Analysis
max time kernel: 148s
max time network: 149s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 21-12-2024 19:41

Behavioral task: behavioral1
Sample: JaffaCakes118_bc6b40b3180dcada72104c60cc530bd2b9d83d7410c3ea6883f9cd19f82b4612.exe
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: JaffaCakes118_bc6b40b3180dcada72104c60cc530bd2b9d83d7410c3ea6883f9cd19f82b4612.exe
Resource: win10v2004-20241007-en
General
Target: JaffaCakes118_bc6b40b3180dcada72104c60cc530bd2b9d83d7410c3ea6883f9cd19f82b4612.exe
Size: 1.3MB
MD5: 646cd1f42241609de75b80e3c53f7221
SHA1: b3cb0329c945c1ec12f5dc08f5ada9b721963a97
SHA256: bc6b40b3180dcada72104c60cc530bd2b9d83d7410c3ea6883f9cd19f82b4612
SHA512: 9c62c222fba506bf84d0f432901864b101f639695be833559426de4e0c329e549ae295aa9d02a41d9ce593b43f437445832be458eeb9da4fa800a418d3cd9bae
SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config

Signatures

DcRat
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

Dcrat family

Process spawned unexpected child process 54 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description / pid / pid_target / Process / procid_target
description: Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process (all 54 entries)
pid_target: 2724, Process: schtasks.exe, procid_target: 34 (all 54 entries)
pid, in report order: 2744, 2776, 2160, 2668, 2300, 2648, 1992, 676, 1104, 2104, 2168, 2592, 2824, 3068, 2148, 2020, 2432, 2044, 2028, 264, 2236, 1544, 588, 1868, 2080, 392, 3004, 2204, 2136, 1044, 1244, 1340, 936, 2316, 620, 1556, 1720, 1740, 2480, 1664, 2172, 2400, 1648, 2984, 2360, 1828, 1280, 884, 1960, 1576, 1940, 2036, 3032, 2264
resource / yara_rule
behavioral1/files/0x000800000001748f-12.dat  dcrat
behavioral1/memory/2712-13-0x0000000000A50000-0x0000000000B60000-memory.dmp  dcrat
behavioral1/memory/1612-156-0x0000000000DB0000-0x0000000000EC0000-memory.dmp  dcrat
behavioral1/memory/2236-215-0x00000000013B0000-0x00000000014C0000-memory.dmp  dcrat
behavioral1/memory/1728-335-0x0000000000290000-0x00000000003A0000-memory.dmp  dcrat
behavioral1/memory/2480-395-0x0000000000C00000-0x0000000000D10000-memory.dmp  dcrat
behavioral1/memory/3056-455-0x00000000000C0000-0x00000000001D0000-memory.dmp  dcrat
behavioral1/memory/1028-515-0x0000000000080000-0x0000000000190000-memory.dmp  dcrat
behavioral1/memory/2648-575-0x0000000000380000-0x0000000000490000-memory.dmp  dcrat
behavioral1/memory/2348-635-0x0000000000D10000-0x0000000000E20000-memory.dmp  dcrat
Command and Scripting Interpreter: PowerShell 1 TTPs 19 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid / Process: 2976, 2720, 2892, 2840, 2908, 2780, 1140, 2900, 2216, 2196, 236, 1028, 2864, 2896, 2620, 2652, 3040, 3028, 2832 (all powershell.exe)
Executes dropped EXE 11 IoCs
pid / Process: 2712, 1612, 2236, 1492, 1728, 2480, 3056, 1028, 2648, 2348, 2776 (all DllCommonsvc.exe)
Loads dropped DLL 2 IoCs
pid / Process: 2716 cmd.exe (two entries)
Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs
flow / ioc: flows 5, 13, 23, 27, 30, 34, 4, 9, 16, 20, 37, all to raw.githubusercontent.com
Drops file in Program Files directory 11 IoCs
description / ioc / Process (all entries: DllCommonsvc.exe)
File created  C:\Program Files\Common Files\SpeechEngines\Microsoft\f3b6ecef712a24
File created  C:\Program Files\Uninstall Information\taskhost.exe
File created  C:\Program Files\Uninstall Information\b75386f1303e64
File created  C:\Program Files (x86)\Common Files\Adobe\Help\winlogon.exe
File created  C:\Program Files\DVD Maker\en-US\wininit.exe
File opened for modification  C:\Program Files\DVD Maker\en-US\wininit.exe
File created  C:\Program Files\DVD Maker\en-US\56085415360792
File created  C:\Program Files\Common Files\SpeechEngines\Microsoft\spoolsv.exe
File created  C:\Program Files (x86)\Common Files\Adobe\Help\cc11b995f2a76d
File created  C:\Program Files (x86)\Windows NT\Accessories\es-ES\smss.exe
