Analysis
max time kernel: 144s
max time network: 140s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 21-12-2024 18:44
Behavioral task behavioral1
Sample: JaffaCakes118_e8bfb03c2723402788ab77985603ae1581185b63c62605b3642db92181aa5953.exe
Resource: win7-20240903-en
Behavioral task behavioral2
Sample: JaffaCakes118_e8bfb03c2723402788ab77985603ae1581185b63c62605b3642db92181aa5953.exe
Resource: win10v2004-20241007-en
The signatures, IoCs and process tree below belong to behavioral1 (Windows 7 x64); the Windows 10 run (behavioral2) is listed but its results are not part of this page.
General
Target: JaffaCakes118_e8bfb03c2723402788ab77985603ae1581185b63c62605b3642db92181aa5953.exe
Size: 1.3MB
MD5: 39fd0409d80bfee512ce370d464fe7a6
SHA1: c69afc0bfb0f595ed63fc93db2d51ffb0fb53244
SHA256: e8bfb03c2723402788ab77985603ae1581185b63c62605b3642db92181aa5953
SHA512: b18e351ce75720ce5c3a7575cff068eb7069852dfd2ba309cb594e37f2f88da07b97cf2bb7c06f51266050f124004c3a0f9ef1df541a42e624592549f1be5af8
SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
(empty in this report: no configuration was extracted)
Signatures
DcRat
DarkCrystal RAT (DCRat) is a .NET remote access trojan, active since June 2019, that can load additional plugins at runtime.
Dcrat family
Process spawned unexpected child process (57 IoCs)
This typically indicates the parent process was compromised via an exploit or macro. In this run the pattern is different: all 57 children are schtasks.exe and all share the same parent, C:\Windows\system32\wbem\wmiprvse.exe (PID 2756, procid 34). A child of WmiPrvSE.exe is what process creation through WMI (Win32_Process.Create) looks like, because the CreateProcess call runs inside the provider host. It does not mean wmiprvse.exe was exploited; it means the process that requested the task creation (from the task targets, which are files written by DllCommonsvc.exe, the dropper) is missing from the parent/child chain in the process tree.
description (identical for every row): Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
pid_target: 2756, procid_target: 34 (wmiprvse.exe); Process: schtasks.exe
pid (the schtasks.exe child), 57 rows in report order:
3056, 2664, 2656, 2684, 2644, 2700, 2040, 2008, 1040, 1904, 992, 1244, 580, 2888, 2952, 2036, 1616, 1272, 1900, 1512, 2004, 2028, 2352, 2140, 556, 2112, 2496, 2348, 1096, 2192, 2200, 1308, 1356, 900, 2356, 1652, 1864, 1780, 776, 2512, 2224, 380, 2612, 2128, 1968, 2188, 1608, 1876, 2420, 3048, 1716, 2376, 1720, 1732, 336, 2828, 2796
resource / yara_rule (every entry matched the dcrat rule):
behavioral1/files/0x0008000000016dd2-11.dat
behavioral1/memory/780-13-0x0000000000C40000-0x0000000000D50000-memory.dmp
behavioral1/memory/2420-164-0x0000000000D80000-0x0000000000E90000-memory.dmp
behavioral1/memory/320-227-0x0000000001170000-0x0000000001280000-memory.dmp
behavioral1/memory/2844-288-0x0000000000260000-0x0000000000370000-memory.dmp
behavioral1/memory/2360-348-0x0000000000180000-0x0000000000290000-memory.dmp
behavioral1/memory/2776-408-0x0000000000090000-0x00000000001A0000-memory.dmp
behavioral1/memory/1640-468-0x0000000000130000-0x0000000000240000-memory.dmp
behavioral1/memory/1112-529-0x0000000001200000-0x0000000001310000-memory.dmp
behavioral1/memory/1760-648-0x0000000000CA0000-0x0000000000DB0000-memory.dmp
PID 780 is DllCommonsvc.exe and the other PIDs are audiodg.exe instances (see Executes dropped EXE), and every matched region is 0x110000 bytes: the dropped file, the dropper and each relaunched copy carry the same DCRat payload.
Command and Scripting Interpreter: PowerShell (1 TTP, 20 IoCs)
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths or processes. All 20 instances here are of the form "powershell" -Command Add-MpPreference -ExclusionPath '<path>', one per dropped binary (the paths are listed in the process tree), and all are children of DllCommonsvc.exe (PID 780).
pid / Process (all powershell.exe): 2692, 2396, 1684, 2688, 2792, 2652, 2032, 1496, 2584, 2728, 2444, 2940, 1524, 2664, 2640, 2632, 1028, 3004, 2008, 2908
Executes dropped EXE (11 IoCs)
pid / Process: 780 DllCommonsvc.exe; 2420 audiodg.exe; 2292 audiodg.exe; 320 audiodg.exe; 2844 audiodg.exe; 2360 audiodg.exe; 2776 audiodg.exe; 1640 audiodg.exe; 1112 audiodg.exe; 1940 audiodg.exe; 1760 audiodg.exe
Loads dropped DLL (2 IoCs)
pid / Process: 2020 cmd.exe (two entries)
Legitimate hosting services abused for malware hosting/C2 (1 TTP, 10 IoCs)
flow / ioc (all raw.githubusercontent.com), in report order: 9, 27, 30, 33, 4, 5, 19, 23, 12, 16
raw.githubusercontent.com is the only network indicator recorded in this run; no dedicated C2 host appears in the report.
Drops file in Program Files directory (10 IoCs)
All created by DllCommonsvc.exe. Each executable has a 14-hex-character companion file in the same directory:
C:\Program Files\DVD Maker\ja-JP\explorer.exe  (companion 7a0fd90576e088)
C:\Program Files\Windows Journal\lsm.exe  (companion 101b941d020240)
C:\Program Files\Windows Defender\ja-JP\System.exe  (companion 27d1bcfc3c54e0)
C:\Program Files\Mozilla Firefox\browser\VisualElements\spoolsv.exe  (companion f3b6ecef712a24)
C:\Program Files\Windows Mail\es-ES\taskhost.exe  (companion b75386f1303e64)
Drops file in Windows directory (8 IoCs)
All by DllCommonsvc.exe:
C:\Windows\Panther\UnattendGC\winlogon.exe  (companion cc11b995f2a76d)
C:\Windows\ehome\fr-FR\WmiPrvSE.exe  (companion 24dbde2999530e)
C:\Windows\winsxs\x86_microsoft-windows-winbio.resources_31bf3856ad364e35_6.1.7600.16385_en-us_9bb11a054c9491fa\audiodg.exe
C:\Windows\twain_32\audiodg.exe  (created, then opened for modification; companion 42af1c969fbb7b)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
description / ioc / Process:
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  by WScript.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  by cmd.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  by JaffaCakes118_e8bfb03c2723402788ab77985603ae1581185b63c62605b3642db92181aa5953.exe
Scheduled Task/Job: Scheduled Task (1 TTP, 57 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution. These 57 schtasks.exe processes are the same ones listed under "Process spawned unexpected child process". Where the command lines are visible in the process tree, each dropped binary gets three tasks: an interval task (/sc MINUTE /mo N) created with /f, an ONLOGON task with /rl HIGHEST, and a second interval task with /rl HIGHEST; with 19 persistence binaries (the 20 Defender exclusions minus the dropper itself) that accounts for all 57.
pid / Process (all schtasks.exe), in report order: 1244, 2140, 556, 2128, 2028, 2656, 1780, 1720, 2828, 2036, 1864, 2612, 2664, 2004, 2352, 2684, 2348, 2512, 2376, 1900, 1356, 2356, 1652, 3048, 1308, 1968, 1716, 1616, 2112, 776, 2644, 2700, 992, 900, 2040, 1040, 2888, 1096, 2420, 1272, 1512, 1608, 1732, 1904, 2952, 2192, 2796, 2008, 580, 2200, 380, 2188, 3056, 2496, 2224, 1876, 336
Suspicious behavior: EnumeratesProcesses (34 IoCs)
pid / Process: 780 DllCommonsvc.exe (5 entries); powershell.exe 2632, 1524, 2640, 2940, 1028, 2728, 2908, 2652, 2792, 2688, 2396, 1684, 2584, 2664, 2444, 2692, 2032, 1496, 2008, 3004; audiodg.exe 2420, 320, 2844, 2360, 2776, 1640, 1112, 1940, 1760
Suspicious use of AdjustPrivilegeToken (30 IoCs)
Token: SeDebugPrivilege in every entry.
pid / Process: 780 DllCommonsvc.exe; powershell.exe 2632, 1524, 2640, 2940, 1028, 2728, 2908, 2652, 2792, 2688, 2396, 1684, 2584, 2664, 2444, 2692, 2032, 1496, 2008, 3004; audiodg.exe 2420, 320, 2844, 2360, 2776, 1640, 1112, 1940, 1760
Suspicious use of WriteProcessMemory (64 IoCs)
pid (writer Process) wrote to memory of pid_target (procid_target); identical consecutive entries are collapsed with a count:
1632 (JaffaCakes118_e8bfb03c2723402788ab77985603ae1581185b63c62605b3642db92181aa5953.exe) wrote to 2548 (procid 30)  x4
2548 (WScript.exe) wrote to 2020 (procid 31)  x4
2020 (cmd.exe) wrote to 780 (procid 33)  x4
780 (DllCommonsvc.exe) wrote to 2792 (procid 93)  x3
780 (DllCommonsvc.exe) wrote to 2908 (procid 94)  x3
780 (DllCommonsvc.exe) wrote to 2640 (procid 95)  x3
780 (DllCommonsvc.exe) wrote to 2692 (procid 96)  x3
780 (DllCommonsvc.exe) wrote to 2584 (procid 97)  x3
780 (DllCommonsvc.exe) wrote to 2396 (procid 98)  x3
780 (DllCommonsvc.exe) wrote to 2632 (procid 99)  x3
780 (DllCommonsvc.exe) wrote to 1684 (procid 100)  x3
780 (DllCommonsvc.exe) wrote to 2652 (procid 101)  x3
780 (DllCommonsvc.exe) wrote to 2664 (procid 102)  x3
780 (DllCommonsvc.exe) wrote to 2032 (procid 103)  x3
780 (DllCommonsvc.exe) wrote to 2728 (procid 104)  x3
780 (DllCommonsvc.exe) wrote to 1028 (procid 105)  x3
780 (DllCommonsvc.exe) wrote to 3004 (procid 106)  x3
780 (DllCommonsvc.exe) wrote to 2444 (procid 107)  x3
780 (DllCommonsvc.exe) wrote to 1496 (procid 108)  x3
780 (DllCommonsvc.exe) wrote to 2940 (procid 109)  x3
780 (DllCommonsvc.exe) wrote to 2688 (procid 110)  x1 (the list is capped at 64 entries)
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
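The four behaviours the signatures above describe (schtasks.exe parented by WmiPrvSE.exe, Add-MpPreference exclusions from PowerShell, task actions that name a system binary outside System32, and w32tm /stripchart against localhost) are easy to turn into process-creation rules. The script below is an added example and is not part of the Tria.ge report or of DCRat; Test-ProcessEvent and $systemLeafNames are names chosen here. The records are constructed from command lines in this report (plus one benign control) to stand in for Sysmon Event ID 1 or Security 4688 fields; on a real host, map Get-WinEvent output onto the same three keys.

```powershell
# Added example, not from the report: process-creation rules for the DCRat
# chain above. Runs offline on Windows PowerShell 5.1 or PowerShell 7.

# Binary names this sample impersonates when dropped into non-system directories.
$systemLeafNames = 'audiodg.exe','explorer.exe','winlogon.exe','idle.exe','lsm.exe','taskhost.exe',
                   'spoolsv.exe','system.exe','wmiprvse.exe','csrss.exe','sppsvc.exe','wininit.exe',
                   'lsass.exe','services.exe'

function Test-ProcessEvent {
    # $Event keys: Image, ParentImage, CommandLine (hypothetical record shape).
    param([Parameter(Mandatory)][hashtable]$Event)
    $hits   = @()
    $img    = [System.IO.Path]::GetFileName($Event.Image).ToLower()
    $parent = [System.IO.Path]::GetFileName($Event.ParentImage).ToLower()
    $cmd    = [string]$Event.CommandLine

    # 1. schtasks.exe parented by WmiPrvSE.exe: process creation routed through WMI,
    #    which leaves the real requester out of the parent/child chain.
    if ($img -eq 'schtasks.exe' -and $parent -eq 'wmiprvse.exe') {
        $hits += 'schtasks_from_wmiprvse'
    }

    # 2. Defender exclusion added from a PowerShell command line.
    if ($img -eq 'powershell.exe' -and $cmd -match 'Add-MpPreference\s+-Exclusion(Path|Process|Extension)') {
        $hits += 'defender_exclusion_added'
    }

    # 3. Task action is a system-binary name living outside System32/SysWOW64
    #    (audiodg.exe in twain_32, winlogon.exe in Panther\UnattendGC, ...).
    #    The /tr value may be wrapped in "'...'" as in this report.
    if ($img -eq 'schtasks.exe' -and $cmd -match '/tr\s+"?''?(?<path>[^''"]+)''?"?') {
        $target = $Matches['path']
        $leaf   = [System.IO.Path]::GetFileName($target).ToLower()
        if (($systemLeafNames -contains $leaf) -and ($target -notmatch '^[A-Za-z]:\\Windows\\(System32|SysWOW64)\\')) {
            $hits += 'task_target_masquerades_as_system_binary'
        }
    }

    # 4. w32tm /stripchart against localhost: roughly samples x period seconds of
    #    waiting with no time-sync purpose, used here as a delay before each relaunch.
    if ($img -eq 'w32tm.exe' -and $cmd -match '/stripchart' -and $cmd -match '/computer:localhost') {
        $hits += 'w32tm_localhost_delay'
    }

    return ,$hits
}

# Constructed records: values copied from the report's process tree, plus a benign control.
$records = @(
    @{ Image = 'C:\Windows\system32\schtasks.exe'
       ParentImage = 'C:\Windows\system32\wbem\wmiprvse.exe'
       CommandLine = 'schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "''C:\Windows\twain_32\audiodg.exe''" /rl HIGHEST /f' },
    @{ Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
       ParentImage = 'C:\providercommon\DllCommonsvc.exe'
       CommandLine = '"powershell" -Command Add-MpPreference -ExclusionPath ''C:\Windows\twain_32\audiodg.exe''' },
    @{ Image = 'C:\Windows\system32\w32tm.exe'
       ParentImage = 'C:\Windows\System32\cmd.exe'
       CommandLine = 'w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2' },
    @{ Image = 'C:\Windows\system32\schtasks.exe'        # control: admin task pointing into System32
       ParentImage = 'C:\Windows\System32\cmd.exe'
       CommandLine = 'schtasks.exe /create /tn "NightlyBackup" /sc DAILY /tr "C:\Windows\System32\wbadmin.exe" /f' }
)

foreach ($rec in $records) {
    $hits  = Test-ProcessEvent -Event $rec
    $label = if ($hits.Count) { $hits -join ', ' } else { 'no hit' }
    '{0,-15} {1}' -f [System.IO.Path]::GetFileName($rec.Image), $label
}
```

The first three records each trigger at least one rule (the schtasks record triggers both the WmiPrvSE parent rule and the masquerading-target rule); the control task, whose action points at the real System32 binary and whose parent is an interactive shell, triggers none. Rule 1 on its own will also match legitimate WMI-driven administration, so pair it with rule 3 or with the task name before alerting.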
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e8bfb03c2723402788ab77985603ae1581185b63c62605b3642db92181aa5953.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e8bfb03c2723402788ab77985603ae1581185b63c62605b3642db92181aa5953.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1632 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2548 -
C:\Windows\SysWOW64\cmd.execmd /c ""C:\providercommon\1zu9dW.bat" "3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2020 -
C:\providercommon\DllCommonsvc.exe"C:\providercommon\DllCommonsvc.exe"4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:780 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2792
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\twain_32\audiodg.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2908
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\DVD Maker\ja-JP\explorer.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2640
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\Idle.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2692
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Panther\UnattendGC\winlogon.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2584
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\spoolsv.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2396
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\es-ES\taskhost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2632
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Music\Sample Music\explorer.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1684
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\audiodg.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2652
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Journal\lsm.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2664
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2032
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\csrss.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2728
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Defender\ja-JP\System.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1028
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\sppsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3004
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\wininit.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2444
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\lsass.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1496
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\services.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2940
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ehome\fr-FR\WmiPrvSE.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2688
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\System.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1524
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Mozilla Firefox\browser\VisualElements\spoolsv.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2008
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\otf5C6o01g.bat"5⤵PID:1788
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:26⤵PID:1140
-
-
C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\audiodg.exe"C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\audiodg.exe"6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2420 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sNl5EWIzDs.bat"7⤵PID:2328
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:28⤵PID:2772
-
-
C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\audiodg.exe"C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\audiodg.exe"8⤵
- Executes dropped EXE
PID:2292 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HD5NsnfB5C.bat"9⤵PID:2776
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:210⤵PID:2120
-
-
C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\audiodg.exe"C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\audiodg.exe"10⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:320 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SsFcJDxdf6.bat"11⤵PID:2648
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:212⤵PID:2836
-
-
C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\audiodg.exe"C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\audiodg.exe"12⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2844 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\L8pPJcA7Kt.bat"13⤵PID:2972
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:214⤵PID:444
-
-
C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\audiodg.exe"C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\audiodg.exe"14⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2360 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RgqsKqwwLg.bat"15⤵PID:1720
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:216⤵PID:2800
-
-
C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\audiodg.exe"C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\audiodg.exe"16⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2776 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OVj8bjUD5N.bat"17⤵PID:3032
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:218⤵PID:2836
-
-
C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\audiodg.exe"C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\audiodg.exe"18⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1640 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\D9KWG0zl28.bat"19⤵PID:2028
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:220⤵PID:1272
-
-
C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\audiodg.exe"C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\audiodg.exe"20⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1112 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zGIMjSYhT8.bat"21⤵PID:1408
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:222⤵PID:708
-
-
C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\audiodg.exe"C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\audiodg.exe"22⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1940 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Tcsv1v0qfT.bat"23⤵PID:2560
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:224⤵PID:1628
-
-
C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\audiodg.exe"C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\audiodg.exe"24⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1760
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Windows\twain_32\audiodg.exe'" /f  (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3056
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\twain_32\audiodg.exe'" /rl HIGHEST /f  (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2664
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Windows\twain_32\audiodg.exe'" /rl HIGHEST /f  (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2656
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Program Files\DVD Maker\ja-JP\explorer.exe'" /f  (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2684
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\ja-JP\explorer.exe'" /rl HIGHEST /f  (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2644
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Program Files\DVD Maker\ja-JP\explorer.exe'" /rl HIGHEST /f  (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2700
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\Idle.exe'" /f  (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2040
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\Idle.exe'" /rl HIGHEST /f  (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2008
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\Idle.exe'" /rl HIGHEST /f  (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1040
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Windows\Panther\UnattendGC\winlogon.exe'" /f  (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1904
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\Panther\UnattendGC\winlogon.exe'" /rl HIGHEST /f  (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:992
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Windows\Panther\UnattendGC\winlogon.exe'" /rl HIGHEST /f  (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1244
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\spoolsv.exe'" /f  (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:580
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f  (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2888
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f  (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2952
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Mail\es-ES\taskhost.exe'" /f  (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2036
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\es-ES\taskhost.exe'" /rl HIGHEST /f  (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1616
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Mail\es-ES\taskhost.exe'" /rl HIGHEST /f  (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1272
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Music\Sample Music\explorer.exe'" /f  (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1900
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Public\Music\Sample Music\explorer.exe'" /rl HIGHEST /f  (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1512
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Music\Sample Music\explorer.exe'" /rl HIGHEST /f  (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2004
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\audiodg.exe'" /f  (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2028
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\audiodg.exe'" /rl HIGHEST /f  (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2352
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\audiodg.exe'" /rl HIGHEST /f  (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2140
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Journal\lsm.exe'" /f  (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:556
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\lsm.exe'" /rl HIGHEST /f  (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2112
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Journal\lsm.exe'" /rl HIGHEST /f  (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2496
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe'" /f  (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2348
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f  (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1096
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f  (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2192
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\csrss.exe'" /f  (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2200
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f  (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1308
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f  (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1356
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Defender\ja-JP\System.exe'" /f  (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:900
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\ja-JP\System.exe'" /rl HIGHEST /f  (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2356
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Defender\ja-JP\System.exe'" /rl HIGHEST /f  (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1652
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\sppsvc.exe'" /f  (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1864
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\sppsvc.exe'" /rl HIGHEST /f  (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1780
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\sppsvc.exe'" /rl HIGHEST /f  (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:776
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\wininit.exe'" /f  (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2512
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f  (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2224
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f  (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:380
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\providercommon\lsass.exe'" /f  (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2612
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f  (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2128
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f  (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1968
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\services.exe'" /f  (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2188
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\services.exe'" /rl HIGHEST /f  (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1608
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\services.exe'" /rl HIGHEST /f  (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1876
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Windows\ehome\fr-FR\WmiPrvSE.exe'" /f  (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2420
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\ehome\fr-FR\WmiPrvSE.exe'" /rl HIGHEST /f  (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3048
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Windows\ehome\fr-FR\WmiPrvSE.exe'" /rl HIGHEST /f  (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1716
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\System.exe'" /f  (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2376
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f  (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1720
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f  (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1732
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Program Files\Mozilla Firefox\browser\VisualElements\spoolsv.exe'" /f  (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:336
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\browser\VisualElements\spoolsv.exe'" /rl HIGHEST /f  (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2828
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files\Mozilla Firefox\browser\VisualElements\spoolsv.exe'" /rl HIGHEST /f  (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2796
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 7e2375616e2ae684bf96dc09b84c020d
SHA1: d375f1b0a22aaa9127cbdbea6c3f3febb78db72c
SHA256: 471bc7a1cc886905c952128dd403b5fa606f98d6f1f919a0a4916ff2063bf384
SHA512: 0560a688d6047ccd7c85cc131662cee2ad4438cce406cf9e84c24cdbd2c01dec9ca7befe8eb410d28aa8c9daa268943e9c13fc4507d9bef866dd1fc4ba492af7
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 38e282edd0de8ad0c56111782f965929
SHA1: f8ce931842f3e7d34a8776a08fe7bc2479c8ad0e
SHA256: e19d39f6c6fb9bb0d44931a07997c7f9f32eaeffa4fd0956576fe4c5c4fb03cb
SHA512: 7b5b014a27e5e2aef85814a638016bed086e02bd6b8d280fa8b7952848839241692b55a0d009789b9cb2869582305b4afb61fbad9f6bac823844caa515486a0e
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: f855bd6df407f493e7a1287a1552e838
SHA1: 2470ef5e7c4d277ef2c1dde0a60302abf2a916d5
SHA256: 6755d659bb6856ddb67cc9d5dffd6988cc1fd84b574fd12428422f36b218ece7
SHA512: 095121e6dc7f4000b1cdbb6c5c548e506eee37e7db163619ca84ecd41ebb73112644f490761bd2832031724ba8f8dae507f3db82dc0c4e9ae0341064bad15bc5
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: c8e34afe8fae8f14eccf08c783cf8383
SHA1: 8c5da323797d7029878549178acba4e324d60458
SHA256: 4cbac88d385bf7ead1dcba94077015b038a9d8c1c3b8b7f70e5d6ea9f1a8613a
SHA512: 09463bcf7fab5524c9be143c765d6e31df19fe92920620e366cc23525d5f9c604a0e4f8b6e4ad442beddaa148b222f50aa8dd1202668cc6598f80e93f32b4244
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 5f2bd19fe58f9d846a81b00aaaa92cea
SHA1: 4be2cc9282070b3287f9d79cd9143ab0bd6fc442
SHA256: e6be8d29e1903e7cd794415249d4a176fd68f0d56a2bf275a5f0d591205d0dfe
SHA512: 73b26f2d036c3f6c738ad666916c97cea9e69f389e60e36c20cf79df200b5804d52aaab1d7f894ea076cb3637eacde1e1ff10e4e2738f3d05e795456f2265824
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 70f8854550d676da6cb6a0106fc64f6b
SHA1: e43b1fb642c482cede6752274183b7db70dc4f7f
SHA256: 281f886112fd32e7c77abcff8a8d133dc5f95d9f2234d95118af730545be6b56
SHA512: a8aa5d10575303b858fde8918622baadebde709a8ad104cbfa63c713baf57f75b08e81f1b50de67872396aeead1ccfb41d0adbcd8654561c41c695f6bdc553c2
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 5d97cfe7b4842335fe53e3ec4438caf8
SHA1: 642e27c2f148df058efb7bb9418dbb2d107814cd
SHA256: 34b424403a21ee3a02fcbb706a058a6b31ac203bdb8adf8e15fc46bbefd3ecda
SHA512: 5674358d2b10af94a754c975f5ec8404f9336daca77aa2183f8a32136e0a29c11959cfe40d7307979f5e9fd15c7acd4f0ae0c90fc89baeb0271b6297c1b7a0e1
-
Filesize: 70KB
MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1: 1723be06719828dda65ad804298d0431f6aff976
SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize: 225B
MD5: bb9ecef042a2c77ead7801dbc5922dfe
SHA1: 0f65bf4346a66591b18dbabf3f2e1814370cf52a
SHA256: 62e3d9497284cc6d25b42bbc65338fdab3da26d1d19b907ea09c3eb3bbfc32e8
SHA512: 8b29ae751c6603f2bde359675358938d640215c89b02ea269683f5170baf394fdcfdb5e74e8112086b3d7a27f2f6bec7002f35d2746bcb22b4d2eb9dbe8e9500
-
Filesize: 225B
MD5: 0b2e370c8e8b97048d6b19363f1ef3e6
SHA1: 6198d400cf357d1ecae54fb325fe345a6fcabdf6
SHA256: d56a647b7c91f537604f39faf83d2f8f69f53acc3f4005cb1e512372af69f2e6
SHA512: d83a427b54f8c78d516e82d99e2e8f88fe42053cf8a5727c08fb4970ee5a0edd4a5a363aeb6ed242c87574f8010cf36f490da6451d4df85b037774b1e05a759b
-
Filesize: 225B
MD5: fef8269fd76d2451897f900a48efd6be
SHA1: 92632e3970eff60ad056f32e5373e0f7447925df
SHA256: 247f0302b8cbbfb366d3d7f872537546a06f540114fb3432613404f10ee7cc57
SHA512: f3f93cc28fc3e673a4aeb109701bc2f94ff8e0c70f5aa72fa95d03842239ec543d22a5bc803e11f9c5d659fdb1e1e8ec799e0f0510b24e94c0e4afb38f65d39c
-
Filesize: 225B
MD5: 5830903b5b8f8f86ac7f12a5a8dae1d7
SHA1: 8f4c389e62bbc965327e187e6195564e3c01feb1
SHA256: 197bab1703991e806699099e20a53184cc9c471e6e291998807f412f1d8d6ade
SHA512: 4dfa7b61244e7c7a9f8a01fda9d3ff202acd4630f3bffb23829cf7533f5d12f102b4a20d69b230b793687e0841020eadf56c9a34be787d452e60b422d849007a
-
Filesize: 225B
MD5: 3757e75e1d6cd28b198177eac340480a
SHA1: 9b1e1934a713b959748ee2027f45192094715fd6
SHA256: f1f67ffe95bd20b25044c188da89ce9610397e9c074697f740f84e24a0cea2fd
SHA512: dcb1d2eeeb947e3c1b9c96b7cda0c2d3bceb24f7c08635cce6061a3e71047b4e789fefca12642644d9d292ce97a939ef67e4274490f99e4b71b73086b407640b
-
Filesize: 181KB
MD5: 4ea6026cf93ec6338144661bf1202cd1
SHA1: a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256: 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512: 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize: 225B
MD5: 5ed711489c744478613e57527f4f1361
SHA1: 80c9d42aacde1ca17314fbc5bcee92f56dce5dca
SHA256: 5833240ed4757924c7461a3633fc57ebc87c2c277fd2f6af795d8043e4bec3e4
SHA512: 867647a9592925229c6e133c852794575bef59b68804f4a1be2662209706dab069d95053dbc44b4b57b4234af0e6832e6e7ddc2e77b9cc10a5f92fa59221f269
-
Filesize: 225B
MD5: 557bcd1919e2b9015458e346fc2f7858
SHA1: afb77d15ddb0644c681b917c3a426e8f97bae118
SHA256: bcc79bac00aeff50c46e4eba7cf5d364a8190fd028269f7d4c87fab042854637
SHA512: d0c01fc0dee38f5be80be60a68feb341b13b1328cb4f4590b1d999fc01aafc0f670be4178a9416f8d9894288e75b70b49a81a6dcf5efb913888e76d0ec4ed0e5
-
Filesize: 225B
MD5: c7be5972678383d0941f337f2ffd8ea7
SHA1: bd7c1b3d2f6b8d9849ba738de336110b9524e2b2
SHA256: 544935099e4bc19baae7c7922514ac9ca60cec3761f86ccb583cb93bd2c4e227
SHA512: 5e6da6abf29da1def96b17df3f4b41ded8dd3528317060349cb5b1f9f3b3735642ac375c4e56a69becdaf61b895b638194b342241f75082b6860b008c13b40d2
-
Filesize: 225B
MD5: 81bb8d68245190cb1ca36bd041308c9c
SHA1: e3eaaaaace6a4993b32652b35af6ff1b3b768bfe
SHA256: e27593017836f9fe3ef82771d05b904be17a5f5524b94c31692cbb0be3aaf667
SHA512: 52306d2e46700e56d7799e3de1bcb14c0917581829567623d32d9a5776ff6c0864b3c7371fa69b48e65b4f87e43ba762ba5246f1be00c701e118adbfbe052cec
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize: 7KB
MD5: 276daca5b52119a1632eecb9c7c4bdf5
SHA1: 4d4fadefea8d57c0df64340fda0c341abe038551
SHA256: 2ec02057ffd40e1ac15361818f3cf392ddb9842f47b0d59f965e5fd302af22b5
SHA512: a37fe563a9a9e6057222dbb5a572358eb94fce974d2cfced326fcfe14488a1ec9e5cba00584b0a09471c5c775e0eb2347385c669134897e0464c2ab363343dca
-
Filesize: 36B
MD5: 6783c3ee07c7d151ceac57f1f9c8bed7
SHA1: 17468f98f95bf504cc1f83c49e49a78526b3ea03
SHA256: 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512: c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8
-
Filesize: 197B
MD5: 8088241160261560a02c84025d107592
SHA1: 083121f7027557570994c9fc211df61730455bb5
SHA256: 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA512: 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478
-
Filesize: 1.0MB
MD5: bd31e94b4143c4ce49c17d3af46bcad0
SHA1: f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256: b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512: f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394