2136 2616 DllCommonsvc.exe 104 PID 2616 wrote to memory of 2600 2616 DllCommonsvc.exe 105 PID 2616 wrote to memory of 2600 2616 DllCommonsvc.exe 105 PID 2616 wrote to memory of 2600 2616 DllCommonsvc.exe 105 PID 2616 wrote to memory of 3056 2616 DllCommonsvc.exe 106 PID 2616 wrote to memory of 3056 2616 DllCommonsvc.exe 106 PID 2616 wrote to memory of 3056 2616 DllCommonsvc.exe 106 PID 2616 wrote to memory of 1972 2616 DllCommonsvc.exe 107 PID 2616 wrote to memory of 1972 2616 DllCommonsvc.exe 107 PID 2616 wrote to memory of 1972 2616 DllCommonsvc.exe 107 PID 2616 wrote to memory of 572 2616 DllCommonsvc.exe 110 PID 2616 wrote to memory of 572 2616 DllCommonsvc.exe 110 PID 2616 wrote to memory of 572 2616 DllCommonsvc.exe 110 PID 2616 wrote to memory of 2928 2616 DllCommonsvc.exe 111 PID 2616 wrote to memory of 2928 2616 DllCommonsvc.exe 111 PID 2616 wrote to memory of 2928 2616 DllCommonsvc.exe 111 PID 2616 wrote to memory of 912 2616 DllCommonsvc.exe 114 PID 2616 wrote to memory of 912 2616 DllCommonsvc.exe 114 PID 2616 wrote to memory of 912 2616 DllCommonsvc.exe 114 PID 2616 wrote to memory of 2296 2616 DllCommonsvc.exe 117 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b87080c7ac76bf20ac679f60a1d679cc6452dda8915718698e20136c2e24a607.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b87080c7ac76bf20ac679f60a1d679cc6452dda8915718698e20136c2e24a607.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2856 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2832 -
C:\Windows\SysWOW64\cmd.execmd /c ""C:\providercommon\1zu9dW.bat" "3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2732 -
C:\providercommon\DllCommonsvc.exe"C:\providercommon\DllCommonsvc.exe"4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2616 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1808
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ja-JP\lsm.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2832
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Setup\dllhost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2636
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Photo Viewer\it-IT\explorer.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2324
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2000
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Local Settings\dllhost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2664
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\smss.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:536
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Media Player\fr-FR\dwm.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1504
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\spoolsv.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1088
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2132
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Vss\Writers\System\explorer.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2136
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Links\Idle.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2600
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PLA\Reports\en-US\smss.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3056
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\winlogon.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1972
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\Microsoft\Framework\smss.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:572
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\dwm.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2928
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\WmiPrvSE.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:912
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\winlogon.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2296
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\dllhost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2560
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RBc6fQQaMD.bat"5⤵PID:1652
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:26⤵PID:1072
-
-
C:\providercommon\DllCommonsvc.exe"C:\providercommon\DllCommonsvc.exe"6⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3036 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2412
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dllhost.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2956
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\WmiPrvSE.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2616
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PLA\Templates\taskhost.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2448
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\de-DE\sppsvc.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2364
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\Idle.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2192
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Microsoft\audiodg.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2944
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Panther\UnattendGC\services.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2808
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PLA\Templates\csrss.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1992
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\lsass.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1504
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\addins\WmiPrvSE.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2968
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\services.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1660
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Mozilla Firefox\uninstall\dwm.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2516
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\dllhost.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:528
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Favorites\services.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1076
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\winlogon.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:884
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lXQCgw8tMr.bat"7⤵PID:2064
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:28⤵PID:2152
-
-
