Analysis
-
max time kernel
146s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
22-12-2024 00:27
Behavioral task
behavioral1
Sample
JaffaCakes118_8a2974cad58c3a1563b09a8ee643302fc091b12c5889f58ad1ff9309710cc937.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
JaffaCakes118_8a2974cad58c3a1563b09a8ee643302fc091b12c5889f58ad1ff9309710cc937.exe
Resource
win10v2004-20241007-en
General
-
Target
JaffaCakes118_8a2974cad58c3a1563b09a8ee643302fc091b12c5889f58ad1ff9309710cc937.exe
-
Size
1.3MB
-
MD5
79f3c31580cb804e5813b7422c1a6f76
-
SHA1
c21c4473a3dbaa35d558100a59c141f9b31b7fd0
-
SHA256
8a2974cad58c3a1563b09a8ee643302fc091b12c5889f58ad1ff9309710cc937
-
SHA512
7c4bc2f59072f3aa62cb69eb10fa995c7906de7c545d22ef4d7695d9df7c62af7abb226526173bd20fd841d99d83c93b029861d7bde0a4f3df44b4ebe7a54051
-
SSDEEP
24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 12 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2992 2916 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2768 2916 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2680 2916 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2648 2916 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2704 2916 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2232 2916 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2216 2916 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1696 2916 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2864 2916 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2944 2916 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2968 2916 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3004 2916 schtasks.exe 33 -
resource yara_rule behavioral1/files/0x00070000000186c3-11.dat dcrat behavioral1/memory/2776-13-0x0000000000BC0000-0x0000000000CD0000-memory.dmp dcrat behavioral1/memory/764-56-0x0000000000D70000-0x0000000000E80000-memory.dmp dcrat behavioral1/memory/3016-115-0x0000000001020000-0x0000000001130000-memory.dmp dcrat behavioral1/memory/1452-175-0x0000000000260000-0x0000000000370000-memory.dmp dcrat behavioral1/memory/900-235-0x00000000010C0000-0x00000000011D0000-memory.dmp dcrat behavioral1/memory/888-295-0x0000000001140000-0x0000000001250000-memory.dmp dcrat behavioral1/memory/2888-532-0x00000000003D0000-0x00000000004E0000-memory.dmp dcrat -
Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 236 powershell.exe 1016 powershell.exe 564 powershell.exe 1788 powershell.exe 1268 powershell.exe -
Executes dropped EXE 11 IoCs
pid Process 2776 DllCommonsvc.exe 764 audiodg.exe 3016 audiodg.exe 1452 audiodg.exe 900 audiodg.exe 888 audiodg.exe 2240 audiodg.exe 2708 audiodg.exe 392 audiodg.exe 2888 audiodg.exe 2560 audiodg.exe -
Loads dropped DLL 2 IoCs
pid Process 2468 cmd.exe 2468 cmd.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs
flow ioc 5 raw.githubusercontent.com 9 raw.githubusercontent.com 31 raw.githubusercontent.com 19 raw.githubusercontent.com 22 raw.githubusercontent.com 25 raw.githubusercontent.com 28 raw.githubusercontent.com 35 raw.githubusercontent.com 4 raw.githubusercontent.com 12 raw.githubusercontent.com 15 raw.githubusercontent.com -
Drops file in Program Files directory 2 IoCs
description ioc Process File created C:\Program Files\Windows Sidebar\it-IT\lsass.exe DllCommonsvc.exe File created C:\Program Files\Windows Sidebar\it-IT\6203df4a6bafc7 DllCommonsvc.exe -
Drops file in Windows directory 3 IoCs
description ioc Process File created C:\Windows\BitLockerDiscoveryVolumeContents\DllCommonsvc.exe DllCommonsvc.exe File opened for modification C:\Windows\BitLockerDiscoveryVolumeContents\DllCommonsvc.exe DllCommonsvc.exe File created C:\Windows\BitLockerDiscoveryVolumeContents\a76d7bf15d8370 DllCommonsvc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_8a2974cad58c3a1563b09a8ee643302fc091b12c5889f58ad1ff9309710cc937.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 12 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2768 schtasks.exe 2648 schtasks.exe 2864 schtasks.exe 2944 schtasks.exe 2968 schtasks.exe 3004 schtasks.exe 2992 schtasks.exe 2680 schtasks.exe 2704 schtasks.exe 2232 schtasks.exe 2216 schtasks.exe 1696 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 16 IoCs
