Analysis
max time kernel: 148s
max time network: 151s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 21-12-2024 20:18
Behavioral task: behavioral1
Sample: JaffaCakes118_eb00a4c743bb349a57c2e5b41eff5db3e8c47ae0597bf78dfc540eebeabadb5a.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: JaffaCakes118_eb00a4c743bb349a57c2e5b41eff5db3e8c47ae0597bf78dfc540eebeabadb5a.exe
Resource: win10v2004-20241007-en
General
Target: JaffaCakes118_eb00a4c743bb349a57c2e5b41eff5db3e8c47ae0597bf78dfc540eebeabadb5a.exe
Size: 1.3MB
MD5: d94357521343f7be5233adf59d739b35
SHA1: cc5ac40c4de85399ea5ef6362ac6aa9f3a661530
SHA256: eb00a4c743bb349a57c2e5b41eff5db3e8c47ae0597bf78dfc540eebeabadb5a
SHA512: 2d1f864d2b3633f98351d24c2cd02a614074848f308b7fa4adf11ded25ad7f59a29cacf242215fedadb479453daa8be6b393f8badecc8e11264b06ba4773091c
SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
DcRat
DarkCrystal (DCRat) is a .NET RAT, active since June 2019, capable of loading additional plugins.
Dcrat family
Process spawned unexpected child process 57 IoCs
This typically indicates the parent process was compromised via an exploit or macro. In this run all 57 entries are the same parent-child pair: C:\Windows\system32\wbem\wmiprvse.exe (pid 3004) spawning schtasks.exe. The WMI provider host, not DllCommonsvc.exe, is the parent, which is consistent with the RAT creating its scheduled tasks through WMI process creation so that schtasks.exe never appears as a direct child of the dropper; this is also why the schtasks.exe entries in the process tree below sit at depth 1, detached from the rest of the chain.
Each row reads: Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process; pid_target 3004; Process schtasks.exe; procid_target 35. The child schtasks.exe pids, in the order listed:
2280, 1096, 1940, 2860, 3012, 1632, 1340, 1824, 1636, 296, 1616, 1880, 1048, 2072, 776, 1496, 264, 1892, 2244, 2940, 1256, 1668, 2312, 1868, 1872, 1212, 1860, 1404, 980, 1600, 760, 1984, 928, 1856, 2124, 1716, 2448, 608, 1692, 1232, 1540, 2368, 2432, 1956, 1000, 3024, 3032, 1588, 2924, 2800, 2920, 2636, 2308, 2852, 2612, 2992, 2600
YARA matches (rule: dcrat); the dropped file, the memory of DllCommonsvc.exe (pid 2720) and the memory of the explorer.exe copies listed under Executes dropped EXE all match:
behavioral1/files/0x0007000000016c7b-12.dat
behavioral1/memory/2720-13-0x0000000000910000-0x0000000000A20000-memory.dmp
behavioral1/memory/2828-71-0x0000000000040000-0x0000000000150000-memory.dmp
behavioral1/memory/1620-222-0x0000000000360000-0x0000000000470000-memory.dmp
behavioral1/memory/1140-283-0x00000000013C0000-0x00000000014D0000-memory.dmp
behavioral1/memory/1984-344-0x00000000000A0000-0x00000000001B0000-memory.dmp
behavioral1/memory/2080-404-0x0000000000E60000-0x0000000000F70000-memory.dmp
behavioral1/memory/2144-524-0x0000000000020000-0x0000000000130000-memory.dmp
behavioral1/memory/1748-584-0x0000000000BF0000-0x0000000000D00000-memory.dmp
behavioral1/memory/1376-644-0x0000000001290000-0x00000000013A0000-memory.dmp
Command and Scripting Interpreter: PowerShell 1 TTPs 20 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes. All 20 invocations here are Add-MpPreference -ExclusionPath calls issued by DllCommonsvc.exe (pid 2720), each excluding one file path; the paths cover the locations the dropped copies use (see the Drops file sections) plus further paths that are not seen being written in this run. Full command lines are in the process tree below.
powershell.exe pids: 2764, 112, 1340, 1148, 1096, 2972, 2388, 1284, 1620, 2360, 1352, 344, 1632, 2768, 2736, 1328, 1684, 1736, 892, 2772
Executes dropped EXE 11 IoCs
2720 DllCommonsvc.exe
explorer.exe pids: 2828, 1620, 1140, 1984, 2080, 2224, 2144, 1748, 1376, 2108
Loads dropped DLL 2 IoCs
2584 cmd.exe (two loads)
Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs
ioc: raw.githubusercontent.com; flows 31, 4, 5, 9, 12, 16, 20, 24, 34, 38, 27
Drops file in Program Files directory 12 IoCs
All created by DllCommonsvc.exe. Each dropped executable is paired with a 14-character hex-named companion file in the same directory, and the same companion name recurs with the same executable name (7a0fd90576e088 with explorer.exe, a76d7bf15d8370 with DllCommonsvc.exe), which makes the companion file names usable as IoCs on their own.
C:\Program Files\Internet Explorer\images\explorer.exe
C:\Program Files\Internet Explorer\images\7a0fd90576e088
C:\Program Files (x86)\Mozilla Maintenance Service\logs\audiodg.exe
C:\Program Files (x86)\Mozilla Maintenance Service\logs\42af1c969fbb7b
C:\Program Files (x86)\Windows NT\conhost.exe
C:\Program Files (x86)\Windows NT\088424020bedd6
C:\Program Files\Windows Journal\ja-JP\WmiPrvSE.exe
C:\Program Files\Windows Journal\ja-JP\24dbde2999530e
C:\Program Files (x86)\Common Files\System\DllCommonsvc.exe
C:\Program Files (x86)\Common Files\System\a76d7bf15d8370
C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\images\on_desktop\DllCommonsvc.exe
C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\images\on_desktop\a76d7bf15d8370
Drops file in Windows directory 6 IoCs
All created by DllCommonsvc.exe, again as executable plus companion file. The WinSAT\DataStore\explorer.exe copy is the one that actually runs in this trace.
C:\Windows\Performance\WinSAT\DataStore\explorer.exe
C:\Windows\Performance\WinSAT\DataStore\7a0fd90576e088
C:\Windows\Panther\winlogon.exe
C:\Windows\Panther\cc11b995f2a76d
C:\Windows\DigitalLocker\ja-JP\wininit.exe
C:\Windows\DigitalLocker\ja-JP\56085415360792
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by: JaffaCakes118_eb00a4c743bb349a57c2e5b41eff5db3e8c47ae0597bf78dfc540eebeabadb5a.exe, WScript.exe, cmd.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 57 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution. The command lines visible in the process tree below show the pattern used for each dropped binary: three tasks, an interval task (/sc MINUTE), an ONLOGON task with /rl HIGHEST, and a second interval task with /rl HIGHEST, all with /f and named after the binary they launch (OSPPSVC and OSPPSVCO, conhost and conhostc, explorer and explorere, winlogon and winlogonw). The page's process tree shows only the first 11 of the 57 schtasks.exe processes and is cut off mid-entry.
schtasks.exe pids: 1984, 1692, 1880, 296, 2312, 1600, 2280, 1872, 1212, 1956, 3024, 1588, 1868, 1496, 1340, 1048, 928, 2448, 2612, 1632, 1636, 264, 980, 1096, 1232, 1540, 2308, 2600, 1940, 2992, 2244, 1256, 760, 1716, 3032, 1824, 2800, 1668, 2852, 2636, 2072, 776, 2368, 1000, 2860, 1856, 608, 2920, 1616, 3012, 2924, 2124, 2940, 1860, 1404, 2432, 1892
Suspicious behavior: EnumeratesProcesses 33 IoCs
DllCommonsvc.exe: 2720 (three entries)
powershell.exe: 1620, 2768, 1736, 1632, 1352, 1284, 2360, 2972, 344, 892, 1148, 2736, 112, 1096, 1340, 1328, 2388, 2764, 1684, 2772
explorer.exe: 2828, 1620, 1140, 1984, 2080, 2224, 2144, 1748, 1376, 2108
Suspicious use of AdjustPrivilegeToken 31 IoCs
Every entry is Token: SeDebugPrivilege.
DllCommonsvc.exe: 2720
powershell.exe: 1620, 2768, 1736, 1632, 1352, 1284, 2360, 2972, 344, 892, 1148, 2736, 112, 1096, 1340, 1328, 2388, 2764, 1684, 2772
explorer.exe: 2828, 1620, 1140, 1984, 2080, 2224, 2144, 1748, 1376, 2108
Suspicious use of WriteProcessMemory 64 IoCs
Each entry is "PID <parent> wrote to memory of <child>", with the sandbox's procid_target in parentheses; repeated entries are collapsed with a count. Every pair here is a parent and a child it is shown launching in the process tree, so these are the parent-to-child writes that accompany process creation, not evidence of injection into an unrelated process. The table stops at 64 entries, which is why the launch of explorer.exe (pid 2828) by DllCommonsvc.exe does not appear.
2788 JaffaCakes118_eb00a4c743bb349a57c2e5b41eff5db3e8c47ae0597bf78dfc540eebeabadb5a.exe -> 2876 (31), x4
2876 WScript.exe -> 2584 (32), x4
2584 cmd.exe -> 2720 (34), x4
2720 DllCommonsvc.exe -> 2764 (93), 2768 (94), 2736 (95), 2972 (96), 2388 (97), 1284 (98), 1328 (99), 1352 (100), 1684 (101), 112 (102), 344 (103), 1736 (104), 892 (105), 1340 (106), 1632 (108), 1148 (109), 2772 (110), each x3
2720 DllCommonsvc.exe -> 1096 (111), x1
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
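The signatures above describe three behaviours worth encoding as detection logic rather than reading off one sandbox run: Defender exclusions added through Add-MpPreference, schtasks.exe persistence whose /tr target is a system-binary name in a non-system directory (and whose parent is wmiprvse.exe), and dropped copies running under names like explorer.exe or winlogon.exe from the wrong place, plus the w32tm /stripchart delay that the batch files in the process tree use before relaunching explorer.exe. The following is an added example, not part of the sandbox report and not the sample's own code: it applies those rules to process-creation records constructed from this report's process tree (pids, image paths, command lines and parents as shown, plus one benign control). The ProcEvent field names, the EXPECTED_DIRS allow-list, the finding labels and the benign control event are this example's own assumptions, not a sandbox or EDR schema.

```python
"""Detection rules for the behaviours flagged in this report, applied to
process-creation records.

The ProcEvent records in SAMPLE_EVENTS are constructed from the report's
process tree and signature tables (pids, image paths, command lines and
parents as shown there, plus one benign control); the field names, the
EXPECTED_DIRS allow-list and the finding labels are this example's own
conventions, not a sandbox or EDR schema.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    image: str         # full path of the new process
    cmdline: str       # its command line, as logged
    parent_image: str  # full path of the creating process


# Where these binaries legitimately live on a Windows 7 x64 host. The sample
# drops copies of itself under exactly these names in other directories, so a
# matching name outside its expected directory is treated as masquerading.
# (Assumed allow-list; it covers only the names that occur in this report.)
SYS32 = r"c:\windows\system32"
WOW64 = r"c:\windows\syswow64"
EXPECTED_DIRS = {
    "lsass.exe": (SYS32,),
    "smss.exe": (SYS32,),
    "wininit.exe": (SYS32,),
    "winlogon.exe": (SYS32,),
    "lsm.exe": (SYS32,),
    "dwm.exe": (SYS32,),
    "spoolsv.exe": (SYS32,),
    "audiodg.exe": (SYS32,),
    "conhost.exe": (SYS32, WOW64),
    "cmd.exe": (SYS32, WOW64),
    "wmiprvse.exe": (SYS32 + r"\wbem", WOW64 + r"\wbem"),
    "explorer.exe": (r"c:\windows", WOW64),
    "osppsvc.exe": (r"c:\program files\common files\microsoft shared\officesoftwareprotectionplatform",),
}

_EXCLUSION = re.compile(r"Add-MpPreference\s+-Exclusion(Path|Process|Extension)\s+'([^']+)'", re.I)
_TASK_NAME = re.compile(r'/tn\s+"([^"]+)"', re.I)
_TASK_RUN = re.compile(r'''/tr\s+"'?([^"']+)'?"''', re.I)


def _split(path: str) -> tuple[str, str]:
    """Lower-cased (directory, filename) of a Windows path, quotes stripped."""
    p = path.strip("'\" ").lower()
    head, _, tail = p.rpartition("\\")
    return head, tail


def is_masquerade(path: str) -> bool:
    """True if the file name is a known system binary but its directory is not
    one of that binary's legitimate locations."""
    directory, name = _split(path)
    allowed = EXPECTED_DIRS.get(name)
    return allowed is not None and directory not in allowed


def analyse(ev: ProcEvent) -> list[str]:
    """Return the finding labels that apply to one process-creation event."""
    findings = []
    _, name = _split(ev.image)
    _, parent = _split(ev.parent_image)

    # 1. Defender exclusions added from PowerShell (20 of them in this report).
    if name == "powershell.exe":
        m = _EXCLUSION.search(ev.cmdline)
        if m:
            findings.append(f"defender-exclusion:{m.group(1).lower()}:{m.group(2)}")

    # 2. schtasks persistence: a masquerading target, highest run level, or the
    #    WMI provider host as parent (the "unexpected child process" signature).
    if name == "schtasks.exe" and re.search(r"/create\b", ev.cmdline, re.I):
        tn = _TASK_NAME.search(ev.cmdline)
        tr = _TASK_RUN.search(ev.cmdline)
        task = tn.group(1) if tn else "?"
        target = tr.group(1) if tr else ""
        if target and is_masquerade(target):
            findings.append(f"task-masquerade:{task}:{target}")
        if re.search(r"/rl\s+HIGHEST\b", ev.cmdline, re.I):
            findings.append(f"task-highest:{task}")
        if parent == "wmiprvse.exe":
            findings.append(f"wmi-spawned-schtasks:{task}")

    # 3. A dropped copy running under a system binary's name from the wrong place.
    if is_masquerade(ev.image):
        findings.append(f"image-masquerade:{ev.image}")

    # 4. w32tm /stripchart against localhost launched from cmd.exe: the batch
    #    files in the tree use it as a delay before relaunching explorer.exe.
    if name == "w32tm.exe" and "/stripchart" in ev.cmdline.lower() and parent == "cmd.exe":
        findings.append("w32tm-sleep")

    return findings


def analyse_all(events: list[ProcEvent]) -> list[tuple[int, str]]:
    """(pid, finding) pairs for every event; a list rather than a dict keyed by
    pid, because the report shows pids being reused within one run."""
    return [(ev.pid, f) for ev in events for f in analyse(ev)]


RECOVERY_DIR = r"C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c"
POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
DROPPER = r"C:\providercommon\DllCommonsvc.exe"

# Constructed from the report's process tree (pids as shown), plus one benign control.
SAMPLE_EVENTS = [
    ProcEvent(2720, DROPPER, '"' + DROPPER + '"', r"C:\Windows\SysWOW64\cmd.exe"),
    ProcEvent(2768, POWERSHELL,
              '"powershell" -Command Add-MpPreference -ExclusionPath ' + "'" + RECOVERY_DIR + r"\OSPPSVC.exe'",
              DROPPER),
    ProcEvent(2828, r"C:\Windows\Performance\WinSAT\DataStore\explorer.exe",
              r'"C:\Windows\Performance\WinSAT\DataStore\explorer.exe"', DROPPER),
    ProcEvent(1880, r"C:\Windows\system32\w32tm.exe",
              "w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2",
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent(1096, r"C:\Windows\system32\schtasks.exe",
              'schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "' + "'" + RECOVERY_DIR + r"\OSPPSVC.exe'" + '" /rl HIGHEST /f',
              r"C:\Windows\system32\wbem\wmiprvse.exe"),
    ProcEvent(1500, r"C:\Windows\explorer.exe", r"C:\Windows\Explorer.EXE",
              r"C:\Windows\System32\userinit.exe"),  # benign control, not from the report
]

if __name__ == "__main__":
    for pid, finding in analyse_all(SAMPLE_EVENTS):
        print(f"{pid:>5}  {finding}")
```

The w32tm rule deliberately requires a cmd.exe parent: w32tm /stripchart is an ordinary time-service diagnostic, and only its use as a sleep substitute inside a batch file (no native sleep in cmd) is interesting. On a live host the same two persistence artefacts can be checked directly with (Get-MpPreference).ExclusionPath and schtasks /query /v /fo LIST, looking for exclusion paths and task actions that point at the directories listed in the Drops file sections above.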
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_eb00a4c743bb349a57c2e5b41eff5db3e8c47ae0597bf78dfc540eebeabadb5a.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_eb00a4c743bb349a57c2e5b41eff5db3e8c47ae0597bf78dfc540eebeabadb5a.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2788 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2876 -
C:\Windows\SysWOW64\cmd.execmd /c ""C:\providercommon\1zu9dW.bat" "3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2584 -
C:\providercommon\DllCommonsvc.exe"C:\providercommon\DllCommonsvc.exe"4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2720 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2764
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\OSPPSVC.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2768
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\conhost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2736
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\explorer.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2972
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Panther\winlogon.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2388
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Desktop\explorer.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1284
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\DigitalLocker\ja-JP\wininit.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1328
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Performance\WinSAT\DataStore\explorer.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1352
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Journal\ja-JP\WmiPrvSE.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1684
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\System\DllCommonsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:112
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\dwm.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:344
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsass.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1736
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Internet Explorer\images\explorer.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:892
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\lsm.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1340
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\cmd.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1632
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Favorites\Links\winlogon.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1148
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\smss.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2772
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\spoolsv.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1096
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\images\on_desktop\DllCommonsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1620
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\logs\audiodg.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2360
-
-
C:\Windows\Performance\WinSAT\DataStore\explorer.exe"C:\Windows\Performance\WinSAT\DataStore\explorer.exe"5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2828 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rfuxuqwfwI.bat"6⤵PID:1708
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:27⤵PID:1880
-
-
C:\Windows\Performance\WinSAT\DataStore\explorer.exe"C:\Windows\Performance\WinSAT\DataStore\explorer.exe"7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1620 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UWW2tbEWSD.bat"8⤵PID:2896
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:29⤵PID:2516
-
-
C:\Windows\Performance\WinSAT\DataStore\explorer.exe"C:\Windows\Performance\WinSAT\DataStore\explorer.exe"9⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1140 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fcYyv3mAUp.bat"10⤵PID:2784
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:211⤵PID:1124
-
-
C:\Windows\Performance\WinSAT\DataStore\explorer.exe"C:\Windows\Performance\WinSAT\DataStore\explorer.exe"11⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1984 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UJpHfzfs2i.bat"12⤵PID:2340
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:213⤵PID:1148
-
-
C:\Windows\Performance\WinSAT\DataStore\explorer.exe"C:\Windows\Performance\WinSAT\DataStore\explorer.exe"13⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2080 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RdAvGBYmjZ.bat"14⤵PID:2896
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:215⤵PID:2248
-
-
C:\Windows\Performance\WinSAT\DataStore\explorer.exe"C:\Windows\Performance\WinSAT\DataStore\explorer.exe"15⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2224 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fH1ASKIIFN.bat"16⤵PID:1232
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:217⤵PID:2788
-
-
C:\Windows\Performance\WinSAT\DataStore\explorer.exe"C:\Windows\Performance\WinSAT\DataStore\explorer.exe"17⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2144 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HiXkD60p2N.bat"18⤵PID:2688
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:219⤵PID:2796
-
-
C:\Windows\Performance\WinSAT\DataStore\explorer.exe"C:\Windows\Performance\WinSAT\DataStore\explorer.exe"19⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1748 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bGwFtC02oQ.bat"20⤵PID:2644
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:221⤵PID:2196
-
-
C:\Windows\Performance\WinSAT\DataStore\explorer.exe"C:\Windows\Performance\WinSAT\DataStore\explorer.exe"21⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1376 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\M53DwaTFc6.bat"22⤵PID:340
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:223⤵PID:1772
-
-
C:\Windows\Performance\WinSAT\DataStore\explorer.exe"C:\Windows\Performance\WinSAT\DataStore\explorer.exe"23⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2108 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dhQfvaPZ4N.bat"24⤵PID:2832
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:225⤵PID:1952
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\OSPPSVC.exe'" /f
Depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2280
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\OSPPSVC.exe'" /rl HIGHEST /f
Depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1096
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\OSPPSVC.exe'" /rl HIGHEST /f
Depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1940
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows NT\conhost.exe'" /f
Depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2860
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\conhost.exe'" /rl HIGHEST /f
Depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3012
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows NT\conhost.exe'" /rl HIGHEST /f
Depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1632
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\explorer.exe'" /f
Depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1340
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\explorer.exe'" /rl HIGHEST /f
Depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1824
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\explorer.exe'" /rl HIGHEST /f
Depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1636
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Windows\Panther\winlogon.exe'" /f
Depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:296
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\Panther\winlogon.exe'" /rl HIGHEST /f
Depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1616
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Windows\Panther\winlogon.exe'" /rl HIGHEST /f
Depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1880
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Desktop\explorer.exe'" /f
Depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1048
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Public\Desktop\explorer.exe'" /rl HIGHEST /f
Depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2072
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Desktop\explorer.exe'" /rl HIGHEST /f
Depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:776
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Windows\DigitalLocker\ja-JP\wininit.exe'" /f
Depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1496
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\DigitalLocker\ja-JP\wininit.exe'" /rl HIGHEST /f
Depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:264
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Windows\DigitalLocker\ja-JP\wininit.exe'" /rl HIGHEST /f
Depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1892
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Windows\Performance\WinSAT\DataStore\explorer.exe'" /f
Depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2244
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\Performance\WinSAT\DataStore\explorer.exe'" /rl HIGHEST /f
Depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2940
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Windows\Performance\WinSAT\DataStore\explorer.exe'" /rl HIGHEST /f
Depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1256
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Journal\ja-JP\WmiPrvSE.exe'" /f
Depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1668
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\ja-JP\WmiPrvSE.exe'" /rl HIGHEST /f
Depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2312
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Journal\ja-JP\WmiPrvSE.exe'" /rl HIGHEST /f
Depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1868
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Common Files\System\DllCommonsvc.exe'" /f
Depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1872
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\System\DllCommonsvc.exe'" /rl HIGHEST /f
Depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1212
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Common Files\System\DllCommonsvc.exe'" /rl HIGHEST /f
Depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1860
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\dwm.exe'" /f
Depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1404
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\dwm.exe'" /rl HIGHEST /f
Depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:980
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\dwm.exe'" /rl HIGHEST /f
Depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1600
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsass.exe'" /f
Depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:760
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsass.exe'" /rl HIGHEST /f
Depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1984
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsass.exe'" /rl HIGHEST /f
Depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:928
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Program Files\Internet Explorer\images\explorer.exe'" /f
Depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1856
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\images\explorer.exe'" /rl HIGHEST /f
Depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2124
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Program Files\Internet Explorer\images\explorer.exe'" /rl HIGHEST /f
Depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1716
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\lsm.exe'" /f
Depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2448
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\All Users\lsm.exe'" /rl HIGHEST /f
Depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:608
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\lsm.exe'" /rl HIGHEST /f
Depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1692
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\cmd.exe'" /f
Depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1232
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f
Depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1540
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f
Depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2368
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Favorites\Links\winlogon.exe'" /f
Depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2432
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Admin\Favorites\Links\winlogon.exe'" /rl HIGHEST /f
Depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1956
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Favorites\Links\winlogon.exe'" /rl HIGHEST /f
Depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1000
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\smss.exe'" /f
Depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3024
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\smss.exe'" /rl HIGHEST /f
Depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3032
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\smss.exe'" /rl HIGHEST /f
Depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1588
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\providercommon\spoolsv.exe'" /f
Depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2924
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
Depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2800
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
Depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2920
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\images\on_desktop\DllCommonsvc.exe'" /f
Depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2636
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\images\on_desktop\DllCommonsvc.exe'" /rl HIGHEST /f
Depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2308
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\images\on_desktop\DllCommonsvc.exe'" /rl HIGHEST /f
Depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2852
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\audiodg.exe'" /f
Depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2612
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\audiodg.exe'" /rl HIGHEST /f
Depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2992
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\audiodg.exe'" /rl HIGHEST /f
Depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2600
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 c113c81005186c979ccc25f3256a0125
SHA1 61f8024e5a33fb70ecee05797f5d2753f1c10cd8
SHA256 c2df69e912c918026de0d623c20c7b3f923421046a6b12792f9d5603a4be1b3f
SHA512 54023de8b43c2619f6cf8ae89f1ddd084d0e575093db24be18ce42fa852d2dcb8bec01c742854ccff3aad85b891365b7625666c48a173b1694a189827f0b5177
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 b031c315b4a304cecced2b16f079af8d
SHA1 ec6fa74a7ec3e2b51e3c18c6923cf64af41f0161
SHA256 91ddeba7155dda33c712bd47770e79cf0e4f373b8738cc05297e4720324135a3
SHA512 8f8dc150ee58fe6fc1d027f9a507433c7bb92ee23b2f3e291b9977df297bfca0da1e04179865bf2141775a14d5b885081068eb03959c2d4ddd34dfa7693163f6
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 1a5a3e0c161be166851b2276397073bc
SHA1 82878c05716eb266426f3bb4d73ef1688a8b8aa3
SHA256 d2585b3563ff9956316ae08c5ced79ebec2b4e35dd63b5d4dd7c9f153cc93cc7
SHA512 6d50735b488255685c8f0a9e553e7d5c6233563b7f783f068f0889aeb616b1b92a39aace7272f62627ebc0297075f6976e843ed43b38e8d199ae5615bbf195da
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 75637693129fced1c880f357d212d474
SHA1 b1e3c412aedba74196c2fda886dd8b55ad3176f4
SHA256 0d5c6a9805ed0a0aa76aba92a31ed74f2cbcdd5df1907c761ea44030025c7f1a
SHA512 5bd669f5d0c8ef78f81662791db48999f397ed8a291150fd8eb57df02b4693b8d48b6aa8183a9e9f7c571c7bdf900d8573c84f119e4f8c94f072564e2d77b43f
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 9a103b413ef8a787b1c15a366e042725
SHA1 bcfea451f1e349bac0f064b69c275a3f89ff8fda
SHA256 4eaf53f5d83c1814a9193a587d41dec88fd1d534430cc9711a67e29b58e24071
SHA512 28854bcf54b8a86864029fe93abf707a4998a071f70f5629c1749e51aea1a85ada84f816ce19731614176b619efd7ffa065f3796026ee3d86df8937163a59129
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 4bd2125a72fba3d083075c06c7df7825
SHA1 13aa2e0e10bbf8ccde4d8fa9bbe16e304055872c
SHA256 2409e8de16dbb15a64b55e0bcbc760d5d89279c865a23a20ec9946d4cdcda58d
SHA512 2eba1a0c828ccd4ab99cd6728d61fe6496546eed13da4008e3574271456635ea43e1351b76b38d5e8cb50fb788185f3aab658cc024b9d60a0dd6f7b9afbdf3b9
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 61496b82d0442ed219d291aed165b6fa
SHA1 bff7d9a2caf00598b44b79a5d66c1472086efe9e
SHA256 e43aab7b03e864910bbe9c87a6473e9b2429acb01e2b648810c65efd7714b76e
SHA512 5add50c3919432057ef1c0a8ed4691b81fcd5851d30b1b8e82f5e2b77b0725f41c606f395020ec55c817680c14892d7c072934fc64c42ba11c188fda75384c92
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 d3e88f6ed54180eea5805bb481e4c22d
SHA1 d4ec0ad166aef6fd7ccda983d7a5978c7d7a7626
SHA256 f2b1baaea13285c639346e091220acb74508043ad938bcf30130a320fc8245e5
SHA512 337ca197d0d034df1ad4f47f9fdff7b782a5011fde1e6e23807dfa7805e4182adf579173437a6a4db72db76279d5ed16a304c24d47b95e191f879e601595225d
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 a29eefc4949c2aedb58d42b1dec84582
SHA1 4f7c89ced7f9e5b852b3884a6567c86d64f0eb03
SHA256 b8802b3076567e88260868755adba2e9429a976e1fb1ea97db91e6574b276f9d
SHA512 a5799ec08db3ec00de569e965f3b023618b2db8c1868b64408714daa6bac0411b2ad1e0967fd727230443f2fb40521c1e0d14f37f0ff55dd1911f87dfeae327a
-
Filesize 70KB
MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize 217B
MD5 5d501e8d4f37880e34f1665e0001eb09
SHA1 9013ac5abab0088d8755d9e2b085c6a73accd2d0
SHA256 7b05b3221ff86d89550aaba3dcdf18fea0a6dce09e067a4ed296429a3237246b
SHA512 e396c2fb7cd70904db7ea67affe621db92dc91e9ac37a58e50273795e203cdbfdcd51f41f06de1e87d3460f8b05aca4f95a09a173b21f026e8743111bca1f42f
-
Filesize 217B
MD5 6fe1b5b72b9c85af1c9e2678d8fa61bf
SHA1 0d59a75417ba8a4ff8c631c785755cdedb3b3148
SHA256 b665607f1c7d4e862349f2150bf3c38d8bcbe82ec3de01aa6fd47fffed67f821
SHA512 b9acab50702df87a0dc1223f09d5ed6b8018e359abc631054a6a9277bb0e74d68133b55ad7f053a86ed07cffee476594c13ef758b534f222f571cf4f79b2bcad
-
Filesize 217B
MD5 5696fad68a1b13749a2871fb08cb4cd5
SHA1 a1dc524f1df420fb5a5fb58177cc93ce2d039196
SHA256 c9911bfc5cd61aca2e97052a52868303fba32ae92f033f55da0bcae2b2b16803
SHA512 f87930be7d9af28ea7252fef09b431c1ec0414f7e50c1a59d78de09f70b0748dcc8b679c0e5923488b8165a235352b28047c15ba766e45df87ad59cee8b9073d
-
Filesize 181KB
MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize 217B
MD5 265394da537946ac78f39a5af08af10e
SHA1 bb27a774ed5273bf223b0eeff67ff6f931c38e7c
SHA256 5a6f7f82ac7ea8949ca32820ba6f54769feeca57ccaeb62fe69486219d42d685
SHA512 e0d588e4aae0f843997aa3e537417675b3c38b41271322c51f830a8d568f77ab599c336d01dc481f084c9559ace8bde4a502c3fdfec0c748c7fab3503ac86be9
-
Filesize 217B
MD5 3bfd3a8647d6c903c37b405922a85d70
SHA1 69ab5440d008f2798e5f5e2d44d0a346120e2c5d
SHA256 a91e7fa3ecd48e04b5d4c9e1700791582fe2225a060828f85c0ba6c73bdb2358
SHA512 ec4433800d654baaba35a9ff3a513257c7055cf92ea0acffebd96ffc6d39decacf52fea69f15036aa2dd4d17794109d894273ad3e82c76280c7c61dd883eec9d
-
Filesize 217B
MD5 028dc387a9faa111e5d0342e6d51430c
SHA1 2dda3a97cf84df54e3c28365eff8f3ad943e9eaf
SHA256 fa2c04049463b3e8bc56859978ab4b6a51e0e9f4141b20aaf38627b33f058980
SHA512 287167cb54269e46fed339c98308afd142e89c0e5348bb994beaeef7293a22f53b2c063ca79ec68353526dba9d6cc9eaa685bf96d23361ab16a554bb6b39b70d
-
Filesize 217B
MD5 f5c20c240378f60626c42794509d5f3d
SHA1 25d9ff57174e608861a7d63f59fc35f544f16f3a
SHA256 7305af1e628f951cf3a15866b79cea05394dd5402f114238c3980a0010d52329
SHA512 5704cc6cd925843436501d3630d9cb384cfc38ad383cbcd080f45c8f7ccbfbd8c765e7b9e39065de3e80f0b4e445158e8f929dd21607fe716fe62c5266f6efbc
-
Filesize 217B
MD5 e8deb66d965c4069f7d697a036fd37b8
SHA1 bdcefba9457282812fa5caf98f416188b3ac263b
SHA256 faa2c00860d6b927d23b3bd47b7202392a0c4863e31386842efe3f5649c59607
SHA512 3755c75b13651830fc47d6e6502e87cadb9303dedae29800faa6b4dbd1bdada8cc30ce9cc0232986e739dfb793447fab983e217733fa05892fb9f1fa2b438b49
-
Filesize 217B
MD5 7d9ac85071255b5a81a5ee0be39bd3f1
SHA1 b2ff0bb2ade19c19b206eb829b95737a8194f844
SHA256 63057371393706755d53c0078940c254ab17d8b5acfb8b4a847ac8c5d1219099
SHA512 294fb778a55a39ef27f83c0d686d4a11a64a9601f6e82710fc910b83499bbd7d4334c72c87954b94541d71e0f95f6dba780fca5eaa0b0f44219308635e4857f1
-
Filesize 217B
MD5 b11af91fc134d411cb835c5ed02e74ee
SHA1 c084e2ac4ff1c1dbe8836fa9988c8aab04412d00
SHA256 ff82a21a51686f4082c734129b5431df76afc21fc13d610c822d12c05c39e144
SHA512 e949eddbe04b39a36dabb2170e07b791ff6d1d64911ccedde1e70519b87049919bae09fdc92dd841285550fb357342a95ecd638d31bcd455c7c5627a9cf5730b
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize 7KB
MD5 fc22d44dc9b96bb7623193a2a574038e
SHA1 39c3b12be6cb1269e88a4d471c5422412b68264f
SHA256 991f26afd0cf42151bd34fcfa1ecd2e44670bf98fa7be1e08dfbabc0b29b5bb7
SHA512 cea2471a323826804c3e749384dca0b7c56eac2fc28f2222c70cf8c3a473807a0195215a5d20d796cafa2a99f98e98fb270724e29c3f3e985c416b471028c50e
-
Filesize 36B
MD5 6783c3ee07c7d151ceac57f1f9c8bed7
SHA1 17468f98f95bf504cc1f83c49e49a78526b3ea03
SHA256 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512 c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8
-
Filesize 1.0MB
MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
Filesize 197B
MD5 8088241160261560a02c84025d107592
SHA1 083121f7027557570994c9fc211df61730455bb5
SHA256 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA512 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478