C:\providercommon\winlogon.exe"C:\providercommon\winlogon.exe"8⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1624 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\12JaEZR6zX.bat"9⤵PID:1276
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:210⤵PID:936
-
-
C:\providercommon\winlogon.exe"C:\providercommon\winlogon.exe"10⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2672 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Rn5V8mQYRH.bat"11⤵PID:2732
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:212⤵PID:528
-
-
C:\providercommon\winlogon.exe"C:\providercommon\winlogon.exe"12⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2756 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rd8mWnFnEV.bat"13⤵PID:1752
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:214⤵PID:2840
-
-
C:\providercommon\winlogon.exe"C:\providercommon\winlogon.exe"14⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1664 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8zQYTmmGlF.bat"15⤵PID:396
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:216⤵PID:1872
-
-
C:\providercommon\winlogon.exe"C:\providercommon\winlogon.exe"16⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2772 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YwiSfj46e4.bat"17⤵PID:1788
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:218⤵PID:2284
-
-
C:\providercommon\winlogon.exe"C:\providercommon\winlogon.exe"18⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2732 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UTkrWZWekQ.bat"19⤵PID:1660
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:220⤵PID:2044
-
-
C:\providercommon\winlogon.exe"C:\providercommon\winlogon.exe"20⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2988 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\15yWIDpGaf.bat"21⤵PID:984
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:222⤵PID:2468
-
-
C:\providercommon\winlogon.exe"C:\providercommon\winlogon.exe"22⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2724 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Z4XVup0LT1.bat"23⤵PID:2404
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:224⤵PID:448
-
-
C:\providercommon\winlogon.exe"C:\providercommon\winlogon.exe"24⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1348 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AWL6wsGpK7.bat"25⤵PID:2160
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:226⤵PID:2360
-
-
C:\providercommon\winlogon.exe"C:\providercommon\winlogon.exe"26⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3000 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CSN9cxKiet.bat"27⤵PID:108
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:228⤵PID:1500
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Windows\ja-JP\lsm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:292
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\ja-JP\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:576
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Windows\ja-JP\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1992
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Windows\Setup\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1532
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Setup\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:2072
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Windows\Setup\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2560
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\explorer.exe'" /f1⤵
- Process spawned unexpected child process
PID:3016
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2932
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2952
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\providercommon\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2868
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:2944
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2976
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Local Settings\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1836
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default\Local Settings\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2956
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Local Settings\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:2716
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:816
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2436
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:2512
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Media Player\fr-FR\dwm.exe'" /f1⤵
- Process spawned unexpected child process
PID:1152
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\fr-FR\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2316
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Media Player\fr-FR\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1948
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
PID:2448
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:2484
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2216
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe'" /f1⤵
- Process spawned unexpected child process
PID:2292
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:2488
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1348
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Windows\Vss\Writers\System\explorer.exe'" /f1⤵
- Process spawned unexpected child process
PID:108
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\Vss\Writers\System\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:448
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Windows\Vss\Writers\System\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3044
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Links\Idle.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1492
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Admin\Links\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:984
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Links\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1356
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Windows\PLA\Reports\en-US\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2208
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\PLA\Reports\en-US\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2020