File created  C:\Program Files (x86)\Windows NT\Accessories\es-ES\69ddcba757bf72
Drops file in Windows directory 8 IoCs
description / ioc / Process (all entries: DllCommonsvc.exe)
File created  C:\Windows\LiveKernelReports\b75386f1303e64
File created  C:\Windows\diagnostics\system\HomeGroup\es-ES\explorer.exe
File created  C:\Windows\Panther\UnattendGC\wininit.exe
File created  C:\Windows\Panther\UnattendGC\56085415360792
File created  C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\DllCommonsvc.exe
File created  C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\a76d7bf15d8370
File created  C:\Windows\rescache\rc0006\explorer.exe
File created  C:\Windows\LiveKernelReports\taskhost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description / ioc / Process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  JaffaCakes118_bc6b40b3180dcada72104c60cc530bd2b9d83d7410c3ea6883f9cd19f82b4612.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  WScript.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 54 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid / Process (all 54 entries: schtasks.exe): 2160, 3068, 3004, 2668, 2020, 2044, 1340, 2148, 2028, 2360, 3032, 2300, 1104, 1740, 2648, 936, 2480, 1960, 2264, 2592, 2824, 620, 1280, 1244, 2080, 2204, 1664, 1868, 1648, 2432, 2136, 1556, 2984, 2036, 2316, 2172, 884, 1576, 1992, 264, 1720, 1828, 1940, 2776, 676, 392, 2744, 2236, 1544, 588, 2104, 2168, 1044, 2400
Suspicious behavior: EnumeratesProcesses 30 IoCs
pid / Process (in report order)
DllCommonsvc.exe: 2712
powershell.exe: 2720, 1028, 236, 2900, 2864, 2892, 2908, 2896, 2196, 2976, 2652, 2620, 2780, 2832, 2216, 3040, 1140, 2840, 3028
DllCommonsvc.exe: 1612, 2236, 1492, 1728, 2480, 3056, 1028, 2648, 2348, 2776
Suspicious use of AdjustPrivilegeToken 30 IoCs
description / pid / Process (all 30 entries: Token: SeDebugPrivilege; in report order)
DllCommonsvc.exe: 2712
powershell.exe: 2720, 1028, 236, 2900, 2864, 2892, 2908, 2896, 2196, 2976, 2652, 2620, 2780, 2832, 2216, 3040, 1140, 2840, 3028
DllCommonsvc.exe: 1612, 2236, 1492, 1728, 2480, 3056, 1028, 2648, 2348, 2776
Suspicious use of WriteProcessMemory 64 IoCs
description / pid / Process / procid_target (identical repeated rows collapsed; the number in parentheses is how many times the row appears in the 64 entries)
PID 2572 wrote to memory of 3040  2572  JaffaCakes118_bc6b40b3180dcada72104c60cc530bd2b9d83d7410c3ea6883f9cd19f82b4612.exe  30  (4)
PID 3040 wrote to memory of 2716  3040  WScript.exe  31  (4)
PID 2716 wrote to memory of 2712  2716  cmd.exe  33  (4)
PID 2712 wrote to memory of 236  2712  DllCommonsvc.exe  89  (3)
PID 2712 wrote to memory of 3028  2712  DllCommonsvc.exe  90  (3)
PID 2712 wrote to memory of 1028  2712  DllCommonsvc.exe  91  (3)
PID 2712 wrote to memory of 3040  2712  DllCommonsvc.exe  92  (3)
PID 2712 wrote to memory of 2892  2712  DllCommonsvc.exe  93  (3)
PID 2712 wrote to memory of 2864  2712  DllCommonsvc.exe  94  (3)
PID 2712 wrote to memory of 2896  2712  DllCommonsvc.exe  95  (3)
PID 2712 wrote to memory of 2840  2712  DllCommonsvc.exe  96  (3)
PID 2712 wrote to memory of 2908  2712  DllCommonsvc.exe  98  (3)
PID 2712 wrote to memory of 2976  2712  DllCommonsvc.exe  99  (3)
PID 2712 wrote to memory of 2780  2712  DllCommonsvc.exe  100  (3)
PID 2712 wrote to memory of 2720  2712  DllCommonsvc.exe  101  (3)
PID 2712 wrote to memory of 2620  2712  DllCommonsvc.exe  102  (3)
PID 2712 wrote to memory of 2652  2712  DllCommonsvc.exe  103  (3)
PID 2712 wrote to memory of 1140  2712  DllCommonsvc.exe  104  (3)
PID 2712 wrote to memory of 2900  2712  DllCommonsvc.exe  105  (3)
PID 2712 wrote to memory of 2216  2712  DllCommonsvc.exe  106  (3)
PID 2712 wrote to memory of 2196  2712  DllCommonsvc.exe  107  (1)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

