Analysis
- max time kernel: 149s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20241010-en
- resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
- submitted: 21-12-2024 23:13

Behavioral task: behavioral1
- Sample: JaffaCakes118_1c9786a37e3a012485258c30074590ae2aa7f8b1ed81186b34e0dfcd14d64c04.exe
- Resource: win7-20241010-en

Behavioral task: behavioral2
- Sample: JaffaCakes118_1c9786a37e3a012485258c30074590ae2aa7f8b1ed81186b34e0dfcd14d64c04.exe
- Resource: win10v2004-20241007-en
General
- Target: JaffaCakes118_1c9786a37e3a012485258c30074590ae2aa7f8b1ed81186b34e0dfcd14d64c04.exe
- Size: 1.3MB
- MD5: b687a0e41f98478dd186181afc47a853
- SHA1: 61c9ee73a2307e31550f5ff5b3fde0e0714cfb21
- SHA256: 1c9786a37e3a012485258c30074590ae2aa7f8b1ed81186b34e0dfcd14d64c04
- SHA512: 0120db3d566f463c50687e0a1fea47a4abf41986fb5e53a5cca2b4ea0c2a8585887c83b3e52254e11eee98437ae0fb66a7a4aa05a8b2fb8678b7e158faf0ce31
- SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config

Signatures

DcRat
DarkCrystal (DC) is a .NET RAT active since June 2019, capable of loading additional plugins.

Dcrat family

Process spawned unexpected child process (57 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
Yara rule hits (resource: rule)
- behavioral1/files/0x0007000000019242-12.dat: dcrat
- behavioral1/memory/2492-13-0x0000000000B60000-0x0000000000C70000-memory.dmp: dcrat
- behavioral1/memory/2432-161-0x0000000000DA0000-0x0000000000EB0000-memory.dmp: dcrat
- behavioral1/memory/2848-398-0x00000000002E0000-0x00000000003F0000-memory.dmp: dcrat
- behavioral1/memory/876-517-0x0000000000D50000-0x0000000000E60000-memory.dmp: dcrat
- behavioral1/memory/2268-636-0x00000000013C0000-0x00000000014D0000-memory.dmp: dcrat
Command and Scripting Interpreter: PowerShell (1 TTPs, 20 IoCs)
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Process powershell.exe, PIDs: 2620, 1016, 2816, 2572, 292, 2500, 1012, 2140, 604, 2924, 2508, 584, 2932, 1696, 1588, 1672, 2840, 548, 2648, 1804
Executes dropped EXE (11 IoCs)
- Process DllCommonsvc.exe, PIDs: 2492, 2432, 1556, 1980, 1292, 2848, 296, 876, 2780, 2268, 1016
Loads dropped DLL (2 IoCs)
- Process cmd.exe, PID 2052 (two loads recorded)
Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 11 IoCs)
- ioc: raw.githubusercontent.com, seen in flows 5, 28, 25, 32, 4, 9, 12, 15, 18, 21, 35
Drops file in System32 directory (4 IoCs)
File created by DllCommonsvc.exe:
- C:\Windows\SysWOW64\Setup\de-DE\explorer.exe
- C:\Windows\SysWOW64\Setup\de-DE\7a0fd90576e088
- C:\Windows\SysWOW64\040C\System.exe
- C:\Windows\SysWOW64\040C\27d1bcfc3c54e0
Drops file in Program Files directory (6 IoCs)
File created by DllCommonsvc.exe:
- C:\Program Files\Microsoft Games\SpiderSolitaire\de-DE\6203df4a6bafc7
- C:\Program Files\7-Zip\audiodg.exe
- C:\Program Files\7-Zip\42af1c969fbb7b
- C:\Program Files\Windows Media Player\winlogon.exe
- C:\Program Files\Windows Media Player\cc11b995f2a76d
- C:\Program Files\Microsoft Games\SpiderSolitaire\de-DE\lsass.exe
Drops file in Windows directory (2 IoCs)
File created by DllCommonsvc.exe:
- C:\Windows\de-DE\winlogon.exe
- C:\Windows\de-DE\cc11b995f2a76d
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by each of:
- JaffaCakes118_1c9786a37e3a012485258c30074590ae2aa7f8b1ed81186b34e0dfcd14d64c04.exe
- WScript.exe
- cmd.exe
Scheduled Task/Job: Scheduled Task (1 TTPs, 57 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious behavior: EnumeratesProcesses (35 IoCs)
Suspicious use of AdjustPrivilegeToken (31 IoCs)
Suspicious use of WriteProcessMemory (64 IoCs)
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

Depth 1: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c9786a37e3a012485258c30074590ae2aa7f8b1ed81186b34e0dfcd14d64c04.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c9786a37e3a012485258c30074590ae2aa7f8b1ed81186b34e0dfcd14d64c04.exe"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 2092

Depth 2: C:\Windows\SysWOW64\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 2536

Depth 3: C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c ""C:\providercommon\1zu9dW.bat" "
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 2052

Depth 4: C:\providercommon\DllCommonsvc.exe
    Command line: "C:\providercommon\DllCommonsvc.exe"
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 2492

Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2924
Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\WMIADAP.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2500

Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SysWOW64\Setup\de-DE\explorer.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2620

Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\de-DE\winlogon.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1012

Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SysWOW64\040C\System.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2572

Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\DllCommonsvc.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2648

Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\cmd.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2508

Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\winlogon.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2140

Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\conhost.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2840

Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\cmd.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 604

Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\7-Zip\audiodg.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 548

Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Media Player\winlogon.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 292

Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\services.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1804

Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\winlogon.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 584

Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\csrss.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1696

Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Microsoft Help\lsm.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1588

Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Games\SpiderSolitaire\de-DE\lsass.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1016

Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\System.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1672

Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\dllhost.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2932

Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Pictures\smss.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2816
Depth 5: C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cndcnxpV4O.bat"
    PID: 2752

Depth 6: C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 2196

Depth 6: C:\Users\Public\DllCommonsvc.exe
    Command line: "C:\Users\Public\DllCommonsvc.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2432

Depth 7: C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lBSBdtFHPx.bat"
    PID: 2068

Depth 8: C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 2324

Depth 8: C:\Users\Public\DllCommonsvc.exe
    Command line: "C:\Users\Public\DllCommonsvc.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1556

Depth 9: C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iVopF68B7o.bat"
    PID: 1988

Depth 10: C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 2764

Depth 10: C:\Users\Public\DllCommonsvc.exe
    Command line: "C:\Users\Public\DllCommonsvc.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1980

Depth 11: C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SNnEytbzjv.bat"
    PID: 2904

Depth 12: C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 2956

Depth 12: C:\Users\Public\DllCommonsvc.exe
    Command line: "C:\Users\Public\DllCommonsvc.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1292

Depth 13: C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yoQf8QHV2Q.bat"
    PID: 816

Depth 14: C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 2116

Depth 14: C:\Users\Public\DllCommonsvc.exe
    Command line: "C:\Users\Public\DllCommonsvc.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2848

Depth 15: C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kYBl3UyOdq.bat"
    PID: 2564

Depth 16: C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 1172

Depth 16: C:\Users\Public\DllCommonsvc.exe
    Command line: "C:\Users\Public\DllCommonsvc.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 296

Depth 17: C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nKCzYbro9F.bat"
    PID: 340

Depth 18: C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 2752

Depth 18: C:\Users\Public\DllCommonsvc.exe
    Command line: "C:\Users\Public\DllCommonsvc.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 876

Depth 19: C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VJj2LbMAw3.bat"
    PID: 2716

Depth 20: C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 1176

Depth 20: C:\Users\Public\DllCommonsvc.exe
    Command line: "C:\Users\Public\DllCommonsvc.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2780

Depth 21: C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xkGYwzkQoc.bat"
    PID: 768

Depth 22: C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 1048

Depth 22: C:\Users\Public\DllCommonsvc.exe
    Command line: "C:\Users\Public\DllCommonsvc.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2268

Depth 23: C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XC59y11ueh.bat"
    PID: 2624

Depth 24: C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 2408

Depth 24: C:\Users\Public\DllCommonsvc.exe
    Command line: "C:\Users\Public\DllCommonsvc.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1016

Depth 25: C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FaowIOOII5.bat"
    PID: 2900

Depth 26: C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 2696
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\WMIADAP.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2820
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\WMIADAP.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2852
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\WMIADAP.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3036
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Windows\SysWOW64\Setup\de-DE\explorer.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2808
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\SysWOW64\Setup\de-DE\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2076
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Windows\SysWOW64\Setup\de-DE\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2816
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Windows\de-DE\winlogon.exe'" /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2600
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\de-DE\winlogon.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2752
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Windows\de-DE\winlogon.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2632
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Windows\SysWOW64\040C\System.exe'" /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2608
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\SysWOW64\040C\System.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2512
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Windows\SysWOW64\040C\System.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2112
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 14 /tr "'C:\Users\Public\DllCommonsvc.exe'" /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1936
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Users\Public\DllCommonsvc.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1044
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 5 /tr "'C:\Users\Public\DllCommonsvc.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1952
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\cmd.exe'" /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1440
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\cmd.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1784
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\cmd.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1868
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\winlogon.exe'" /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1276
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\winlogon.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1624
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\winlogon.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1828
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\conhost.exe'" /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1292
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\conhost.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1336
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\conhost.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1760
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\cmd.exe'" /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1820
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2884
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2796
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Program Files\7-Zip\audiodg.exe'" /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2960
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\7-Zip\audiodg.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2896
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Program Files\7-Zip\audiodg.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1712
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Media Player\winlogon.exe'" /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2016
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\winlogon.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2784
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Media Player\winlogon.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1924
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\services.exe'" /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1864
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\services.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2940
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\services.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1908
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\providercommon\winlogon.exe'" /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2024
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\providercommon\winlogon.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2068
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\providercommon\winlogon.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1372
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\csrss.exe'" /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1800
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1240
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1100
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Microsoft Help\lsm.exe'" /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2440
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft Help\lsm.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3044
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Microsoft Help\lsm.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1468
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Program Files\Microsoft Games\SpiderSolitaire\de-DE\lsass.exe'" /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2444
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\SpiderSolitaire\de-DE\lsass.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:484
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Program Files\Microsoft Games\SpiderSolitaire\de-DE\lsass.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1572
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\System.exe'" /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1964
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\System.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2260
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\System.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2092
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\dllhost.exe'" /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1176
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\dllhost.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2420
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\dllhost.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1704
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Pictures\smss.exe'" /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2364
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Admin\Pictures\smss.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2136
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Pictures\smss.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2584
Network
MITRE ATT&CK Enterprise v15
Downloads