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Windows\PLA\Reports\en-US\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:1648
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\providercommon\winlogon.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1192
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\providercommon\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:1756
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\providercommon\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:936
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1792
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1812
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2532
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\dwm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2908
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:1688
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2064
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\WmiPrvSE.exe'" /f1⤵
- Process spawned unexpected child process
PID:2228
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Default User\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1528
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2916
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Program Files\Uninstall Information\winlogon.exe'" /f1⤵
- Process spawned unexpected child process
PID:1588
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1624
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Program Files\Uninstall Information\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2880
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2768
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2808
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2328
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\providercommon\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
PID:964
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2880
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2404
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\WmiPrvSE.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:772
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2532
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2744
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Windows\PLA\Templates\taskhost.exe'" /f1⤵
- Process spawned unexpected child process
PID:2228
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\PLA\Templates\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:2772
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Windows\PLA\Templates\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:844
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Mail\de-DE\sppsvc.exe'" /f1⤵
- Process spawned unexpected child process
PID:3064
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\de-DE\sppsvc.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:1028
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Mail\de-DE\sppsvc.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:768
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Program Files\Uninstall Information\Idle.exe'" /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:3048
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\Idle.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:2172
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Program Files\Uninstall Information\Idle.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:2692
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Microsoft\audiodg.exe'" /f1⤵PID:2436
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft\audiodg.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:1884
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Microsoft\audiodg.exe'" /rl HIGHEST /f1⤵PID:2208
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Windows\Panther\UnattendGC\services.exe'" /f1⤵PID:1556
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\Panther\UnattendGC\services.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:2368
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Windows\Panther\UnattendGC\services.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:572
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Windows\PLA\Templates\csrss.exe'" /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:2876
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\PLA\Templates\csrss.exe'" /rl HIGHEST /f1⤵PID:1800
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Windows\PLA\Templates\csrss.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:1356
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\lsass.exe'" /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:1144
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\lsass.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:2820
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\lsass.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:1132
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Windows\addins\WmiPrvSE.exe'" /f1⤵PID:2672
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\addins\WmiPrvSE.exe'" /rl HIGHEST /f1⤵PID:2640
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Windows\addins\WmiPrvSE.exe'" /rl HIGHEST /f1⤵PID:2780
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\services.exe'" /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:2476
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\services.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:912
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\services.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:2316
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Program Files\Mozilla Firefox\uninstall\dwm.exe'" /f1⤵PID:2296
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\uninstall\dwm.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:2320
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Program Files\Mozilla Firefox\uninstall\dwm.exe'" /rl HIGHEST /f1⤵PID:2432
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\dllhost.exe'" /f1⤵PID:1496
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\All Users\dllhost.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:1152
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\dllhost.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:536
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Favorites\services.exe'" /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:2268