[depth 1] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bc6b40b3180dcada72104c60cc530bd2b9d83d7410c3ea6883f9cd19f82b4612.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bc6b40b3180dcada72104c60cc530bd2b9d83d7410c3ea6883f9cd19f82b4612.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2572

[depth 2] C:\Windows\SysWOW64\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 3040

[depth 3] C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c ""C:\providercommon\1zu9dW.bat" "
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2716

[depth 4] C:\providercommon\DllCommonsvc.exe
  Command line: "C:\providercommon\DllCommonsvc.exe"
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2712
[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 236

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\DVD Maker\en-US\wininit.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 3028

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\wininit.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1028

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\SpeechEngines\Microsoft\spoolsv.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 3040

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\audiodg.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2892

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\System.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2864

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\taskhost.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2896

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\winlogon.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2840

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Links\dllhost.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2908

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\LiveKernelReports\taskhost.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2976

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\csrss.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2780

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Panther\UnattendGC\wininit.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2720

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\dllhost.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2620

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\dllhost.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2652

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\taskhost.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1140

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\DllCommonsvc.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2900

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\Accessories\es-ES\smss.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2216

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\audiodg.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2196

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\Adobe\Help\winlogon.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2832
[depth 5] C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\DllCommonsvc.exe
  Command line: "C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\DllCommonsvc.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1612

[depth 6] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ktiZWDSHsI.bat"
  PID: 2648

[depth 7] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2728

[depth 7] C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\DllCommonsvc.exe
  Command line: "C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\DllCommonsvc.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2236

[depth 8] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Xnyek1SZun.bat"
  PID: 1812

[depth 9] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 1832

[depth 9] C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\DllCommonsvc.exe
  Command line: "C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\DllCommonsvc.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1492

[depth 10] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\J91AFVPMIK.bat"
  PID: 1028

[depth 11] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2168

[depth 11] C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\DllCommonsvc.exe
  Command line: "C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\DllCommonsvc.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1728

[depth 12] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\l4DYpxlgJN.bat"
  PID: 1348

[depth 13] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2924

[depth 13] C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\DllCommonsvc.exe
  Command line: "C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\DllCommonsvc.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2480

[depth 14] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Myoa8e0eVV.bat"
  PID: 540

[depth 15] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2088

[depth 15] C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\DllCommonsvc.exe
  Command line: "C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\DllCommonsvc.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 3056

[depth 16] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\w2PRcJO5W1.bat"
  PID: 2196

[depth 17] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2616

[depth 17] C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\DllCommonsvc.exe
  Command line: "C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\DllCommonsvc.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1028

[depth 18] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AMKHlt6LWj.bat"
  PID: 1876

[depth 19] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2924

[depth 19] C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\DllCommonsvc.exe
  Command line: "C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\DllCommonsvc.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2648

[depth 20] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gJVLZ7RDs3.bat"
  PID: 760

[depth 21] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2480

[depth 21] C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\DllCommonsvc.exe
  Command line: "C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\DllCommonsvc.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2348

[depth 22] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wpigNgqS7W.bat"
  PID: 2140

[depth 23] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 316

[depth 23] C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\DllCommonsvc.exe
  Command line: "C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\DllCommonsvc.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2776

