Analysis
max time kernel: 143s
max time network: 138s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 21-12-2024 22:43
Behavioral task: behavioral1
Sample: JaffaCakes118_f90f860388af1ae2c16fe96bb867f7865ffc69b1d8f15ecd6c290e1e27cdf2bb.exe
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: JaffaCakes118_f90f860388af1ae2c16fe96bb867f7865ffc69b1d8f15ecd6c290e1e27cdf2bb.exe
Resource: win10v2004-20241007-en
General
Target: JaffaCakes118_f90f860388af1ae2c16fe96bb867f7865ffc69b1d8f15ecd6c290e1e27cdf2bb.exe
Size: 1.3MB
MD5: 6e65a9d47e169820e505543778e973b7
SHA1: 9df8e259f3b00d6c8b79f16e379470396083fc29
SHA256: f90f860388af1ae2c16fe96bb867f7865ffc69b1d8f15ecd6c290e1e27cdf2bb
SHA512: bdc7cea8d0d5726c529f2f00dd09a1f120a5f0c34574ad62dc71a76a651667c6bbc85c0a3341f67a6ec472edb2bc9cea42bb3102046e7a38e92df1272f05f92d
SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config

Signatures

DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.

Dcrat family
Process spawned unexpected child process 57 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
resource | yara_rule
behavioral1/files/0x0008000000015e25-9.dat | dcrat
behavioral1/memory/2204-13-0x0000000000020000-0x0000000000130000-memory.dmp | dcrat
behavioral1/memory/628-66-0x00000000001D0000-0x00000000002E0000-memory.dmp | dcrat
behavioral1/memory/2456-220-0x0000000000E20000-0x0000000000F30000-memory.dmp | dcrat
behavioral1/memory/2544-339-0x0000000001120000-0x0000000001230000-memory.dmp | dcrat
behavioral1/memory/2728-399-0x0000000001270000-0x0000000001380000-memory.dmp | dcrat
behavioral1/memory/2468-459-0x0000000000270000-0x0000000000380000-memory.dmp | dcrat
behavioral1/memory/3064-519-0x0000000000A20000-0x0000000000B30000-memory.dmp | dcrat
behavioral1/memory/2324-579-0x00000000013E0000-0x00000000014F0000-memory.dmp | dcrat
behavioral1/memory/1564-639-0x0000000000090000-0x00000000001A0000-memory.dmp | dcrat
behavioral1/memory/772-699-0x0000000000A60000-0x0000000000B70000-memory.dmp | dcrat
Command and Scripting Interpreter: PowerShell 1 TTPs 20 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Executes dropped EXE 11 IoCs
pid | Process
2204 | DllCommonsvc.exe
628 | explorer.exe
2456 | explorer.exe
2840 | explorer.exe
2544 | explorer.exe
2728 | explorer.exe
2468 | explorer.exe
3064 | explorer.exe
2324 | explorer.exe
1564 | explorer.exe
772 | explorer.exe
Loads dropped DLL 2 IoCs
pid | Process
2196 | cmd.exe
2196 | cmd.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs
flow | ioc
4 | raw.githubusercontent.com
5 | raw.githubusercontent.com
19 | raw.githubusercontent.com
23 | raw.githubusercontent.com
29 | raw.githubusercontent.com
9 | raw.githubusercontent.com
12 | raw.githubusercontent.com
16 | raw.githubusercontent.com
26 | raw.githubusercontent.com
33 | raw.githubusercontent.com
Drops file in Program Files directory 8 IoCs
description | ioc | Process
File created | C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dwm.exe | DllCommonsvc.exe
File created | C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\6cb0b6c459d5d3 | DllCommonsvc.exe
File created | C:\Program Files\Windows Defender\en-US\DllCommonsvc.exe | DllCommonsvc.exe
File created | C:\Program Files\Windows Defender\en-US\a76d7bf15d8370 | DllCommonsvc.exe
File created | C:\Program Files (x86)\Windows Photo Viewer\fr-FR\DllCommonsvc.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\Windows Photo Viewer\fr-FR\a76d7bf15d8370 | DllCommonsvc.exe
File created | C:\Program Files\Reference Assemblies\Microsoft\lsass.exe | DllCommonsvc.exe
File created | C:\Program Files\Reference Assemblies\Microsoft\6203df4a6bafc7 | DllCommonsvc.exe
Drops file in Windows directory 6 IoCs
description | ioc | Process
File created | C:\Windows\addins\dllhost.exe | DllCommonsvc.exe
File created | C:\Windows\addins\5940a34987c991 | DllCommonsvc.exe
File created | C:\Windows\CSC\lsass.exe | DllCommonsvc.exe
File created | C:\Windows\CSC\6203df4a6bafc7 | DllCommonsvc.exe
File created | C:\Windows\ShellNew\audiodg.exe | DllCommonsvc.exe
File created | C:\Windows\ShellNew\42af1c969fbb7b | DllCommonsvc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_f90f860388af1ae2c16fe96bb867f7865ffc69b1d8f15ecd6c290e1e27cdf2bb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 57 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious behavior: EnumeratesProcesses 33 IoCs
Suspicious use of AdjustPrivilegeToken 31 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f90f860388af1ae2c16fe96bb867f7865ffc69b1d8f15ecd6c290e1e27cdf2bb.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f90f860388af1ae2c16fe96bb867f7865ffc69b1d8f15ecd6c290e1e27cdf2bb.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2312 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2880 -
C:\Windows\SysWOW64\cmd.execmd /c ""C:\providercommon\1zu9dW.bat" "3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2196 -
C:\providercommon\DllCommonsvc.exe"C:\providercommon\DllCommonsvc.exe"4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2204 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2016
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\taskhost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2656
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\WmiPrvSE.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2648
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\explorer.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1240
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dwm.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2920
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Music\OSPPSVC.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2144
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\CSC\lsass.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2848
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Defender\en-US\DllCommonsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1280
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\audiodg.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2696
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ShellNew\audiodg.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2728
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\sppsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:112
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\DllCommonsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1420
