Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system -
submitted
21-12-2024 20:22
Behavioral task
behavioral1
Sample
JaffaCakes118_4f1ef6cdf13530542fd4b9b40270d4e7917683628371a14b34866caf0d088498.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
JaffaCakes118_4f1ef6cdf13530542fd4b9b40270d4e7917683628371a14b34866caf0d088498.exe
Resource
win10v2004-20241007-en
General
-
Target
JaffaCakes118_4f1ef6cdf13530542fd4b9b40270d4e7917683628371a14b34866caf0d088498.exe
-
Size
1.3MB
-
MD5
dab58b486bea84b9ec67d457ca986a25
-
SHA1
9ec96b143ecb603f8080422c27a4f54d15cc218b
-
SHA256
4f1ef6cdf13530542fd4b9b40270d4e7917683628371a14b34866caf0d088498
-
SHA512
afe599aaae0b518533eb1cd76933d7dc0ef29a418cc886335a3f77b17d157b08900ee04e9491451a0f25341f7682ea1dfc68ab47dc2854e4dc90e649a6d75900
-
SSDEEP
24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal RAT (DCRat) is a .NET remote access trojan, active since June 2019, that can load additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 64 IoCs
This typically indicates the parent process was compromised via an exploit or macro. In this report the parent is WmiPrvSE.exe and every child is schtasks.exe; that is the parent/child shape produced when a process is started through WMI (Win32_Process.Create), so these rows are most plausibly the dropper registering its scheduled tasks via WMI, not evidence that the WMI provider host itself was exploited.
description | pid | pid_target | Process | procid_target
All 64 rows share the description "Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process", pid_target 2736, Process schtasks.exe and procid_target 34; they differ only in pid:
2072, 1108, 1416, 1152, 556, 1904, 2952, 1320, 2664, 2912, 2248, 580, 2924, 2092, 2232, 536, 1160, 772,
2140, 2208, 2132, 1876, 668, 1828, 2956, 444, 3052, 2004, 964, 1604, 2604, 888, 1180, 960, 2100, 2652,
2376, 2500, 1564, 1720, 748, 796, 2708, 1160, 1584, 2892, 1364, 2592, 2572, 2612, 2576, 2200, 444, 3052,
2788, 1708, 2916, 1632, 2516, 1860, 2868, 1776, 2908, 2368 -
resource | yara_rule
behavioral1/files/0x0008000000016ce1-9.dat | dcrat
behavioral1/memory/2820-13-0x0000000000FB0000-0x00000000010C0000-memory.dmp | dcrat
behavioral1/memory/624-98-0x0000000001110000-0x0000000001220000-memory.dmp | dcrat
behavioral1/memory/1584-175-0x0000000000C90000-0x0000000000DA0000-memory.dmp | dcrat
behavioral1/memory/376-302-0x00000000002A0000-0x00000000003B0000-memory.dmp | dcrat
behavioral1/memory/2488-362-0x0000000000120000-0x0000000000230000-memory.dmp | dcrat
behavioral1/memory/624-422-0x0000000000B60000-0x0000000000C70000-memory.dmp | dcrat
behavioral1/memory/2584-482-0x0000000000C70000-0x0000000000D80000-memory.dmp | dcrat
behavioral1/memory/2180-543-0x0000000000040000-0x0000000000150000-memory.dmp | dcrat
behavioral1/memory/404-603-0x0000000001070000-0x0000000001180000-memory.dmp | dcrat
behavioral1/memory/2340-663-0x00000000000B0000-0x00000000001C0000-memory.dmp | dcrat
behavioral1/memory/1860-723-0x00000000008C0000-0x00000000009D0000-memory.dmp | dcrat
behavioral1/memory/352-783-0x00000000009F0000-0x0000000000B00000-memory.dmp | dcrat -
Command and Scripting Interpreter: PowerShell 1 TTPs 32 IoCs
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths and processes. Every invocation visible in the process tree below is Add-MpPreference -ExclusionPath pointing at one of the dropped copies.
pid | Process
powershell.exe: 1648, 1712, 1376, 1844, 2232, 2092, 2600, 1884, 3036, 1676, 2376, 1000, 1992, 2816, 1232, 1876, 1828, 1784, 2392, 960, 2604, 636, 2300, 3064, 2108, 2520, 3060, 2116, 2928, 2088, 1212, 668 -
Executes dropped EXE 12 IoCs
pid | Process
2820 | DllCommonsvc.exe
624 | DllCommonsvc.exe
1584 | dllhost.exe
376 | dllhost.exe
2488 | dllhost.exe
624 | dllhost.exe
2584 | dllhost.exe
2180 | dllhost.exe
404 | dllhost.exe
2340 | dllhost.exe
1860 | dllhost.exe
352 | dllhost.exe -
Loads dropped DLL 2 IoCs
pid | Process
2680 | cmd.exe
2680 | cmd.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs
flow | ioc
5, 9, 12, 16, 19, 20, 31, 4, 24, 27, 34, 37 | raw.githubusercontent.com -
Drops file in Program Files directory 20 IoCs
description | ioc | Process
File created | C:\Program Files\Windows Mail\en-US\dllhost.exe | DllCommonsvc.exe
File created | C:\Program Files\Java\jre7\lib\images\cursors\audiodg.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\Windows Media Player\Network Sharing\886983d96e3d3e | DllCommonsvc.exe
File created | C:\Program Files\Google\f3b6ecef712a24 | DllCommonsvc.exe
File created | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\ja\services.exe | DllCommonsvc.exe
File opened for modification | C:\Program Files\Windows Journal\de-DE\lsm.exe | DllCommonsvc.exe
File created | C:\Program Files\Windows Mail\en-US\5940a34987c991 | DllCommonsvc.exe
File created | C:\Program Files (x86)\Windows Media Player\Network Sharing\csrss.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\Windows Photo Viewer\fr-FR\explorer.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\Windows Photo Viewer\fr-FR\7a0fd90576e088 | DllCommonsvc.exe
File created | C:\Program Files (x86)\Windows Mail\es-ES\services.exe | DllCommonsvc.exe
File created | C:\Program Files\Windows Journal\de-DE\lsm.exe | DllCommonsvc.exe
File created | C:\Program Files\Java\jre7\lib\images\cursors\42af1c969fbb7b | DllCommonsvc.exe
File created | C:\Program Files\Google\spoolsv.exe | DllCommonsvc.exe
File created | C:\Program Files\Windows Defender\de-DE\f3b6ecef712a24 | DllCommonsvc.exe
File created | C:\Program Files (x86)\Windows Mail\es-ES\c5b4cb5e9653cc | DllCommonsvc.exe
File created | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\ja\c5b4cb5e9653cc | DllCommonsvc.exe
File created | C:\Program Files\Windows Journal\de-DE\101b941d020240 | DllCommonsvc.exe
File opened for modification | C:\Program Files\Java\jre7\lib\images\cursors\audiodg.exe | DllCommonsvc.exe
File created | C:\Program Files\Windows Defender\de-DE\spoolsv.exe | DllCommonsvc.exe -
Drops file in Windows directory 10 IoCs
description | ioc | Process
File created | C:\Windows\TAPI\cmd.exe | DllCommonsvc.exe
File created | C:\Windows\ehome\MediaRenderer\69ddcba757bf72 | DllCommonsvc.exe
File created | C:\Windows\de-DE\6203df4a6bafc7 | DllCommonsvc.exe
File created | C:\Windows\Help\Windows\de-DE\886983d96e3d3e | DllCommonsvc.exe
File created | C:\Windows\Panther\setup.exe\smss.exe | DllCommonsvc.exe
File created | C:\Windows\TAPI\ebf1f9fa8afd6d | DllCommonsvc.exe
File created | C:\Windows\ehome\MediaRenderer\smss.exe | DllCommonsvc.exe
File created | C:\Windows\de-DE\lsass.exe | DllCommonsvc.exe
File created | C:\Windows\Help\Windows\de-DE\csrss.exe | DllCommonsvc.exe
File created | C:\Windows\Panther\setup.exe\69ddcba757bf72 | DllCommonsvc.exe -
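The Add-MpPreference command lines in the PowerShell section and the drop paths in the two "Drops file" sections describe one trick from two angles: the dropper copies itself under core Windows binary names into directories where those binaries never live, then excludes exactly those paths from Defender. The following is an added example (mine, not code from the report or from any vendor tool) that parses the exclusion out of each command line, checks whether the excluded file name is an OS binary sitting outside its legitimate directory, and cross-references each exclusion with the dropped-file list. The command lines and paths are copied from this report; the CORE_BINARIES and ALLOWED_DIRS tables and the '.lic' control case are assumptions.

```python
"""Triage Defender exclusions added with Add-MpPreference against dropped files.

Added example, not from the sandbox report. Command lines and paths below are
taken from this report; CORE_BINARIES, ALLOWED_DIRS and the '.lic' control
case are assumptions, not an authoritative map of where Windows binaries live.
"""
import re
from pathlib import PureWindowsPath

# Core Windows binary names this dropper reuses for its copies.
CORE_BINARIES = {
    "csrss.exe", "lsass.exe", "smss.exe", "services.exe", "wininit.exe",
    "dllhost.exe", "explorer.exe", "audiodg.exe", "spoolsv.exe", "lsm.exe",
    "dwm.exe", "taskhost.exe", "wmiprvse.exe", "cmd.exe", "svchost.exe",
}
# Lower-cased directories where a file with one of those names is expected (assumed).
ALLOWED_DIRS = {
    r"c:\windows\system32", r"c:\windows\syswow64",
    r"c:\windows\system32\wbem", r"c:\windows",
}
# -ExclusionPath / -ExclusionProcess / -ExclusionExtension followed by a
# single-quoted, double-quoted or bare value.
EXCLUSION_RE = re.compile(
    r"Add-MpPreference\s+-(ExclusionPath|ExclusionProcess|ExclusionExtension)\s+"
    r"(?:'([^']*)'|\"([^\"]*)\"|(\S+))",
    re.IGNORECASE,
)


def parse_exclusions(cmdline):
    """[(kind, value)] for every Add-MpPreference exclusion in one command line."""
    found = []
    for m in EXCLUSION_RE.finditer(cmdline):
        value = next(g for g in m.groups()[1:] if g is not None)
        found.append((m.group(1), value))
    return found


def masquerade_verdict(path):
    """'masquerade' when a core-binary name sits outside its expected directory."""
    p = PureWindowsPath(path)
    if p.name.lower() not in CORE_BINARIES:
        return "other"
    return "expected" if str(p.parent).lower() in ALLOWED_DIRS else "masquerade"


def triage(cmdlines, dropped_paths):
    """One finding per exclusion, cross-referenced with the dropped-file list."""
    dropped = {d.lower() for d in dropped_paths}
    findings = []
    for cl in cmdlines:
        for kind, value in parse_exclusions(cl):
            verdict = ("extension" if kind.lower() == "exclusionextension"
                       else masquerade_verdict(value))
            findings.append({"kind": kind, "value": value, "verdict": verdict,
                             "matches_dropped_file": value.lower() in dropped})
    return findings


# Constructed input: four command lines and three drop paths copied from this
# report, plus one assumed benign-looking extension exclusion as a control.
PS = '"powershell" -Command Add-MpPreference -ExclusionPath '
SAMPLE_CMDLINES = [
    PS + r"'C:\providercommon\DllCommonsvc.exe'",
    PS + r"'C:\Program Files\Windows Journal\de-DE\lsm.exe'",
    PS + r"'C:\Windows\de-DE\lsass.exe'",
    PS + r"'C:\Users\Public\Desktop\WmiPrvSE.exe'",
    "powershell -Command Add-MpPreference -ExclusionExtension '.lic'",  # assumed control
]
SAMPLE_DROPS = [
    r"C:\Program Files\Windows Journal\de-DE\lsm.exe",
    r"C:\Windows\de-DE\lsass.exe",
    r"C:\Windows\TAPI\cmd.exe",
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_CMDLINES, SAMPLE_DROPS):
        print(finding)
```

On a live host the same functions can be fed the ExclusionPath list from Get-MpPreference and a directory listing; a "masquerade" verdict on a path that is also a Defender exclusion is a strong enough signal to pull the file regardless of what the AV engine says about it.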
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of the victim in order to infer the geographical location of the host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_4f1ef6cdf13530542fd4b9b40270d4e7917683628371a14b34866caf0d088498.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
schtasks.exe: 2868, 2368, 2852, 2844, 2556, 960, 748, 2516, 2232, 1632, 1040, 2908, 2212, 3052, 2100, 2500, 1656, 2416, 592, 2604, 1364, 2788, 1564, 2708, 2892, 1636, 2772, 2924, 444, 2652, 1708, 2248, 536, 2376, 2572, 964, 1604, 2612, 2576, 2248, 1828, 2004, 1160, 2148, 1528, 580, 2092, 2956, 1744, 2132, 668, 1064, 772, 2208, 444, 1472, 1152, 1904, 2912, 2916, 796, 1584, 2592, 2952 -
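The WmiPrvSE.exe to schtasks.exe rows in the "Process spawned unexpected child process" section and the 64 schtasks.exe IoCs listed here are what a process-creation rule should catch on a real host. The following is an added example, not part of this report or of any sandbox tooling: it runs two checks over constructed Sysmon-style process-creation records modelled on this report's tree (the field names, the sample.exe placeholder, the explorer.exe parent pid 1000 and the schtasks pids 4000-4063 are assumptions), namely an unexpected parent/child table and a per-parent burst count of schtasks.exe creations, and walks a PID back to its root to reconstruct the WScript to cmd to dropped-EXE chain the report shows.

```python
"""Parent/child anomaly and schtasks burst detection over process-creation records.

Added example, not from the sandbox report. The records are constructed to
mirror this report's process tree; the field names loosely follow Sysmon
Event ID 1 and are an assumption, as are the placeholder image 'sample.exe',
the explorer.exe parent pid 1000 and the schtasks pids 4000-4063.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Parent images that should not be spawning these children directly.
# WmiPrvSE.exe -> schtasks.exe is the shape Win32_Process.Create produces, so a
# hit means "something is creating tasks via WMI", not "WMI was exploited".
UNEXPECTED_PARENT_CHILD = {
    "wmiprvse.exe": {"schtasks.exe", "cmd.exe", "powershell.exe"},
    "wscript.exe": {"cmd.exe", "powershell.exe"},
}
SCHTASKS_BURST_THRESHOLD = 10                   # schtasks.exe creations per parent ...
SCHTASKS_BURST_WINDOW = timedelta(seconds=30)   # ... inside this sliding window


def image_name(path):
    """Lower-cased file name of an image path (tolerates / or \\ separators)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def unexpected_children(events):
    """(parent_pid, parent_image, child_pid, child_image) for every anomalous pair."""
    hits = []
    for ev in events:
        parent, child = image_name(ev["parent_image"]), image_name(ev["image"])
        if child in UNEXPECTED_PARENT_CHILD.get(parent, ()):
            hits.append((ev["parent_pid"], parent, ev["pid"], child))
    return hits


def lineage(events, pid):
    """Image names from pid back to the root, following parent_pid links."""
    by_pid = {ev["pid"]: ev for ev in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:   # 'seen' guards against pid-reuse loops
        seen.add(pid)
        chain.append(image_name(by_pid[pid]["image"]))
        pid = by_pid[pid]["parent_pid"]
    return chain


def schtasks_bursts(events):
    """{parent_pid: largest number of schtasks.exe creations inside one window}."""
    per_parent = defaultdict(list)
    for ev in events:
        if image_name(ev["image"]) == "schtasks.exe":
            per_parent[ev["parent_pid"]].append(ev["time"])
    bursts = {}
    for ppid, times in per_parent.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > SCHTASKS_BURST_WINDOW:
                start += 1
            count = end - start + 1
            if count >= SCHTASKS_BURST_THRESHOLD:
                bursts[ppid] = max(bursts.get(ppid, 0), count)
    return bursts


def build_sample_events():
    """Constructed records modelled on this report's tree (not real telemetry)."""
    t0 = datetime(2024, 12, 21, 20, 22, 0)

    def rec(offset, pid, ppid, image, parent_image):
        return {"time": t0 + timedelta(seconds=offset), "pid": pid,
                "parent_pid": ppid, "image": image, "parent_image": parent_image}

    sample = r"C:\Users\Admin\AppData\Local\Temp\sample.exe"
    events = [
        rec(0, 2672, 1000, sample, r"C:\Windows\explorer.exe"),
        rec(1, 2860, 2672, r"C:\Windows\SysWOW64\WScript.exe", sample),
        rec(2, 2680, 2860, r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\SysWOW64\WScript.exe"),
        rec(3, 2820, 2680, r"C:\providercommon\DllCommonsvc.exe", r"C:\Windows\SysWOW64\cmd.exe"),
    ]
    # 64 schtasks.exe children of WmiPrvSE.exe (pid 2736), four per second.
    for i, pid in enumerate(range(4000, 4064)):
        events.append(rec(5 + i // 4, pid, 2736, r"C:\Windows\System32\schtasks.exe",
                          r"C:\Windows\system32\wbem\wmiprvse.exe"))
    return events


if __name__ == "__main__":
    evs = build_sample_events()
    hits = unexpected_children(evs)
    print(f"{len(hits)} unexpected parent/child pairs, first: {hits[0]}")
    print("lineage of 2820:", " <- ".join(lineage(evs, 2820)))
    print("schtasks bursts by parent pid:", schtasks_bursts(evs))
```

The burst rule is the one that survives renaming: a dropper can call its copies anything, but 64 task registrations from one parent in a few seconds has no benign counterpart on a workstation.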
Suspicious behavior: EnumeratesProcesses 50 IoCs
pid | Process
2820 | DllCommonsvc.exe (x3)
3064, 1784, 1844, 1000, 1376, 2392, 3060, 1676, 2520, 3036, 1992, 2108 | powershell.exe
624 | DllCommonsvc.exe (x5)
1828, 960, 2092, 2600, 2376, 1712, 2604, 668, 2816, 1884, 1648, 1876, 1212, 2300, 636, 2088, 2928, 1232, 2116, 2232 | powershell.exe
1584, 376, 2488, 624, 2584, 2180, 404, 2340, 1860, 352 | dllhost.exe -
Suspicious use of AdjustPrivilegeToken 44 IoCs
description | pid | Process
All 44 rows are Token: SeDebugPrivilege.
2820 | DllCommonsvc.exe
3064, 1784, 1844, 1000, 1376, 2392, 3060, 1676, 2520, 3036, 1992, 2108 | powershell.exe
624 | DllCommonsvc.exe
1828, 960, 2092, 2600, 2376, 1712, 2604, 668, 2816, 1884, 1648, 1876, 1212, 2300, 636, 2088, 2928, 1232, 2116 | powershell.exe
1584 | dllhost.exe
2232 | powershell.exe
376, 2488, 624, 2584, 2180, 404, 2340, 1860, 352 | dllhost.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
(64 rows in the report; identical rows are collapsed with their count.)
PID 2672 wrote to memory of 2860 (x4) | 2672 | JaffaCakes118_4f1ef6cdf13530542fd4b9b40270d4e7917683628371a14b34866caf0d088498.exe | 30
PID 2860 wrote to memory of 2680 (x4) | 2860 | WScript.exe | 31
PID 2680 wrote to memory of 2820 (x4) | 2680 | cmd.exe | 33
PID 2820 wrote to memory of 3036 (x3) | 2820 | DllCommonsvc.exe | 68
PID 2820 wrote to memory of 1000 (x3) | 2820 | DllCommonsvc.exe | 69
PID 2820 wrote to memory of 3064 (x3) | 2820 | DllCommonsvc.exe | 70
PID 2820 wrote to memory of 1376 (x3) | 2820 | DllCommonsvc.exe | 71
PID 2820 wrote to memory of 2108 (x3) | 2820 | DllCommonsvc.exe | 72
PID 2820 wrote to memory of 1844 (x3) | 2820 | DllCommonsvc.exe | 73
PID 2820 wrote to memory of 1784 (x3) | 2820 | DllCommonsvc.exe | 74
PID 2820 wrote to memory of 1676 (x3) | 2820 | DllCommonsvc.exe | 75
PID 2820 wrote to memory of 2520 (x3) | 2820 | DllCommonsvc.exe | 76
PID 2820 wrote to memory of 2392 (x3) | 2820 | DllCommonsvc.exe | 77
PID 2820 wrote to memory of 1992 (x3) | 2820 | DllCommonsvc.exe | 78
PID 2820 wrote to memory of 3060 (x3) | 2820 | DllCommonsvc.exe | 79
PID 2820 wrote to memory of 3000 (x3) | 2820 | DllCommonsvc.exe | 86
PID 3000 wrote to memory of 1452 (x3) | 3000 | cmd.exe | 94
PID 3000 wrote to memory of 624 (x3) | 3000 | cmd.exe | 95
PID 624 wrote to memory of 1212 (x3) | 624 | DllCommonsvc.exe | 153
PID 624 wrote to memory of 2816 (x3) | 624 | DllCommonsvc.exe | 154
PID 624 wrote to memory of 2232 (x1) | 624 | DllCommonsvc.exe | 155 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
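The report shows 64 schtasks.exe invocations and the Task Scheduler COM API signature but not the task definitions they produced; on a host those live as XML files under C:\Windows\System32\Tasks. The following is an added example (mine, not from the report) that scores one task definition the way a responder would after this sample: an Exec command in a user-writable or non-standard root, logon or boot triggers, a short repetition interval, a HighestAvailable run level and the Hidden flag. The task XML, the WRITABLE_ROOTS list and the ten-minute threshold are constructed assumptions, not recovered from this sample.

```python
"""Score a Task Scheduler XML definition for persistence traits.

Added example, not from the sandbox report, which shows the schtasks.exe
invocations but not the task definitions they produced. Both task XML
documents below are constructed; WRITABLE_ROOTS and SHORT_REPEAT are assumptions.
"""
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Roots an OS-owned task's Exec command should not point into (assumed list).
WRITABLE_ROOTS = ("c:\\users\\", "c:\\recovery\\", "c:\\msocache\\",
                  "c:\\programdata\\", "c:\\providercommon\\")
SHORT_REPEAT = 10 * 60   # seconds; a tighter repetition than this is rare for OS tasks


def iso_duration_seconds(text):
    """Seconds for the ISO-8601 duration subset Task Scheduler writes (PT5M, PT1H30M, P1D)."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", text or "")
    if not m:
        return None
    days, hours, minutes, seconds = (int(g) if g else 0 for g in m.groups())
    return days * 86400 + hours * 3600 + minutes * 60 + seconds


def assess_task(xml_text):
    """Return {'command', 'reasons', 'suspicious'} for one task definition."""
    root = ET.fromstring(xml_text)
    command = root.findtext("t:Actions/t:Exec/t:Command", default="", namespaces=NS)
    run_level = root.findtext("t:Principals/t:Principal/t:RunLevel", default="", namespaces=NS)
    hidden = root.findtext("t:Settings/t:Hidden", default="false", namespaces=NS)
    reasons = []
    if command.strip('"').lower().startswith(WRITABLE_ROOTS):
        reasons.append("exec command in user-writable location")
    for trigger in root.findall("t:Triggers/*", NS):
        kind = trigger.tag.split("}")[-1]          # strip the namespace
        interval = iso_duration_seconds(
            trigger.findtext("t:Repetition/t:Interval", namespaces=NS))
        if interval is not None and interval <= SHORT_REPEAT:
            reasons.append(f"{kind} repeats every {interval}s")
        if kind in ("LogonTrigger", "BootTrigger"):
            reasons.append(f"{kind} present")
    if run_level == "HighestAvailable":
        reasons.append("runs with highest available privileges")
    if hidden.strip().lower() == "true":
        reasons.append("task hidden")
    # Two independent traits is the (assumed) bar for flagging a task.
    return {"command": command, "reasons": reasons, "suspicious": len(reasons) >= 2}


# Constructed definition of the kind a dropper would register for one of the
# masquerading copies listed in this report (not recovered from the sample).
SUSPICIOUS_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <LogonTrigger><Enabled>true</Enabled></LogonTrigger>
    <TimeTrigger>
      <Repetition><Interval>PT5M</Interval></Repetition>
      <StartBoundary>2024-12-21T20:22:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Principals><Principal id="Author"><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions Context="Author">
    <Exec><Command>"C:\\Recovery\\1f5748e2-69f6-11ef-b486-62cb582c238c\\smss.exe"</Command></Exec>
  </Actions>
</Task>"""

# Constructed benign control: a daily maintenance task whose binary lives in System32.
BENIGN_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><StartBoundary>2024-01-01T03:00:00</StartBoundary>
    <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
  <Principals><Principal id="Author"><RunLevel>LeastPrivilege</RunLevel></Principal></Principals>
  <Actions Context="Author"><Exec><Command>%SystemRoot%\\System32\\defrag.exe</Command></Exec></Actions>
</Task>"""

if __name__ == "__main__":
    for label, xml in (("suspicious", SUSPICIOUS_TASK), ("benign", BENIGN_TASK)):
        print(label, assess_task(xml))
```

On a live host, open each file under C:\Windows\System32\Tasks in binary mode and pass it to xml.etree.ElementTree.parse rather than decoding it first: the files are UTF-16 with a BOM and carry a matching XML declaration, which the parser handles when it receives bytes.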
Processes
Nesting and the [depth] marker show the parent/child relationship. WScript.exe and cmd.exe run from C:\Windows\SysWOW64 although their command lines name System32: the sample runs as a 32-bit process, so WOW64 file-system redirection applies.
[1] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4f1ef6cdf13530542fd4b9b40270d4e7917683628371a14b34866caf0d088498.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4f1ef6cdf13530542fd4b9b40270d4e7917683628371a14b34866caf0d088498.exe"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 2672
  [2] C:\Windows\SysWOW64\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 2860
    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c ""C:\providercommon\1zu9dW.bat" "
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        PID: 2680
      [4] C:\providercommon\DllCommonsvc.exe
          Command line: "C:\providercommon\DllCommonsvc.exe"
          - Executes dropped EXE
          - Drops file in Program Files directory
          - Drops file in Windows directory
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          PID: 2820
        [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 3036
        [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Journal\de-DE\lsm.exe'
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 1000
        [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\en-US\dllhost.exe'
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 3064
        [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Cookies\taskhost.exe'
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 1376
        [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Media Player\Network Sharing\csrss.exe'
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 2108
        [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\TAPI\cmd.exe'
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 1844
        [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\SendTo\csrss.exe'
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 1784
        [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\smss.exe'
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 1676
        [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dllhost.exe'
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 2520
        [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\smss.exe'
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 2392
        [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\services.exe'
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 1992
        [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\spoolsv.exe'
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 3060
        [5] C:\Windows\System32\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nbmyZnkczp.bat"
            - Suspicious use of WriteProcessMemory
            PID: 3000
          [6] C:\Windows\system32\w32tm.exe
              Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              PID: 1452
              (w32tm /stripchart against localhost with a short period and sample count is a common stand-in for a sleep of a few seconds in batch droppers; here it delays the relaunch of the payload below.)
          [6] C:\providercommon\DllCommonsvc.exe
              Command line: "C:\providercommon\DllCommonsvc.exe"
              - Executes dropped EXE
              - Drops file in Program Files directory
              - Drops file in Windows directory
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of WriteProcessMemory
              PID: 624
            [7] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
                - Command and Scripting Interpreter: PowerShell
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
                PID: 1212
            [7] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\jre7\lib\images\cursors\audiodg.exe'
                - Command and Scripting Interpreter: PowerShell
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
                PID: 2816
            [7] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dllhost.exe'
                - Command and Scripting Interpreter: PowerShell
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
                PID: 2232
            [7] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Defender\de-DE\spoolsv.exe'
                - Command and Scripting Interpreter: PowerShell
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
                PID: 1648
            [7] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'
                - Command and Scripting Interpreter: PowerShell
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
                PID: 1232
            [7] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ehome\MediaRenderer\smss.exe'
                - Command and Scripting Interpreter: PowerShell
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
                PID: 668
            [7] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\de-DE\lsass.exe'
                - Command and Scripting Interpreter: PowerShell
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
                PID: 2092
            [7] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Help\Windows\de-DE\csrss.exe'
                - Command and Scripting Interpreter: PowerShell
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
                PID: 1876
            [7] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Desktop\WmiPrvSE.exe'
                - Command and Scripting Interpreter: PowerShell
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
                PID: 1828
            [7] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Google\spoolsv.exe'
                - Command and Scripting Interpreter: PowerShell
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
                PID: 2116
            [7] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\wininit.exe'
                - Command and Scripting Interpreter: PowerShell
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
                PID: 2928
            [7] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\explorer.exe'
                - Command and Scripting Interpreter: PowerShell
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
                PID: 2088
            [7] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Panther\setup.exe\smss.exe'
                - Command and Scripting Interpreter: PowerShell
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
                PID: 960
            [7] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\lsass.exe'
                - Command and Scripting Interpreter: PowerShell
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
                PID: 2604
            [7] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\es-ES\services.exe'
                - Command and Scripting Interpreter: PowerShell
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
                PID: 1712
            [7] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\dwm.exe'
                - Command and Scripting Interpreter: PowerShell
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
                PID: 636
            [7] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dllhost.exe'
                - Command and Scripting Interpreter: PowerShell
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
                PID: 2376
            [7] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\ja\services.exe'
                - Command and Scripting Interpreter: PowerShell
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
                PID: 2300
            [7] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dwm.exe'
                - Command and Scripting Interpreter: PowerShell
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
                PID: 2600
            [7] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\services.exe'
                - Command and Scripting Interpreter: PowerShell
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
PID:1884
-
-
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dllhost.exe"C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dllhost.exe"7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1584 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FnVhX1xwia.bat"8⤵PID:836
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:29⤵PID:832
-
-
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dllhost.exe"C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dllhost.exe"9⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:376 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pCY6B1XXru.bat"10⤵PID:2908
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:211⤵PID:1076
-
-
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dllhost.exe"C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dllhost.exe"11⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2488 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LkcfmFI5TJ.bat"12⤵PID:2100
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:213⤵PID:2436
-
-
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dllhost.exe"C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dllhost.exe"13⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:624 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VhvmsyECnd.bat"14⤵PID:2612
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:215⤵PID:2932
-
-
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dllhost.exe"C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dllhost.exe"15⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2584 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qRj2XQE6t6.bat"16⤵PID:1808
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:217⤵PID:2972
-
-
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dllhost.exe"C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dllhost.exe"17⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2180 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wKGJ2NUoAL.bat"18⤵PID:2012
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:219⤵PID:2920
-
-
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dllhost.exe"C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dllhost.exe"19⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:404 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\j95GpUP4tv.bat"20⤵PID:2116
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:221⤵PID:1604
-
-
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dllhost.exe"C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dllhost.exe"21⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2340 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0LMDaVm4bI.bat"22⤵PID:1824
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:223⤵PID:2504
-
-
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dllhost.exe"C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dllhost.exe"23⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1860 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6VAw4LgrmW.bat"24⤵PID:2672
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:225⤵PID:964
-
-
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dllhost.exe"C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dllhost.exe"25⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:352 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DGa94wSM8j.bat"26⤵PID:1664
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:227⤵PID:2860
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Journal\de-DE\lsm.exe'" /f1⤵
- Process spawned unexpected child process
PID:2072
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\de-DE\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:1108
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Journal\de-DE\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:1416
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Mail\en-US\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1152
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\en-US\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:556
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Mail\en-US\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1904
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Cookies\taskhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2952
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Default\Cookies\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:1320
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Cookies\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:2664
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Media Player\Network Sharing\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2912
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\Network Sharing\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2248
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Media Player\Network Sharing\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:580
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Windows\TAPI\cmd.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2924
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\TAPI\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2092
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Windows\TAPI\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2232
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Users\Default\SendTo\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:536
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default\SendTo\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:1160
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Users\Default\SendTo\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:772
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\smss.exe'" /f1⤵
- Process spawned unexpected child process
PID:2140
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2208
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2132
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\providercommon\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
PID:1876
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:668
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1828
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2956
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:444
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3052
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\services.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2004
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:964
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1604
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Users\Default\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2604
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Default\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:888
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Users\Default\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:1180
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Program Files\Java\jre7\lib\images\cursors\audiodg.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:960
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\Java\jre7\lib\images\cursors\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2100
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Program Files\Java\jre7\lib\images\cursors\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2652
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\providercommon\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2376
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2500
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1564
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Defender\de-DE\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
PID:1720
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\de-DE\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:748
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Defender\de-DE\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:796
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\providercommon\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2708
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1160
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1584
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Windows\ehome\MediaRenderer\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2892
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\ehome\MediaRenderer\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1364
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Windows\ehome\MediaRenderer\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2592
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Windows\de-DE\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2572
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\de-DE\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2612
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Windows\de-DE\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2576
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Windows\Help\Windows\de-DE\csrss.exe'" /f1⤵
- Process spawned unexpected child process
PID:2200
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Help\Windows\de-DE\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:444
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Windows\Help\Windows\de-DE\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:3052
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Desktop\WmiPrvSE.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2788
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Public\Desktop\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1708
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Desktop\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2916
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Program Files\Google\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1632
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Google\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2516
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Program Files\Google\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:1860
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\providercommon\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2868
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\providercommon\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:1776
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\providercommon\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2908
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\explorer.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2368
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\explorer.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:1656
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\explorer.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:2148
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Windows\Panther\setup.exe\smss.exe'" /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:1064
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\Panther\setup.exe\smss.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:2416
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Windows\Panther\setup.exe\smss.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:2212
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\lsass.exe'" /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:2852
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\lsass.exe'" /rl HIGHEST /f1⤵PID:2832
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\lsass.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:1636
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Mail\es-ES\services.exe'" /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:2844
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\es-ES\services.exe'" /rl HIGHEST /f1⤵PID:1076
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Mail\es-ES\services.exe'" /rl HIGHEST /f1⤵PID:2324
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\dwm.exe'" /f1⤵PID:1756
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f1⤵PID:2440
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f1⤵PID:2864
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dllhost.exe'" /f1⤵PID:868
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:2248
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:1528
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\ja\services.exe'" /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:2556
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\ja\services.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:1040
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\ja\services.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:1744
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dwm.exe'" /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:1472
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dwm.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:2772
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dwm.exe'" /rl HIGHEST /f1⤵PID:1248
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\services.exe'" /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:592
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\services.exe'" /rl HIGHEST /f1⤵PID:2108
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\services.exe'" /rl HIGHEST /f1⤵PID:892
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
239B
MD5a524633558235d1d74a2dcd53a0ff142
SHA188ae65300c6ba44abea19438e1a512807bb5183e
SHA256c82b6fc93d1578aa8e07cd419d0c081f6b8cbe3aafa424a7ae220129226919b8
SHA512bfffe11f1edfc6649f37c2600dd6c37480b1c1199d3ceeaa5dbcc16386dd392ed5dcc779d6c1abd0ad309a681355bbab9f1f44f6a48f10d7131678ec4170b1ad
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize7KB
MD56375a0456397b0326195ff3f945e3862
SHA1cc62656c6263c068b2565bbc63548a35a339a471
SHA256f0fb1864f7db809ec3ca5145ef38169718086c71cee7deffd01241022d52439d
SHA5128f899fbd43ed8317d23c97367b779e83d639c03d30c14c85ff6b2cdb9d193aa87ef78127b40ba3cd745f6e949125dc5d0895f65b3b39017cc32c7e80e102bcc5
-
Filesize
36B
MD56783c3ee07c7d151ceac57f1f9c8bed7
SHA117468f98f95bf504cc1f83c49e49a78526b3ea03
SHA2568ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8
-
Filesize
223B
MD5d6f4342c769b6a2c68e8eb6ed47112c5
SHA1299594195204170688a10a5f94b2fe350fdad812
SHA2563dce7f286c76941f922a9ed62f54a329463ddbf86f0f172be1d5b92827a9e967
SHA51251cc5d4df0e9d2509ab36e4e58868cfcd9082b2e20e80df14369f48d5061768a15d6bf35566ccc7dd678c3c5d269f8cf151243b9e660f78af67430c8d5d86903
-
Filesize
197B
MD58088241160261560a02c84025d107592
SHA1083121f7027557570994c9fc211df61730455bb5
SHA2562072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA51220d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478
-
Filesize
1.0MB
MD5bd31e94b4143c4ce49c17d3af46bcad0
SHA1f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394