[depth 24] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eG7Plib0M1.bat"
  PID: 2208

[depth 25] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2064
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Program Files\DVD Maker\en-US\wininit.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2744
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\en-US\wininit.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2776
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Program Files\DVD Maker\en-US\wininit.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2160
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\wininit.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2668
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\wininit.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2300
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\wininit.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2648
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Program Files\Common Files\SpeechEngines\Microsoft\spoolsv.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1992
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Common Files\SpeechEngines\Microsoft\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:676
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Program Files\Common Files\SpeechEngines\Microsoft\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1104
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\audiodg.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2104
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\audiodg.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2168
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\audiodg.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2592
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\providercommon\System.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2824
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3068
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2148
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\providercommon\taskhost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2020
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\providercommon\taskhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2432
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\providercommon\taskhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2044
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\providercommon\winlogon.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2028
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\providercommon\winlogon.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:264
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\providercommon\winlogon.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2236
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Links\dllhost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1544
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default\Links\dllhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:588
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Links\dllhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1868
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Windows\LiveKernelReports\taskhost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2080
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\LiveKernelReports\taskhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:392
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Windows\LiveKernelReports\taskhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3004
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\csrss.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2204
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2136
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1044
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Windows\Panther\UnattendGC\wininit.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1244
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\Panther\UnattendGC\wininit.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1340
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Windows\Panther\UnattendGC\wininit.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:936
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\dllhost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2316
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\dllhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:620
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\dllhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1556