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\addins\dllhost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2424
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Application Data\wininit.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1548
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\csrss.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1096
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\Microsoft\lsass.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2456
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\sppsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2068
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\smss.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2192
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\services.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2784
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\taskhost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1636
-
-
C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\explorer.exe"C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\explorer.exe"5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:628 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8RCzlRjk6I.bat"6⤵PID:2716
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:27⤵PID:1696
-
-
C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\explorer.exe"C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\explorer.exe"7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2456 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xgactKMGCU.bat"8⤵PID:356
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:29⤵PID:2284
-
-
C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\explorer.exe"C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\explorer.exe"9⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2840 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cqXkQwtlzQ.bat"10⤵PID:1632
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:211⤵PID:2652
-
-
C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\explorer.exe"C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\explorer.exe"11⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2544 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AQtyVABn1C.bat"12⤵PID:2196
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:213⤵PID:2896
-
-
C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\explorer.exe"C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\explorer.exe"13⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2728 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Nl6pt1R060.bat"14⤵PID:1124
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:215⤵PID:2428
-
-
C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\explorer.exe"C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\explorer.exe"15⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2468 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8Lq6d7xQt2.bat"16⤵PID:1420
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:217⤵PID:2348
-
-
C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\explorer.exe"C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\explorer.exe"17⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3064 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PJw82jcrZC.bat"18⤵PID:2944
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:219⤵PID:2112
-
-
C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\explorer.exe"C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\explorer.exe"19⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2324 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eXOrkcF5G0.bat"20⤵PID:2720
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:221⤵PID:2312
-
-
C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\explorer.exe"C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\explorer.exe"21⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1564 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NpgWdIWSbT.bat"22⤵PID:2632
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:223⤵PID:2116
-
-
C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\explorer.exe"C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\explorer.exe"23⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:772
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Users\Default\taskhost.exe'" /f | level 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2684
-
C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Default\taskhost.exe'" /rl HIGHEST /f | level 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2068
-
C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Users\Default\taskhost.exe'" /rl HIGHEST /f | level 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2220
-
C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\WmiPrvSE.exe'" /f | level 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:824
-
C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\WmiPrvSE.exe'" /rl HIGHEST /f | level 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:888
-
C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\WmiPrvSE.exe'" /rl HIGHEST /f | level 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2124
-
C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\explorer.exe'" /f | level 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1636
-
C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\explorer.exe'" /rl HIGHEST /f | level 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2572
-
C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\explorer.exe'" /rl HIGHEST /f | level 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:532
-
C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dwm.exe'" /f | level 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2004
-
C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dwm.exe'" /rl HIGHEST /f | level 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2028
-
C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dwm.exe'" /rl HIGHEST /f | level 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2792
-
C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Music\OSPPSVC.exe'" /f | level 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2508
-
C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\Default\Music\OSPPSVC.exe'" /rl HIGHEST /f | level 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1248