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\All Users\Favorites\services.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:2312
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Favorites\services.exe'" /rl HIGHEST /f1⤵PID:1064
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\providercommon\winlogon.exe'" /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:2072
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\providercommon\winlogon.exe'" /rl HIGHEST /f1⤵PID:2336
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\providercommon\winlogon.exe'" /rl HIGHEST /f1⤵PID:2308
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD514523793d7f7739c7ba0457d321a5710
SHA1a89b65a805de2de084e25000fd851de604e7c94e
SHA256ee82e008ce2251f598b5962806649867fb3a8bf3f7225e7ef8f53861dc1edce0
SHA51261f9386916faddfa2e110af7ff445243f80e5a3601c3560686207e2101f668c0426ba9a7cd49317e9d89ea6faa00cabf53602ba7b8e84b47f7b575b012fc35d9
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD56241fb0282866520dbda95dc61b0fa72
SHA110a7157e0f3ffa8d041cf06d79e137bb74e4b707
SHA25613c77ec7b4d1cee1abc488f8d25924356b69ce53f8e09f50090a05057329d992
SHA512c0de89270449d3be87ef46d57b641cfda63c283122a8d3a6ca424f49b9e526a81750c7104872e8062e0dfc0dbfd2b32a406ea2fff3f83b0048b1310eb620f6a6
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5c648b0baade018fdf8b89baf35b03928
SHA1c72e2cd9a77e658c6cab8f9e2fa5883cea75a880
SHA256032751438c0f67d7e0c837753c75a09e08bac853b574f8247cecf7b627885046
SHA512a28ef70fe3fa22fc808ccc0c06613c51a3401031f70fb0a2c705626a2d48fbbd2dea8850961fe711d454ad4f8a709679d8abca772be13edb714a34e650d4b49f
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD561e9a48bd106d1129c1e17f821b68d60
SHA15ea25188162e80e0cb2d82a53c0656e2838d7d47
SHA256ae501c1ab0c129f4c704dbb8e1e7a40cd0fc0f9f44d1a137c3500278fb42a00f
SHA512c884a6fdec60a6f0a8768100423365104de6bf68392b77fd51f1cfe0b2da822f4e094da684a37670a117f725f0d6d530c7686fd98ac49a7633329bdc86c1b514
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5552566e26b1824ce362bb39ba2ee7eea
SHA114b15c89d30c8d57d4c3ae1842da73bcad5053b6
SHA2565885d90d4eb427fdc344370545da38c2a75a8f549add856a23606a6d03978919
SHA512cc794ce12a985b2e79dc26ff3501d7c64cc0be8072fcaa85e1ec4269015d6373e002d874c6ac3b8aecb34f79024af508c88f143d914f19bd778bf463c154cc04
-
Filesize
195B
MD55ec1ca0afcd829100aa92e89c7cf1098
SHA19da7b6796cd46fa7101f886c9eebdcbd47489bce
SHA25679f72cb484bd8490d66ab01235d6610f0703ce3e501a9c5a5bd4fe0fb2f795bd
SHA512cc738bd48fdd6131f265cab64eb781724be50bcd22612f977368704425f43c039f2d495aa62bcb4dcc2aa219caab41e31d2f54ee6862c9546a602ebaf418861b
-
Filesize
195B
MD5ac079f9b4103297c4744f860fb5f592c
SHA168a35f3a7c29360e9f9f1d1e25b3c189ab1f1b09
SHA2563e8e9a1e1ea0ad24843dee8f08439a77642af8b4544abc1e44a8a58f6b3965c4
SHA5127686b8609e86d56e2d9f8843fa6a23834b662172dac467089f8180196f199ea50872ffb8a649957d2bd86f1ae85cacffb45d49c53e8a552c48af21b85ef4032c
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
199B
MD511a0c74ee5f35d6c4ce0ccad06a3ef6b
SHA1402bc1b6a2386d8367c7d72c36d1dc899c039d1e
SHA2562ca7f805462941279db7a24d99025d2f1d6cc4fb5be0e1620d66b8f4570acde9
SHA5123c8e40bb58ba6e839d605328e322a32feb2c3694980d9f0459c1acda57a98d6a6d31f836224d9675486e6ded0bada1fe5ab1ebe9d529e1a81c3be40a6e3286d4
-
Filesize
195B
MD570759115b9d696b389f7548273f571b3
SHA129d46a293a7c1aa1fad881cc21e4af68188b8f99
SHA2566d65bbe598bf255aa8da19e7e05aba84a1706a2d97770008fd2c25be79f3b7c1
SHA51255042cfd4dd40a61a8bc1d6859d96d9a1917d558e25b95641368ca87d2cca94d288f137be82b9f2275ea19dd9faf34d5c2559dc989a3a64020f19503d77f5ae1
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
195B
MD5e3a13fa6dbc4911ac90b5655fedb44e4
SHA10d4a36090cb5746375452d316837d688d8d5186e
SHA25612d58b4b881900b832ee7d7c15f7ff66751da50b96d75191eeadd8bc80069e58
SHA5125415eb07790593e433610d111c1d7224c480b4ce142d1b0f2c8d84a406e40576fee101beceaa267b7d2885bf7637cde3f02accfde54171550d9927643c483eed
-
Filesize
195B
MD55e424d397d42917deb55396191c336ae
SHA188d019c91373adfc414c578a48cd324cd3879fb1
SHA256f2d23532281739e0599339ced7540e0ba03a5bf7144f289f3b3b07738affe9b7
SHA512e4f131fda50f87222640b4160f36f7c80b7cd63b1d719c0a8f1d8654c1181c12b9a57ec8f86d527de98f9acb553eb9fc20e1c0eda18895ca9f6726a04109ef92
-
Filesize
195B
MD5a5278facd66a052af81f48bdf4768271
SHA1d8776e2c28b4990a1140802ce93d9ad1079a77fb
SHA256c844b2131ece6309798972789a0400ddf8a34d29e4d58987adb5111908ba78e5
SHA512ca5a317af4dc8c28128e523fb1a65bddfd4562b6bb24bc6028087e183a26013525713ad1f65b4e478178bd4c78a8dd2a779628056fbd66fd201ca35aea0eec5b
-
Filesize
195B
MD5f814d224c08ab891115a7d6dd83a736c
SHA10048285d789b1385891c5758c4c49319bce8e4c0
SHA2564e94da8f5bd051202aed61aea840db1f1cf28425eedd321d91f165d4f4f58a89
SHA512d4a76ca181a51ec3a4e23fdff52af60c907cc02c1851e4354ec5f3df4960b7e959a4b6d2a7d7cbe76c7e3fa4f5f0e003dcd9043b663f6517fc020821e9d007a0
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize7KB
MD55ad2516808610d67a8b16db11987a6bf
SHA187d5756d7f2411208754b4aa673e20ee741c64b4
SHA256ffe8f4418a28b25d976955ffe933b33cbe636cd91dce102a3243323622cc5af8
SHA512a930347658bd4a485e8548867219a5c2cb9a217cefe2b9bfed79b6653adab9ee4e6688d7d847d1ead0243e0d391abeb74fcd30d84f0bd36ff90190835fba45cc
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize7KB
MD563812fab73c2ee2e4f34bad196a966c4
SHA116053abdc4c551e7f0c7213ba6703998ca634830
SHA25633a3d1cfbe3f8dabec69dc968c0572c3ac77235a84c982f3f9a86977bb6d4266
SHA512764f958ef61a934ee823aae01c5f4ccaddf13d709fc582fac21bb6f9486113cd8b18646c4af219aef45d12632211106fe1599659c69e3f8ed111d73efc2b915b
-
Filesize
36B
MD56783c3ee07c7d151ceac57f1f9c8bed7
SHA117468f98f95bf504cc1f83c49e49a78526b3ea03
SHA2568ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8
-
Filesize
742B
MD59068351875de586e0268fd72467148d9
SHA1a61fc211653cbf23c433eae99f417d5116114d91
SHA256a6a9f0b568da1db05731baf36e6263fd4f45486a1b06120b9fea6f2713f3b09c
SHA512e1f586c9aa5ce40eaae8e1781008c5c6d5b915400f07d4681ab507fbcc14aa323b706c6f89580da8c793a61d05b842cc7c206f79e6cf0fb36e9c29ab018c25df
-
Filesize
197B
MD58088241160261560a02c84025d107592
SHA1083121f7027557570994c9fc211df61730455bb5
SHA2562072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA51220d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478
-
Filesize
1.0MB
MD5bd31e94b4143c4ce49c17d3af46bcad0
SHA1f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394