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\dllhost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1720
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1740
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2480
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Program Files\Uninstall Information\taskhost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1664
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\taskhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2172
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Program Files\Uninstall Information\taskhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2400
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 5 /tr "'C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\DllCommonsvc.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1648
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\DllCommonsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2984
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 8 /tr "'C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\DllCommonsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2360
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows NT\Accessories\es-ES\smss.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1828
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\es-ES\smss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1280
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows NT\Accessories\es-ES\smss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:884
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\audiodg.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1960
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\audiodg.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1576
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\audiodg.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1940
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Common Files\Adobe\Help\winlogon.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2036
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Adobe\Help\winlogon.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3032
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Common Files\Adobe\Help\winlogon.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2264
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 bd57b4f3e0261187b98cba4cfd42fc50
SHA1 401ca03dbd44d5b2c67b818c5b1c39cf786a2b8b
SHA256 3bf702b4287cac41256a5d448add625797d30da47d57fdb089736db85d5ab276
SHA512 9ee6d712d7fdb7084257f90d6c885e1a702907a6a227ef1a923c5c959befd32ba29790f954626604cc169eb7096857db58b232d58a0f0a3b6b6bbb50425c4ea3
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 7387e1f4a0724ea2f382e053055d01e3
SHA1 f4720a99ec8a689131c8713ac5bd650cf690802b
SHA256 f7b661591a07b210a02e159031018c0606733133b3e69d4cce4234a5c1f6a69b
SHA512 12e697ff9bca76a0e036b6ac9a3fa00d1a053779431e54c1ba99d5b2320d721cff9e1cdab7170b5e91a320a3638c44d83b88e2b20f963d81e5917986e8486505
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 a337e0639ef94293eb60f6e8324e40a9
SHA1 bc9477518d702e0efa4e1cd82c0b5c69a3ddef75
SHA256 1d1811a92c4ac422b02c93bfa09f25d4c8d80f944873ad56761d16829efcffed
SHA512 24a94d378cd7581ef43a2b33fc8a420166b6734fbf27570bb258d93bae03bb06d68cb8a15a3d3c18fcebfbc3b21f2e6041b59d4f5f5ea888122bff3e63a1dbcf
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 b13f25b3d4cf3ccbb8ebb9b4099b28b2
SHA1 6576426072b410a024b104cecf658339bb1fc4f6
SHA256 a520a238c2420d020543dd6192f6db5c10e12480cf10d47b6b5ec5b7cd632c10
SHA512 6f9b3d4fb2db97c9ee89c51cb6a297d04f3679c9b2a6a4a4f5a36ffdf4ec0b68639c4a503d361f84fe9407a56e6e16992a05b2bb98f9e85e58103af97bce8153
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 071406f4c3b2763f6cc82dff9d438fda
SHA1 8fbbc0976f28cf0038aa7c94a8a7bf25bc6fc898
SHA256 01d21118d46abfc63f11288f9f436c0e486220008a6a86839b18a6c5d481542f
SHA512 998926721f886e8910d6aea67e035c7de34b4c07b473cde4313b17180c0212858d136297109d0054bcedcac51a997f1f64468093684c4e47b21c488d4d856598
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 bcdcc8b98fd355e35efb431ba34ee230
SHA1 e4054d51a9ef2c43517faff39ae29e11b5ffa376
SHA256 32606442e62a3686768e7a9c971bbf276c05299525c2f548bdf36a610da87a54
SHA512 94f695da7bb5e899b8a2d1f4fb0feb0e6713f2f3cbfeb08673d5f351b4cbabc34a985f6c865d3a05f41d57a7885736ad305c46cb77c63b0ad735053b4edfad40
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 b48f9197c0476f3a20d88934204d3846
SHA1 44b68bba45f7c3f10e1937a85fd0cfa759c52132
SHA256 b310bf94b2e097680e59a47483640eb8d39b3d9f15a76eedb0583eed28aed9f2
SHA512 94595d770e2dcd9e556cde9523f4b47a5ae8f7863877a438ba99f6d1d061fac2247c263cdc6aee86b0f19cb3802e799e985441d410a34ddc8285de772a94e322
