Analysis
max time kernel: 149s
max time network: 144s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
submitted: 21-12-2024 20:50
Behavioral task: behavioral1
Sample: JaffaCakes118_033b4f489ff522b074811a43a9d41dfa941a080b4b7c89012e486fe0427a47bf.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: JaffaCakes118_033b4f489ff522b074811a43a9d41dfa941a080b4b7c89012e486fe0427a47bf.exe
Resource: win10v2004-20241007-en
General
Target: JaffaCakes118_033b4f489ff522b074811a43a9d41dfa941a080b4b7c89012e486fe0427a47bf.exe
Size: 1.3MB
MD5: e7631eb93c75e8ff8907259a2821ea5e
SHA1: 30439da50753ccf287e386f6e2c80c28fe82c5bd
SHA256: 033b4f489ff522b074811a43a9d41dfa941a080b4b7c89012e486fe0427a47bf
SHA512: 4d2759aa5ed9fcf788b850b6afea30eff47616b6382cfe1ad4d133d34af3af8b53077f3223d118c20ebee132f23654721b62c458c24070eac70f187114cf01e4
SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
DcRat
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
Dcrat family
Process spawned unexpected child process (57 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2804 | 2916 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2888 | 2916 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2648 | 2916 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2732 | 2916 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2636 | 2916 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2696 | 2916 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2332 | 2916 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1092 | 2916 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2868 | 2916 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2020 | 2916 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1484 | 2916 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2472 | 2916 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2688 | 2916 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2820 | 2916 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2952 | 2916 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2680 | 2916 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2856 | 2916 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3004 | 2916 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2488 | 2916 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1764 | 2916 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 800 | 2916 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2172 | 2916 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1912 | 2916 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2372 | 2916 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1868 | 2916 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1916 | 2916 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 340 | 2916 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 448 | 2916 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 708 | 2916 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2504 | 2916 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 856 | 2916 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2424 | 2916 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2128 | 2916 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1144 | 2916 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2364 | 2916 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 276 | 2916 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1376 | 2916 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2136 | 2916 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1900 | 2916 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1032 | 2916 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2964 | 2916 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2076 | 2916 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2588 | 2916 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2032 | 2916 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 536 | 2916 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1724 | 2916 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 804 | 2916 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2412 | 2916 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2168 | 2916 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2192 | 2916 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2280 | 2916 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2568 | 2916 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1700 | 2916 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2012 | 2916 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2920 | 2916 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 580 | 2916 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2936 | 2916 | schtasks.exe | 34
resource | yara_rule
behavioral1/files/0x00070000000186fd-12.dat | dcrat
behavioral1/memory/1044-13-0x00000000000B0000-0x00000000001C0000-memory.dmp | dcrat
behavioral1/memory/236-162-0x0000000000B40000-0x0000000000C50000-memory.dmp | dcrat
behavioral1/memory/2640-221-0x00000000012E0000-0x00000000013F0000-memory.dmp | dcrat
behavioral1/memory/2688-458-0x0000000000130000-0x0000000000240000-memory.dmp | dcrat
behavioral1/memory/1936-518-0x0000000000970000-0x0000000000A80000-memory.dmp | dcrat
behavioral1/memory/2684-578-0x00000000009E0000-0x0000000000AF0000-memory.dmp | dcrat
behavioral1/memory/292-638-0x0000000000F00000-0x0000000001010000-memory.dmp | dcrat
Command and Scripting Interpreter: PowerShell (1 TTPs, 20 IoCs)
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
pid | Process
1200 | powershell.exe
2804 | powershell.exe
2992 | powershell.exe
1776 | powershell.exe
1028 | powershell.exe
2420 | powershell.exe
2668 | powershell.exe
2908 | powershell.exe
1668 | powershell.exe
2352 | powershell.exe
2796 | powershell.exe
2324 | powershell.exe
1684 | powershell.exe
1348 | powershell.exe
2860 | powershell.exe
2760 | powershell.exe
2656 | powershell.exe
2116 | powershell.exe
2696 | powershell.exe
1508 | powershell.exe
Executes dropped EXE (11 IoCs)
pid | Process
1044 | DllCommonsvc.exe
236 | audiodg.exe
2640 | audiodg.exe
880 | audiodg.exe
2020 | audiodg.exe
2804 | audiodg.exe
2688 | audiodg.exe
1936 | audiodg.exe
2684 | audiodg.exe
292 | audiodg.exe
2828 | audiodg.exe
Loads dropped DLL (2 IoCs)
pid | Process
3028 | cmd.exe
3028 | cmd.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 10 IoCs)
flow | ioc
9 | raw.githubusercontent.com
12 | raw.githubusercontent.com
15 | raw.githubusercontent.com
25 | raw.githubusercontent.com
4 | raw.githubusercontent.com
5 | raw.githubusercontent.com
28 | raw.githubusercontent.com
32 | raw.githubusercontent.com
19 | raw.githubusercontent.com
22 | raw.githubusercontent.com
Drops file in Program Files directory (15 IoCs)
description | ioc | Process
File created | C:\Program Files (x86)\Windows Defender\it-IT\b75386f1303e64 | DllCommonsvc.exe
File created | C:\Program Files\Uninstall Information\conhost.exe | DllCommonsvc.exe
File created | C:\Program Files\Java\jre7\lib\amd64\dwm.exe | DllCommonsvc.exe
File created | C:\Program Files\Java\jre7\lib\amd64\6cb0b6c459d5d3 | DllCommonsvc.exe
File opened for modification | C:\Program Files (x86)\Windows Defender\it-IT\taskhost.exe | DllCommonsvc.exe
File created | C:\Program Files\Microsoft Games\SpiderSolitaire\fr-FR\886983d96e3d3e | DllCommonsvc.exe
File created | C:\Program Files (x86)\Windows Media Player\6cb0b6c459d5d3 | DllCommonsvc.exe
File created | C:\Program Files\Windows NT\Accessories\services.exe | DllCommonsvc.exe
File created | C:\Program Files\Windows Sidebar\Shared Gadgets\lsass.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\Windows Defender\it-IT\taskhost.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\Windows Media Player\dwm.exe | DllCommonsvc.exe
File created | C:\Program Files\Windows NT\Accessories\c5b4cb5e9653cc | DllCommonsvc.exe
File created | C:\Program Files\Microsoft Games\SpiderSolitaire\fr-FR\csrss.exe | DllCommonsvc.exe
File created | C:\Program Files\Windows Sidebar\Shared Gadgets\6203df4a6bafc7 | DllCommonsvc.exe
File created | C:\Program Files\Uninstall Information\088424020bedd6 | DllCommonsvc.exe
Drops file in Windows directory (4 IoCs)
description | ioc | Process
File created | C:\Windows\ja-JP\56085415360792 | DllCommonsvc.exe
File created | C:\Windows\Branding\ShellBrd\audiodg.exe | DllCommonsvc.exe
File created | C:\Windows\Branding\ShellBrd\42af1c969fbb7b | DllCommonsvc.exe
File created | C:\Windows\ja-JP\wininit.exe | DllCommonsvc.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_033b4f489ff522b074811a43a9d41dfa941a080b4b7c89012e486fe0427a47bf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Scheduled Task/Job: Scheduled Task (1 TTPs, 57 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
2888 | schtasks.exe
2372 | schtasks.exe
2280 | schtasks.exe
2568 | schtasks.exe
580 | schtasks.exe
2488 | schtasks.exe
1724 | schtasks.exe
2636 | schtasks.exe
1092 | schtasks.exe
2820 | schtasks.exe
1916 | schtasks.exe
2424 | schtasks.exe
1376 | schtasks.exe
1764 | schtasks.exe
2364 | schtasks.exe
1900 | schtasks.exe
1032 | schtasks.exe
2032 | schtasks.exe
2648 | schtasks.exe
2192 | schtasks.exe
2732 | schtasks.exe
340 | schtasks.exe
708 | schtasks.exe
2936 | schtasks.exe
2696 | schtasks.exe
2952 | schtasks.exe
2856 | schtasks.exe
1912 | schtasks.exe
2168 | schtasks.exe
2804 | schtasks.exe
2588 | schtasks.exe
804 | schtasks.exe
2964 | schtasks.exe
1484 | schtasks.exe
2688 | schtasks.exe
800 | schtasks.exe
1868 | schtasks.exe
448 | schtasks.exe
2136 | schtasks.exe
2868 | schtasks.exe
536 | schtasks.exe
2412 | schtasks.exe
2020 | schtasks.exe
3004 | schtasks.exe
2128 | schtasks.exe
276 | schtasks.exe
1700 | schtasks.exe
2332 | schtasks.exe
2680 | schtasks.exe
856 | schtasks.exe
2076 | schtasks.exe
2012 | schtasks.exe
2472 | schtasks.exe
2172 | schtasks.exe
2504 | schtasks.exe
1144 | schtasks.exe
2920 | schtasks.exe
Suspicious behavior: EnumeratesProcesses (37 IoCs)
pid | Process
1044 | DllCommonsvc.exe
1044 | DllCommonsvc.exe
1044 | DllCommonsvc.exe
1044 | DllCommonsvc.exe
1044 | DllCommonsvc.exe
1044 | DllCommonsvc.exe
1044 | DllCommonsvc.exe
2324 | powershell.exe
1684 | powershell.exe
2668 | powershell.exe
2656 | powershell.exe
1200 | powershell.exe
2760 | powershell.exe
1776 | powershell.exe
2804 | powershell.exe
2860 | powershell.exe
1668 | powershell.exe
2352 | powershell.exe
1348 | powershell.exe
2908 | powershell.exe
2420 | powershell.exe
1028 | powershell.exe
1508 | powershell.exe
2116 | powershell.exe
2696 | powershell.exe
2796 | powershell.exe
2992 | powershell.exe
236 | audiodg.exe
2640 | audiodg.exe
880 | audiodg.exe
2020 | audiodg.exe
2804 | audiodg.exe
2688 | audiodg.exe
1936 | audiodg.exe
2684 | audiodg.exe
292 | audiodg.exe
2828 | audiodg.exe
Suspicious use of AdjustPrivilegeToken (31 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 1044 | DllCommonsvc.exe
Token: SeDebugPrivilege | 2324 | powershell.exe
Token: SeDebugPrivilege | 1684 | powershell.exe
Token: SeDebugPrivilege | 2668 | powershell.exe
Token: SeDebugPrivilege | 2656 | powershell.exe
Token: SeDebugPrivilege | 1200 | powershell.exe
Token: SeDebugPrivilege | 2760 | powershell.exe
Token: SeDebugPrivilege | 1776 | powershell.exe
Token: SeDebugPrivilege | 2804 | powershell.exe
Token: SeDebugPrivilege | 2860 | powershell.exe
Token: SeDebugPrivilege | 1668 | powershell.exe
Token: SeDebugPrivilege | 2352 | powershell.exe
Token: SeDebugPrivilege | 1348 | powershell.exe
Token: SeDebugPrivilege | 2908 | powershell.exe
Token: SeDebugPrivilege | 2420 | powershell.exe
Token: SeDebugPrivilege | 1028 | powershell.exe
Token: SeDebugPrivilege | 1508 | powershell.exe
Token: SeDebugPrivilege | 2116 | powershell.exe
Token: SeDebugPrivilege | 2696 | powershell.exe
Token: SeDebugPrivilege | 2796 | powershell.exe
Token: SeDebugPrivilege | 2992 | powershell.exe
Token: SeDebugPrivilege | 236 | audiodg.exe
Token: SeDebugPrivilege | 2640 | audiodg.exe
Token: SeDebugPrivilege | 880 | audiodg.exe
Token: SeDebugPrivilege | 2020 | audiodg.exe
Token: SeDebugPrivilege | 2804 | audiodg.exe
Token: SeDebugPrivilege | 2688 | audiodg.exe
Token: SeDebugPrivilege | 1936 | audiodg.exe
Token: SeDebugPrivilege | 2684 | audiodg.exe
Token: SeDebugPrivilege | 292 | audiodg.exe
Token: SeDebugPrivilege | 2828 | audiodg.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 2236 wrote to memory of 2328 | 2236 | JaffaCakes118_033b4f489ff522b074811a43a9d41dfa941a080b4b7c89012e486fe0427a47bf.exe | 30
PID 2236 wrote to memory of 2328 | 2236 | JaffaCakes118_033b4f489ff522b074811a43a9d41dfa941a080b4b7c89012e486fe0427a47bf.exe | 30
PID 2236 wrote to memory of 2328 | 2236 | JaffaCakes118_033b4f489ff522b074811a43a9d41dfa941a080b4b7c89012e486fe0427a47bf.exe | 30
PID 2236 wrote to memory of 2328 | 2236 | JaffaCakes118_033b4f489ff522b074811a43a9d41dfa941a080b4b7c89012e486fe0427a47bf.exe | 30
PID 2328 wrote to memory of 3028 | 2328 | WScript.exe | 31
PID 2328 wrote to memory of 3028 | 2328 | WScript.exe | 31
PID 2328 wrote to memory of 3028 | 2328 | WScript.exe | 31
PID 2328 wrote to memory of 3028 | 2328 | WScript.exe | 31
PID 3028 wrote to memory of 1044 | 3028 | cmd.exe | 33
PID 3028 wrote to memory of 1044 | 3028 | cmd.exe | 33
PID 3028 wrote to memory of 1044 | 3028 | cmd.exe | 33
PID 3028 wrote to memory of 1044 | 3028 | cmd.exe | 33
PID 1044 wrote to memory of 2760 | 1044 | DllCommonsvc.exe | 93
PID 1044 wrote to memory of 2760 | 1044 | DllCommonsvc.exe | 93
PID 1044 wrote to memory of 2760 | 1044 | DllCommonsvc.exe | 93
PID 1044 wrote to memory of 2796 | 1044 | DllCommonsvc.exe | 94
PID 1044 wrote to memory of 2796 | 1044 | DllCommonsvc.exe | 94
PID 1044 wrote to memory of 2796 | 1044 | DllCommonsvc.exe | 94
PID 1044 wrote to memory of 2420 | 1044 | DllCommonsvc.exe | 95
PID 1044 wrote to memory of 2420 | 1044 | DllCommonsvc.exe | 95
PID 1044 wrote to memory of 2420 | 1044 | DllCommonsvc.exe | 95
PID 1044 wrote to memory of 2668 | 1044 | DllCommonsvc.exe | 96
PID 1044 wrote to memory of 2668 | 1044 | DllCommonsvc.exe | 96
PID 1044 wrote to memory of 2668 | 1044 | DllCommonsvc.exe | 96
PID 1044 wrote to memory of 2324 | 1044 | DllCommonsvc.exe | 97
PID 1044 wrote to memory of 2324 | 1044 | DllCommonsvc.exe | 97
PID 1044 wrote to memory of 2324 | 1044 | DllCommonsvc.exe | 97
PID 1044 wrote to memory of 2908 | 1044 | DllCommonsvc.exe | 98
PID 1044 wrote to memory of 2908 | 1044 | DllCommonsvc.exe | 98
PID 1044 wrote to memory of 2908 | 1044 | DllCommonsvc.exe | 98
PID 1044 wrote to memory of 1028 | 1044 | DllCommonsvc.exe | 99
PID 1044 wrote to memory of 1028 | 1044 | DllCommonsvc.exe | 99
PID 1044 wrote to memory of 1028 | 1044 | DllCommonsvc.exe | 99
PID 1044 wrote to memory of 1200 | 1044 | DllCommonsvc.exe | 100
PID 1044 wrote to memory of 1200 | 1044 | DllCommonsvc.exe | 100
PID 1044 wrote to memory of 1200 | 1044 | DllCommonsvc.exe | 100
PID 1044 wrote to memory of 1684 | 1044 | DllCommonsvc.exe | 101
PID 1044 wrote to memory of 1684 | 1044 | DllCommonsvc.exe | 101
PID 1044 wrote to memory of 1684 | 1044 | DllCommonsvc.exe | 101
PID 1044 wrote to memory of 1508 | 1044 | DllCommonsvc.exe | 102
PID 1044 wrote to memory of 1508 | 1044 | DllCommonsvc.exe | 102
PID 1044 wrote to memory of 1508 | 1044 | DllCommonsvc.exe | 102
PID 1044 wrote to memory of 1348 | 1044 | DllCommonsvc.exe | 103
PID 1044 wrote to memory of 1348 | 1044 | DllCommonsvc.exe | 103
PID 1044 wrote to memory of 1348 | 1044 | DllCommonsvc.exe | 103
PID 1044 wrote to memory of 2804 | 1044 | DllCommonsvc.exe | 104
PID 1044 wrote to memory of 2804 | 1044 | DllCommonsvc.exe | 104
PID 1044 wrote to memory of 2804 | 1044 | DllCommonsvc.exe | 104
PID 1044 wrote to memory of 1668 | 1044 | DllCommonsvc.exe | 105
PID 1044 wrote to memory of 1668 | 1044 | DllCommonsvc.exe | 105
PID 1044 wrote to memory of 1668 | 1044 | DllCommonsvc.exe | 105
PID 1044 wrote to memory of 2992 | 1044 | DllCommonsvc.exe | 106
PID 1044 wrote to memory of 2992 | 1044 | DllCommonsvc.exe | 106
PID 1044 wrote to memory of 2992 | 1044 | DllCommonsvc.exe | 106
PID 1044 wrote to memory of 2656 | 1044 | DllCommonsvc.exe | 107
PID 1044 wrote to memory of 2656 | 1044 | DllCommonsvc.exe | 107
PID 1044 wrote to memory of 2656 | 1044 | DllCommonsvc.exe | 107
PID 1044 wrote to memory of 2352 | 1044 | DllCommonsvc.exe | 108
PID 1044 wrote to memory of 2352 | 1044 | DllCommonsvc.exe | 108
PID 1044 wrote to memory of 2352 | 1044 | DllCommonsvc.exe | 108
PID 1044 wrote to memory of 1776 | 1044 | DllCommonsvc.exe | 109
PID 1044 wrote to memory of 1776 | 1044 | DllCommonsvc.exe | 109
PID 1044 wrote to memory of 1776 | 1044 | DllCommonsvc.exe | 109
PID 1044 wrote to memory of 2116 | 1044 | DllCommonsvc.exe | 111
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
(level 1) C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_033b4f489ff522b074811a43a9d41dfa941a080b4b7c89012e486fe0427a47bf.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_033b4f489ff522b074811a43a9d41dfa941a080b4b7c89012e486fe0427a47bf.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2236
(level 2) C:\Windows\SysWOW64\WScript.exe
  command line: "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2328
(level 3) C:\Windows\SysWOW64\cmd.exe
  command line: cmd /c ""C:\providercommon\1zu9dW.bat" "
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 3028
(level 4) C:\providercommon\DllCommonsvc.exe
  command line: "C:\providercommon\DllCommonsvc.exe"
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1044
(level 5) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2760
(level 5) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\it-IT\taskhost.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2796
(level 5) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\csrss.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2420
(level 5) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Games\SpiderSolitaire\fr-FR\csrss.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2668
(level 5) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\taskhost.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2324
(level 5) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\conhost.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2908
(level 5) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Media Player\dwm.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1028
(level 5) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\Accessories\services.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1200
(level 5) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\sppsvc.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1684
(level 5) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Videos\lsass.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1508
(level 5) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\spoolsv.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1348
(level 5) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\jre7\lib\amd64\dwm.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2804
(level 5) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\winlogon.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1668
(level 5) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Favorites\Idle.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2992
(level 5) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\OSPPSVC.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2656
(level 5) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ja-JP\wininit.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2352
(level 5) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\winlogon.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1776
(level 5) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Branding\ShellBrd\audiodg.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2116
(level 5) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\Shared Gadgets\lsass.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2696
(level 5) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\taskhost.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2860
(level 5) C:\Windows\System32\cmd.exe
  command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nidhYZx2f1.bat"
  PID: 2020
(level 6) C:\Windows\system32\w32tm.exe
  command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2660
(level 6) C:\Windows\Branding\ShellBrd\audiodg.exe
  command line: "C:\Windows\Branding\ShellBrd\audiodg.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 236
(level 7) C:\Windows\System32\cmd.exe
  command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SRNviAgREO.bat"
  PID: 2956
(level 8) C:\Windows\system32\w32tm.exe
  command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 1964
(level 8) C:\Windows\Branding\ShellBrd\audiodg.exe
  command line: "C:\Windows\Branding\ShellBrd\audiodg.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2640
(level 9) C:\Windows\System32\cmd.exe
  command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\s1KW4B7p45.bat"
  PID: 2008
(level 10) C:\Windows\system32\w32tm.exe
  command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2436
(level 10) C:\Windows\Branding\ShellBrd\audiodg.exe
  command line: "C:\Windows\Branding\ShellBrd\audiodg.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 880
(level 11) C:\Windows\System32\cmd.exe
  command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5ldsg1wMto.bat"
  PID: 780
(level 12) C:\Windows\system32\w32tm.exe
  command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2424
(level 12) C:\Windows\Branding\ShellBrd\audiodg.exe
  command line: "C:\Windows\Branding\ShellBrd\audiodg.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2020
(level 13) C:\Windows\System32\cmd.exe
  command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\23CLvB8Ots.bat"
  PID: 1580
(level 14) C:\Windows\system32\w32tm.exe
  command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2252
(level 14) C:\Windows\Branding\ShellBrd\audiodg.exe
  command line: "C:\Windows\Branding\ShellBrd\audiodg.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2804
(level 15) C:\Windows\System32\cmd.exe
  command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3j9hYFnRH7.bat"
  PID: 2964
(level 16) C:\Windows\system32\w32tm.exe
  command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2600
(level 16) C:\Windows\Branding\ShellBrd\audiodg.exe
  command line: "C:\Windows\Branding\ShellBrd\audiodg.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2688
(level 17) C:\Windows\System32\cmd.exe
  command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\v9lJjcBPjH.bat"
  PID: 2420
(level 18) C:\Windows\system32\w32tm.exe
  command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2360
(level 18) C:\Windows\Branding\ShellBrd\audiodg.exe
  command line: "C:\Windows\Branding\ShellBrd\audiodg.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1936
(level 19) C:\Windows\System32\cmd.exe
  command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4Tm0GxqeGU.bat"
  PID: 1656
(level 20) C:\Windows\system32\w32tm.exe
  command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 772
(level 20) C:\Windows\Branding\ShellBrd\audiodg.exe
  command line: "C:\Windows\Branding\ShellBrd\audiodg.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2684
(level 21) C:\Windows\System32\cmd.exe
  command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ap6i2Y3psm.bat"
  PID: 2680
(level 22) C:\Windows\system32\w32tm.exe
  command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 1928
(level 22) C:\Windows\Branding\ShellBrd\audiodg.exe
  command line: "C:\Windows\Branding\ShellBrd\audiodg.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 292
(level 23) C:\Windows\System32\cmd.exe
  command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EYKlAcFNfO.bat"
  PID: 1088
(level 24) C:\Windows\system32\w32tm.exe
  command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 3028
(level 24) C:\Windows\Branding\ShellBrd\audiodg.exe
  command line: "C:\Windows\Branding\ShellBrd\audiodg.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2828
Scheduled tasks created by the sample (57 invocations of C:\Windows\system32\schtasks.exe at tree depth 1; every one is tagged "Process spawned unexpected child process" and "Scheduled Task/Job: Scheduled Task", and every one passes /f to overwrite any existing task of the same name):

PID   Task name   Trigger        Run level   Target (/tr)
2804  taskhostt   MINUTE /mo 5   -           C:\Program Files (x86)\Windows Defender\it-IT\taskhost.exe
2888  taskhost    ONLOGON        HIGHEST     C:\Program Files (x86)\Windows Defender\it-IT\taskhost.exe
2648  taskhostt   MINUTE /mo 9   HIGHEST     C:\Program Files (x86)\Windows Defender\it-IT\taskhost.exe
2732  csrssc      MINUTE /mo 5   -           C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\csrss.exe
2636  csrss       ONLOGON        HIGHEST     C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\csrss.exe
2696  csrssc      MINUTE /mo 10  HIGHEST     C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\csrss.exe
2332  csrssc      MINUTE /mo 6   -           C:\Program Files\Microsoft Games\SpiderSolitaire\fr-FR\csrss.exe
1092  csrss       ONLOGON        HIGHEST     C:\Program Files\Microsoft Games\SpiderSolitaire\fr-FR\csrss.exe
2868  csrssc      MINUTE /mo 11  HIGHEST     C:\Program Files\Microsoft Games\SpiderSolitaire\fr-FR\csrss.exe
2020  taskhostt   MINUTE /mo 12  -           C:\providercommon\taskhost.exe
1484  taskhost    ONLOGON        HIGHEST     C:\providercommon\taskhost.exe
2472  taskhostt   MINUTE /mo 8   HIGHEST     C:\providercommon\taskhost.exe
2688  conhostc    MINUTE /mo 13  -           C:\Program Files\Uninstall Information\conhost.exe
2820  conhost     ONLOGON        HIGHEST     C:\Program Files\Uninstall Information\conhost.exe
2952  conhostc    MINUTE /mo 14  HIGHEST     C:\Program Files\Uninstall Information\conhost.exe
3004  dwmd        MINUTE /mo 11  -           C:\Program Files (x86)\Windows Media Player\dwm.exe
2856  dwm         ONLOGON        HIGHEST     C:\Program Files (x86)\Windows Media Player\dwm.exe
2680  dwmd        MINUTE /mo 8   HIGHEST     C:\Program Files (x86)\Windows Media Player\dwm.exe
2488  servicess   MINUTE /mo 5   -           C:\Program Files\Windows NT\Accessories\services.exe
800   services    ONLOGON        HIGHEST     C:\Program Files\Windows NT\Accessories\services.exe
1764  servicess   MINUTE /mo 13  HIGHEST     C:\Program Files\Windows NT\Accessories\services.exe
2172  sppsvcs     MINUTE /mo 11  -           C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\sppsvc.exe
1912  sppsvc      ONLOGON        HIGHEST     C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\sppsvc.exe
2372  sppsvcs     MINUTE /mo 8   HIGHEST     C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\sppsvc.exe
1868  lsassl      MINUTE /mo 6   -           C:\Users\Default\Videos\lsass.exe
1916  lsass       ONLOGON        HIGHEST     C:\Users\Default\Videos\lsass.exe
340   lsassl      MINUTE /mo 9   HIGHEST     C:\Users\Default\Videos\lsass.exe
448   spoolsvs    MINUTE /mo 6   -           C:\providercommon\spoolsv.exe
708   spoolsv     ONLOGON        HIGHEST     C:\providercommon\spoolsv.exe
2504  spoolsvs    MINUTE /mo 11  HIGHEST     C:\providercommon\spoolsv.exe
856   dwmd        MINUTE /mo 6   -           C:\Program Files\Java\jre7\lib\amd64\dwm.exe
2424  dwm         ONLOGON        HIGHEST     C:\Program Files\Java\jre7\lib\amd64\dwm.exe
2128  dwmd        MINUTE /mo 8   HIGHEST     C:\Program Files\Java\jre7\lib\amd64\dwm.exe
1144  winlogonw   MINUTE /mo 8   -           C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\winlogon.exe
2364  winlogon    ONLOGON        HIGHEST     C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\winlogon.exe
276   winlogonw   MINUTE /mo 7   HIGHEST     C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\winlogon.exe
1376  IdleI       MINUTE /mo 7   -           C:\Users\All Users\Favorites\Idle.exe
2136  Idle        ONLOGON        HIGHEST     C:\Users\All Users\Favorites\Idle.exe
1900  IdleI       MINUTE /mo 12  HIGHEST     C:\Users\All Users\Favorites\Idle.exe
1032  OSPPSVCO    MINUTE /mo 13  -           C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\OSPPSVC.exe
2964  OSPPSVC     ONLOGON        HIGHEST     C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\OSPPSVC.exe
2076  OSPPSVCO    MINUTE /mo 9   HIGHEST     C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\OSPPSVC.exe
2032  wininitw    MINUTE /mo 6   -           C:\Windows\ja-JP\wininit.exe
2588  wininit     ONLOGON        HIGHEST     C:\Windows\ja-JP\wininit.exe
536   wininitw    MINUTE /mo 7   HIGHEST     C:\Windows\ja-JP\wininit.exe
1724  winlogonw   MINUTE /mo 9   -           C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\winlogon.exe
804   winlogon    ONLOGON        HIGHEST     C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\winlogon.exe
2412  winlogonw   MINUTE /mo 10  HIGHEST     C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\winlogon.exe
2168  audiodga    MINUTE /mo 13  -           C:\Windows\Branding\ShellBrd\audiodg.exe
2192  audiodg     ONLOGON        HIGHEST     C:\Windows\Branding\ShellBrd\audiodg.exe
2280  audiodga    MINUTE /mo 9   HIGHEST     C:\Windows\Branding\ShellBrd\audiodg.exe
2568  lsassl      MINUTE /mo 10  -           C:\Program Files\Windows Sidebar\Shared Gadgets\lsass.exe
1700  lsass       ONLOGON        HIGHEST     C:\Program Files\Windows Sidebar\Shared Gadgets\lsass.exe
2012  lsassl      MINUTE /mo 12  HIGHEST     C:\Program Files\Windows Sidebar\Shared Gadgets\lsass.exe
580   taskhostt   MINUTE /mo 11  -           C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\taskhost.exe
2920  taskhost    ONLOGON        HIGHEST     C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\taskhost.exe
2936  taskhostt   MINUTE /mo 5   HIGHEST     C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\taskhost.exe
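The task registrations above follow one template per dropped payload: a file named after a core Windows process (csrss, lsass, winlogon, wininit, services, spoolsv, dwm, taskhost, conhost, audiodg, sppsvc, OSPPSVC, Idle) written somewhere it does not belong, then three tasks for it, one ONLOGON with /rl HIGHEST and two on short MINUTE intervals under a near-duplicate name. The following is an added detection example written for this page; it is not code from the report or from DCRat. It parses `schtasks /create` command lines (Sysmon event 1 or Security 4688 give the same strings) and flags that template. The five malicious sample lines are copied from the table above; the two benign lines, the list of impersonated process names and the allowed-directory set are my assumptions.

```python
"""Added example, not code from the sandbox report or from DCRat: parse
`schtasks.exe /create` command lines like the 57 recorded above and flag the
persistence pattern they show (a system-process name outside System32,
/rl HIGHEST, ONLOGON or a short MINUTE interval, several tasks per payload)."""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass, field

# Process names the dropped payloads above impersonate; assumed list, extend it.
SYSTEM_PROCESS_NAMES = {
    "csrss.exe", "lsass.exe", "winlogon.exe", "wininit.exe", "services.exe",
    "spoolsv.exe", "dwm.exe", "taskhost.exe", "conhost.exe", "audiodg.exe",
    "sppsvc.exe", "idle.exe", "osppsvc.exe", "smss.exe", "svchost.exe",
}
LEGIT_SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}  # assumed
VALUE_SWITCHES = {"/tn", "/sc", "/mo", "/tr", "/rl", "/ru", "/rp", "/st", "/sd"}


@dataclass
class TaskCreate:
    name: str
    schedule: str
    modifier: str | None
    target: str                 # action path with both quote layers stripped
    run_level: str | None
    findings: list[str] = field(default_factory=list)

    @property
    def trigger(self) -> str:
        return f"{self.schedule}/{self.modifier}" if self.modifier else self.schedule


def tokenize(cmdline: str) -> list[str]:
    """Split on whitespace but keep "..." groups (paths with spaces) whole."""
    return re.findall(r'"[^"]*"|\S+', cmdline)


def parse_schtasks_create(cmdline: str) -> TaskCreate | None:
    """Return a TaskCreate for a `schtasks /create` line, None for anything else."""
    tokens = tokenize(cmdline)
    if "/create" not in {t.lower() for t in tokens}:
        return None
    opts: dict[str, str] = {}
    i = 0
    while i < len(tokens):
        if tokens[i].lower() in VALUE_SWITCHES and i + 1 < len(tokens):
            opts[tokens[i].lower()] = tokens[i + 1]
            i += 1                      # skip the value token
        i += 1
    if "/tn" not in opts or "/tr" not in opts:
        return None

    def unquote(v: str) -> str:         # the report wraps /tr twice: "'C:\x.exe'"
        return v.strip('"').strip("'")

    return TaskCreate(
        name=unquote(opts["/tn"]),
        schedule=opts.get("/sc", "").upper(),
        modifier=opts.get("/mo"),
        target=unquote(opts["/tr"]),
        run_level=opts.get("/rl", "").upper() or None,
    )


def classify(task: TaskCreate) -> list[str]:
    """Reasons a task registration looks like masquerading persistence."""
    reasons = []
    directory, _, basename = task.target.lower().rpartition("\\")
    if basename in SYSTEM_PROCESS_NAMES and directory not in LEGIT_SYSTEM_DIRS:
        reasons.append(f"system-process name {basename} outside System32: {task.target}")
    if task.run_level == "HIGHEST":
        reasons.append("requests highest run level")
    if task.schedule == "ONLOGON":
        reasons.append("fires at every logon")
    if task.schedule == "MINUTE" and (task.modifier or "").isdigit() and int(task.modifier) <= 15:
        reasons.append(f"re-runs every {task.modifier} minutes")
    return reasons


def analyze(cmdlines: list[str]) -> list[TaskCreate]:
    """Parse every line and keep only the tasks with at least one finding."""
    flagged = []
    for line in cmdlines:
        task = parse_schtasks_create(line)
        if task is not None:
            task.findings = classify(task)
            if task.findings:
                flagged.append(task)
    return flagged


def triggers_by_target(cmdlines: list[str]) -> dict[str, set[str]]:
    """Group triggers by action path; this sample registers three per payload."""
    groups: dict[str, set[str]] = defaultdict(set)
    for line in cmdlines:
        task = parse_schtasks_create(line)
        if task is not None:
            groups[task.target.lower()].add(task.trigger)
    return dict(groups)


# Lines 1-5 are copied from the report; the last two are constructed benign lines.
SAMPLE_CMDLINES = [
    r'''schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Defender\it-IT\taskhost.exe'" /f''',
    r'''schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\it-IT\taskhost.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Defender\it-IT\taskhost.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\csrss.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Videos\lsass.exe'" /f''',
    r'''schtasks.exe /create /tn "NightlyBackup" /sc DAILY /st 02:00 /tr "C:\Program Files\Acme Backup\backup.exe" /f''',
    r'''schtasks.exe /query /tn "NightlyBackup"''',
]

if __name__ == "__main__":
    for task in analyze(SAMPLE_CMDLINES):
        print(f"{task.name:<12} {task.trigger:<10} " + "; ".join(task.findings))
    for target, triggers in triggers_by_target(SAMPLE_CMDLINES).items():
        if len(triggers) > 1:
            print(f"{target} registered under {len(triggers)} triggers: {sorted(triggers)}")
```

Fed real 4688 or Sysmon command lines instead of the sample list, `analyze` isolates any task whose action carries a System32 file name but lives under Program Files, Recovery, MSOCache or a user profile, and `triggers_by_target` surfaces the three-tasks-per-payload pattern this report shows. Note that the `/tr` value is quoted twice in these lines, `"'C:\...\x.exe'"`, so a rule that compares the raw string against a path list without stripping both layers will miss every one of them.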
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5:    7cf0266379a9098de07c69d3ab2ad82b
  SHA1:   0bf48149adf304eeb4f94b998f9a73a415ec1424
  SHA256: eecceebe31774348f90bb810bce3479ee3509a0f3199a58a525b9cfae6e4c84a
  SHA512: 4d4ca709af432e3ecebab587bbad9d641b70b413c6a62248353fe3c4c28ec423beaf67bdf39db7880506afb9c6dcba6ab3d9a653bca249f1654f4f6537206604
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5:    9b0267b5a0b12fc923e87ec729fe4336
  SHA1:   b5996a75d126ce4ab7ec0346bbdae57ac71b293d
  SHA256: d5bdea34cab0293cae812f73124221eab4823f89eccb07c1a245557a9f6d207e
  SHA512: 539b1b7bdb156f7882a72fd05633990713e87cca9ad9bdfc1168f41791c07b90fa6485036f5dd14b09904d389a7535972acae8679e9744e26115261b570b4e7c
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5:    0317211208f66de8e433f616a93ec715
  SHA1:   aa31c1a673fdf18a61f80271c70ac7a305098420
  SHA256: f4c4d8ee42f189cd88c01444fffa8843f8f55cf3aee99352f0228ea06c83ead1
  SHA512: 285069f9330054f4e8c3cbb746ab94f1f57f676f5a55fcba77fc782559188585b8941029c4a50fc187784dcc8e85ce439daa61bbc4d414c4205503ddb946bed5
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5:    03480acfcc1d46b2e3b1aa7c1fa029e5
  SHA1:   9db35b78ee84e050acd399cc62bbcec1bc75984c
  SHA256: 76a34cf74b44be991cc54f2fbd0582a3da97463c23eafcf6445b4709158f0a8f
  SHA512: 2a44e960b5840398f7be6cf632ac1ce45262b04852ff16cd4e98ec6db289bb0a25831ded03acb0083e32b98152ab0ec04cdaf17074996b6a7019732572ec27f4
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5:    5973ca6487780369f4e3e216c91c352c
  SHA1:   4dc4080cabaf168c6fea87d476dc8554fbf46eea
  SHA256: ac788f02231c94458c0d4f10926c7eaa120235fdb7d78d05a03fda3838453d4a
  SHA512: 01f807cb93a257cd608fcacdcc91cf6a6b5ad0052bd44703669181d4439a790611e255e63fbbf34da7e1bcba33ab466f639822b8d902990d260376447e7acf15
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5:    71cd6e3faaad08425de484da2d9b7952
  SHA1:   74f3c5d8ae698218631d04c490ef166674af8b38
  SHA256: de1fe058b8026e3c35d86a18145ccb789896ebacde82df506b5fef5b410b6686
  SHA512: fef075e536681c8ab2e848cfd69d22b80d261d6949dd91fe38ecf6ed26fbbea006c24479827056d53e9ddf993670543204f8a955eda811688da293e54bfc40b9
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5:    9bd2958765b6f9b993ddb72e724666ce
  SHA1:   6c8ebb87b13fed501316fb133108cab68e555945
  SHA256: 68ccd9252306bbfe03d9fab51a40c36c060bd437a3a524b2c6b5432b018ef74a
  SHA512: 43798d4b741f94aeef9ad0819a1d9793ac4c57bf101a01c8964b49302e3d1b767c39bd510a6a849f8e5d2132ce37c90ab215a257120b6137fc64fabab461e869
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5:    fc31ed2cfe190adf7aafd3ce56bf3df5
  SHA1:   3eec07c1d16370894eb15790c5f0f7c33259f4a5
  SHA256: a8f5766c29695ec038dbea4e78752503ff4f02991f8aa8026eb1e1a0b86e73f9
  SHA512: 3bac5c042d2169ee6484ab1859034296c59814ffb674f91c521837850ce89eb5e41e00fc55d9e129c07f5579e570a69f7d8c55484a7e2a4c2e0ba6d9a309965f
-
  Filesize: 205B
  MD5:    f8adab149e7bcf2683b6dafc6686a2c0
  SHA1:   71cb571132d72903838be4df554262430fb54bdf
  SHA256: ab7a7b16d82421c30efc5e70698a2e35bd9c708ef610d7248a31a6f9cbaf52b4
  SHA512: 4131aaeb00eaa37dbbe7aff03a4204df539fe546224fee0158e5d4786f3dd8c5f34bad9034f376a0693a15bfafe6738663abac4e81023335f92124acf688745a
-
  Filesize: 205B
  MD5:    dda9b1ac6658d56232e32b9430ec5324
  SHA1:   bbc83b79be52c96bbf64a46a85510e4f8a34238f
  SHA256: 4b56e05be1604ad573a2654303e707ad4640b6c9d56a3cca80f252f07e45f927
  SHA512: 3347f7748d53529c6ac2e40991328b6db29a617f6822d6d512b94e058c49e5d35f08d7127e5606139c3724e852b5077840b6d2497e71f724a290ed07e3919fdd
-
  Filesize: 205B
  MD5:    914980402614fbcb2cbcac2ee7b16fdb
  SHA1:   41967ed5dfbfc89624fa1af3183449c96f442d24
  SHA256: 1e9ab0547496465f1af266260c0f0ebe44caae0c5b0991792a5855fe67ec53bf
  SHA512: e6ca9ecc39b717011a0f739d6fe8e73999c25a3700b03cbeeac8506adebceef5e018bfe747dd537c0896b3e643fcbc14f14c5c3599b393f82e3e26213d8315df
-
  Filesize: 205B
  MD5:    074f1689edf942569ab7cbb141da7086
  SHA1:   d08c5da1b41556964161a7a0d729c27e218c6b1f
  SHA256: c0120365ecfff96d3ce5f804ccabe95d9543674349248ecdae3f80aca8599367
  SHA512: 901fa9211caa7a0380b3bd85b2aa59e4dc4ffc64cca5c09856656787303defc8fa83d0c4fe992fb400d1849b7bde777d86aeec4d503b9233f0f7564c63a547ab
-
  Filesize: 205B
  MD5:    334c6f16c5a94e7337ea72e36ef84155
  SHA1:   0f84089a1387ab6bd487647225b6459a82aa6193
  SHA256: 67e2ce0403a0ee5fd9dd0c3a646abc38f97e4a01d365b387acc2535d394405f8
  SHA512: 8cf3f7dcd0da89eed7ae23cbb8cdeecbf486d47a388e476332a7aa7eb54da5c35633334efd1a93d8c4fffbc1b36741c7f6862c145bed5a589b8a989876f39bc0
-
  Filesize: 70KB
  MD5:    49aebf8cbd62d92ac215b2923fb1b9f5
  SHA1:   1723be06719828dda65ad804298d0431f6aff976
  SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
  SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
  Filesize: 205B
  MD5:    3eb2b5893799b7c28a75c801ed820dab
  SHA1:   bac0823f0085e6559b0c4465ab00158bffe85a0e
  SHA256: 1320414c6a1d11b65c1b7886a65d2e558186b0eed0255c672da7b24acfa570e4
  SHA512: 6934b123e48476179e0a4be814c98095eec5a10bfcee2440a29a438ce3316c71f99d0c06ad07d5e292c729deee4fcc679e9b81dac718172eb400968d50e9387b
-
  Filesize: 205B
  MD5:    32f801eb2d191ca0aebdb632deb34b2a
  SHA1:   feeba455979c0f45fa67ce5f751c165a4c82003b
  SHA256: 3dd846400e380024f79960733d1d5e64b853a13ba5ebe33ba572f2f568168bfd
  SHA512: 259846dbb02123b0f8f229aad2ddab9162d72e87f3d4a6cb836c346fcaf8399d1960ffb40e1c8816a51ad9ccd477f2686b3e96a97d4c6b0cb55988794c42ee78
-
  Filesize: 181KB
  MD5:    4ea6026cf93ec6338144661bf1202cd1
  SHA1:   a1dec9044f750ad887935a01430bf49322fbdcb7
  SHA256: 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
  SHA512: 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
  Filesize: 205B
  MD5:    d67780a4d021266aa3d6f3130e8e9fc0
  SHA1:   e9e6a14dd3c7ad0e6a3fc57e2c5cad448a70f385
  SHA256: cc0aec388fbc3d19508a59acc8b9664ce561f16705bd0fe6dc6ca8e1aea4012a
  SHA512: bda26f6eea4a70064b0491891d5b3621d60958f675e0b06115cd8b4fd531cfb520d0ef82b3ae52c1ac09c53e1cb36c30eddfbffdae8afa6a9d2dadc2d1ddb923
-
  Filesize: 205B
  MD5:    53e2e41ef02df497b5fdf3932270d3ae
  SHA1:   9a4a8938d2efc04828b9d746effdaabe2fe0b1e1
  SHA256: e66aade1dd64171af205d36aabf04a80ebfd480a6975787fde3ec5900f8c6a42
  SHA512: f76e9697e0a781a2b8bb3758657c80b57f4f68726f0125c79f390da6abed1a8aa3d113e9614c8916d5f873bb50ecbbce71b454e404c1a651e11ba0a20ee58a91
-
  Filesize: 205B
  MD5:    2592693aaef533cc4233fb7d5facc83d
  SHA1:   93768dd7e20ab8c8fdebc0d7b2f7c78bd0b638b9
  SHA256: 1dec952aaaa824f37bebb972f1862d71542658a9088ee58bdabbb81cdf000eb6
  SHA512: 57bbaae795a057adf01c9153866917944ef51ed1b1c5729cb266a0f442ee45a22cce93fc6b9518ea8ac12401c18b79003c04b226f9f0c712aae8eaf32c9bb9b3
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5:    650f1c15728513419fff6f41c76edcca
  SHA1:   fae0cac51a1dfc585fc956dd5c252b64187c3253
  SHA256: fa7122d1f0a38958b9d29b2da7bb7466d5b8af422ff539e4c84969c075c7f370
  SHA512: 8b1786348ba9796bd30f7201f8d378b24aeed10b242ba93b6e1180cbd1d1c858ddf2e8025dfb2e99607553936899d9097abe0659db61f21e51cef5e2a804b10f
-
  Filesize: 36B
  MD5:    6783c3ee07c7d151ceac57f1f9c8bed7
  SHA1:   17468f98f95bf504cc1f83c49e49a78526b3ea03
  SHA256: 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
  SHA512: c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8
-
  Filesize: 1.0MB
  MD5:    bd31e94b4143c4ce49c17d3af46bcad0
  SHA1:   f8c51ff3ff909531d9469d4ba1bbabae101853ff
  SHA256: b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
  SHA512: f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
  Filesize: 197B
  MD5:    8088241160261560a02c84025d107592
  SHA1:   083121f7027557570994c9fc211df61730455bb5
  SHA256: 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
  SHA512: 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478