-
C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Music\OSPPSVC.exe'" /rl HIGHEST /f | level 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2340
-
C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Windows\CSC\lsass.exe'" /f | level 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2452
-
C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\CSC\lsass.exe'" /rl HIGHEST /f | level 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2644
-
C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Windows\CSC\lsass.exe'" /rl HIGHEST /f | level 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1312
-
C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Defender\en-US\DllCommonsvc.exe'" /f | level 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1696
-
C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\en-US\DllCommonsvc.exe'" /rl HIGHEST /f | level 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1620
-
C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Defender\en-US\DllCommonsvc.exe'" /rl HIGHEST /f | level 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3004
-
C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\audiodg.exe'" /f | level 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1488
-
C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\audiodg.exe'" /rl HIGHEST /f | level 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1804
-
C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\audiodg.exe'" /rl HIGHEST /f | level 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2252
-
C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Windows\ShellNew\audiodg.exe'" /f | level 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2472
-
C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\ShellNew\audiodg.exe'" /rl HIGHEST /f | level 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2280
-
C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Windows\ShellNew\audiodg.exe'" /rl HIGHEST /f | level 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2128
-
C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /f | level 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1264
-
C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f | level 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:752
-
C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f | level 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:740
-
C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\DllCommonsvc.exe'" /f | level 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2236
-
C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\DllCommonsvc.exe'" /rl HIGHEST /f | level 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1112
-
C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\DllCommonsvc.exe'" /rl HIGHEST /f | level 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1356
-
C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Windows\addins\dllhost.exe'" /f | level 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3024
-
C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\addins\dllhost.exe'" /rl HIGHEST /f | level 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2092
-
C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Windows\addins\dllhost.exe'" /rl HIGHEST /f | level 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1540
-
C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Application Data\wininit.exe'" /f | level 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1772
-
C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\All Users\Application Data\wininit.exe'" /rl HIGHEST /f | level 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:892
-
C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Application Data\wininit.exe'" /rl HIGHEST /f | level 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1164
-
C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\csrss.exe'" /f | level 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2476
-
C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f | level 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2180
-
C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f | level 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1888
-
C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Program Files\Reference Assemblies\Microsoft\lsass.exe'" /f | level 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3020
-
C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\lsass.exe'" /rl HIGHEST /f | level 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1848
-
C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Program Files\Reference Assemblies\Microsoft\lsass.exe'" /rl HIGHEST /f | level 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:284
-
C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /f | level 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1692
-
C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f | level 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:864
-
C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f | level 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2384
-
C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\smss.exe'" /f | level 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1564
-
C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f | level 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2264
-
C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f | level 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2752
-
C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\services.exe'" /f | level 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2316
-
C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f | level 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2700
-
C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f | level 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2896
-
C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\taskhost.exe'" /f | level 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2724
-
C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\taskhost.exe'" /rl HIGHEST /f | level 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2916
-
C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\taskhost.exe'" /rl HIGHEST /f | level 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2652
MITRE ATT&CK Enterprise v15
Downloads