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 88ebba97f801c5751c92d250f2adfebe
SHA1 848dd4a3c3946daaa3cb85dad65763b46d152102
SHA256 1431122e34afc546da7f8db99858ea0f15f01439bb99bf8b5672d512c0371caa
SHA512 c16d8409e90db1190b5d2126a962f470057adfb8522cf00baa595454da2a7f675cb98e51c5b48d3f142340f46f8c39db3d1d595a0ee66ba1d7faff8352d1cdd6
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 a7d3c4216310e383e5dd1864eff7fe72
SHA1 89bb2b1f74694c3ddb72bb74757fa1b92d239412
SHA256 90297bdebc11f872359b45efb24359190cd92df4d27c75548a6d5380f3bb6ee1
SHA512 d22f95e7a382c740ff5f30f0995a2d8827814aba6e02f2fe6adc8beb98def7802e3b2f68cbb3953aa7830106b7642b9012ae36198019deb0c11cd184d7ad739c
-
Filesize 251B
MD5 b3a7427e5315a4039cc28e3edfed7480
SHA1 11fac4b950a6fb2af7e40b1cc4df914880f955bc
SHA256 551d4175ca11fde814322b2a87ec82ecae490bc41b2f8a57bbf6fd79b7622912
SHA512 025e0ec85be3b0b18f7821323821f4162caf940d9bee3fdfc961b6834e45b35d0dec033613badc0bb3f1cc91e1ecf29ba548d609a194a76776196d45a7d22d63
-
Filesize 70KB
MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize 251B
MD5 20657374f4701630aa3d707ac9f2da48
SHA1 bb55d859cf5479d4b7ebafe451f0037f9899f81a
SHA256 2110baf8d4d6d5f7c62550c5e2f8fd6c2b230befc5701b6a16236ccd964716cb
SHA512 a56beef722e9b504621d220df7e973c7d8f91cf3fd7211e4935b511206200655d341e84dca852cff2575c2f16e76847a3a8ff57e9f7a2988fec24e38ee6dd9e6
-
Filesize 251B
MD5 6cf60d9680ccf2b04e351bd733fbe81b
SHA1 9c955d39eb604e71b30fdd3290cb04b890c507d6
SHA256 7c1ac6866b02ee040f2b68f0099992d66a5fcffabd20363b5ae3ac0bacd32bb3
SHA512 e5d1d456568ebea2cde6e95d1dcedfc4d24bf63a634457d537d925797142891447abaa68ef87edb6ee9e62c525ea8906b0edfeadec40c5d9215016b03817fff8
-
Filesize 181KB
MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize 251B
MD5 a5e6613a611e751f5fa8c2a0772b86ac
SHA1 2ecf470d0bfdbd40782cff198e1bc9e779f3fe5c
SHA256 032d813463614130227e658d578d0d92782bc5ed0bfe0f27d8f0c507a6b023bc
SHA512 de2700991595b82ceb3b742fe758413d61a6817b02bfd7e42e3782c5031799a595ea0a96e878d8114b39aabf7d536782a4c482329435a6a3863718f9d7e0a79e
-
Filesize 251B
MD5 2a158dc80e1c613973b05660469eeef6
SHA1 125c1e76b359d70019c4b9ff09438838fd381a0f
SHA256 003e67232a99fda83926886941eeb39f964bd9e1c5463533266c7d3b1eff0e2d
SHA512 9a58156f880b73dbe7ab76edb54fe83abf0adadacf906c4d2ddadf10cd57e662536b99f8f97af799715224559ef3e61ba2e79742339b1b406328e41bb98e6efe
-
Filesize 251B
MD5 a33ce80bda1e09cba867ea5669aa5226
SHA1 54813a56a32e2b3b0ece7ef0836393bee5f3ed19
SHA256 4efe975bd9dde879bcfb3824809000d51583a1c8eaa414760b736482a0f1070d
SHA512 6f91f12f747a30b3df095a62b17b4de0281ebd283b7840666d41259d7e9f0a233ea11e420ff6092d77655369c5da60d87470fae6a0f1ea97a96493e871afb0c6
-
Filesize 251B
MD5 1aaf1120b2af7932a20a5e8b7f303525
SHA1 d1e363be956b00cf1b67908db3398c313025ade0
SHA256 7cc46ae98bb9fbdb26a28337ae1a45346cbfe97c1afde56d2517202f99ed81f6
SHA512 078926772dbce3ef82abad6c97859cecbc6de34482c8a0f603bc6a20b2764a7a7377546517578ada637a38151ce88ade1edc08890834129895d4fd2de286831a
-
Filesize 251B
MD5 06b95e1e927786c58e66c82f159f8262
SHA1 11b3e8b9913a109d5ff2577af4f4ec6af6ae8aa7
SHA256 7ce9547ea3912d00f8548d099150f8893207f17ff29d1f0bd63de89f9cc41749
SHA512 9e4a95582ed2f7b32abdd2d95638d6ca1407073687cec39fda055608b1d3d4668d35e5b0f483ace497bb999f6ff1dfb0e87eb2132632fabfbed4b819aafde85b
-
Filesize 251B
MD5 49a1b5ecce83e22a4aa597ca3206da09
SHA1 dae894aa5b19115662dd371b1e845951169f2d89
SHA256 6a04384d539d180aa6f6c13ddbb437f0059c8f2cc2788cdfe64cec8744821a35
SHA512 b6cd97a6ad116a3c4bca21a2ed845f4424bb07adc2aa6b55b372b6223ca5eec53391db67c6469c5d8e9b368e4a69312cf4b10b5aa98bbdf85d78e6fea278000b
-
Filesize 251B
MD5 4f3ed3d57adee8a871be3d5548a115b8
SHA1 2508ccf7c2e0114eeb47f058d857ecd3babfaf1d
SHA256 599934ef25b73a1141c6d7398cbe9f89eab2e55cfef4acad5648be13d8c0ad66
SHA512 7c10c441cb97febb8935eb5b6925f2c6911e035af3d8b5d98e18408554feea383e09a1638394e5bbb55687b072f5ceef4e189fa4b61100b7e42af27337a76895
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize 7KB
MD5 108a3843b4afaba09a66ea4d2acd3bdf
SHA1 a25ee02e6366df7e297eb0517f53df2e03af5ca3
SHA256 33f804dad19afb97d6c48223699ea98a91e505b8d19c711be643c9530e292f47
SHA512 cb873e974fb96fa51a7630284b69249c8e5a326bbfabab24b1c4b484328225159c475c2846d445193b4915ed40b72ff4fe145a258f27513e6073ae43a640a836
-
Filesize 36B
MD5 6783c3ee07c7d151ceac57f1f9c8bed7
SHA1 17468f98f95bf504cc1f83c49e49a78526b3ea03
SHA256 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512 c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8
-
Filesize 1.0MB
MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
Filesize 197B
MD5 8088241160261560a02c84025d107592
SHA1 083121f7027557570994c9fc211df61730455bb5
SHA256 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA512 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478