pid Process 2776 DllCommonsvc.exe 564 powershell.exe 1016 powershell.exe 236 powershell.exe 1788 powershell.exe 1268 powershell.exe 764 audiodg.exe 3016 audiodg.exe 1452 audiodg.exe 900 audiodg.exe 888 audiodg.exe 2240 audiodg.exe 2708 audiodg.exe 392 audiodg.exe 2888 audiodg.exe 2560 audiodg.exe -
Suspicious use of AdjustPrivilegeToken 16 IoCs
description pid Process Token: SeDebugPrivilege 2776 DllCommonsvc.exe Token: SeDebugPrivilege 564 powershell.exe Token: SeDebugPrivilege 1016 powershell.exe Token: SeDebugPrivilege 236 powershell.exe Token: SeDebugPrivilege 1788 powershell.exe Token: SeDebugPrivilege 1268 powershell.exe Token: SeDebugPrivilege 764 audiodg.exe Token: SeDebugPrivilege 3016 audiodg.exe Token: SeDebugPrivilege 1452 audiodg.exe Token: SeDebugPrivilege 900 audiodg.exe Token: SeDebugPrivilege 888 audiodg.exe Token: SeDebugPrivilege 2240 audiodg.exe Token: SeDebugPrivilege 2708 audiodg.exe Token: SeDebugPrivilege 392 audiodg.exe Token: SeDebugPrivilege 2888 audiodg.exe Token: SeDebugPrivilege 2560 audiodg.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2220 wrote to memory of 2592 2220 JaffaCakes118_8a2974cad58c3a1563b09a8ee643302fc091b12c5889f58ad1ff9309710cc937.exe 29 PID 2220 wrote to memory of 2592 2220 JaffaCakes118_8a2974cad58c3a1563b09a8ee643302fc091b12c5889f58ad1ff9309710cc937.exe 29 PID 2220 wrote to memory of 2592 2220 JaffaCakes118_8a2974cad58c3a1563b09a8ee643302fc091b12c5889f58ad1ff9309710cc937.exe 29 PID 2220 wrote to memory of 2592 2220 JaffaCakes118_8a2974cad58c3a1563b09a8ee643302fc091b12c5889f58ad1ff9309710cc937.exe 29 PID 2592 wrote to memory of 2468 2592 WScript.exe 30 PID 2592 wrote to memory of 2468 2592 WScript.exe 30 PID 2592 wrote to memory of 2468 2592 WScript.exe 30 PID 2592 wrote to memory of 2468 2592 WScript.exe 30 PID 2468 wrote to memory of 2776 2468 cmd.exe 32 PID 2468 wrote to memory of 2776 2468 cmd.exe 32 PID 2468 wrote to memory of 2776 2468 cmd.exe 32 PID 2468 wrote to memory of 2776 2468 cmd.exe 32 PID 2776 wrote to memory of 1268 2776 DllCommonsvc.exe 46 PID 2776 wrote to memory of 1268 2776 DllCommonsvc.exe 46 PID 2776 wrote to memory of 1268 2776 DllCommonsvc.exe 46 PID 2776 wrote to memory of 1788 2776 DllCommonsvc.exe 47 PID 2776 wrote to memory of 1788 2776 DllCommonsvc.exe 47 PID 2776 wrote to memory of 1788 2776 DllCommonsvc.exe 47 PID 2776 wrote to memory of 564 2776 DllCommonsvc.exe 48 PID 2776 wrote to memory of 564 2776 DllCommonsvc.exe 48 PID 2776 wrote to memory of 564 2776 DllCommonsvc.exe 48 PID 2776 wrote to memory of 236 2776 DllCommonsvc.exe 49 PID 2776 wrote to memory of 236 2776 DllCommonsvc.exe 49 PID 2776 wrote to memory of 236 2776 DllCommonsvc.exe 49 PID 2776 wrote to memory of 1016 2776 DllCommonsvc.exe 50 PID 2776 wrote to memory of 1016 2776 DllCommonsvc.exe 50 PID 2776 wrote to memory of 1016 2776 DllCommonsvc.exe 50 PID 2776 wrote to memory of 1884 2776 DllCommonsvc.exe 56 PID 2776 wrote to memory of 1884 2776 DllCommonsvc.exe 56 PID 2776 wrote to memory of 1884 2776 DllCommonsvc.exe 56 PID 1884 wrote to memory of 1808 1884 cmd.exe 58 PID 1884 wrote to memory of 1808 1884 cmd.exe 58 PID 1884 wrote to memory of 1808 1884 cmd.exe 58 PID 1884 wrote to memory of 764 1884 cmd.exe 59 PID 1884 wrote to memory of 764 1884 cmd.exe 59 PID 1884 wrote to memory of 764 1884 cmd.exe 59 PID 764 wrote to memory of 1264 764 audiodg.exe 60 PID 764 wrote to memory of 1264 764 audiodg.exe 60 PID 764 wrote to memory of 1264 764 audiodg.exe 60 PID 1264 wrote to memory of 1056 1264 cmd.exe 62 PID 1264 wrote to memory of 1056 1264 cmd.exe 62 PID 1264 wrote to memory of 1056 1264 cmd.exe 62 PID 1264 wrote to memory of 3016 1264 cmd.exe 63 PID 1264 wrote to memory of 3016 1264 cmd.exe 63 PID 1264 wrote to memory of 3016 1264 cmd.exe 63 PID 3016 wrote to memory of 1800 3016 audiodg.exe 64 PID 3016 wrote to memory of 1800 3016 audiodg.exe 64 PID 3016 wrote to memory of 1800 3016 audiodg.exe 64 PID 1800 wrote to memory of 2856 1800 cmd.exe 66 PID 1800 wrote to memory of 2856 1800 cmd.exe 66 PID 1800 wrote to memory of 2856 1800 cmd.exe 66 PID 1800 wrote to memory of 1452 1800 cmd.exe 67 PID 1800 wrote to memory of 1452 1800 cmd.exe 67 PID 1800 wrote to memory of 1452 1800 cmd.exe 67 PID 1452 wrote to memory of 1096 1452 audiodg.exe 68 PID 1452 wrote to memory of 1096 1452 audiodg.exe 68 PID 1452 wrote to memory of 1096 1452 audiodg.exe 68 PID 1096 wrote to memory of 1444 1096 cmd.exe 70 PID 1096 wrote to memory of 1444 1096 cmd.exe 70 PID 1096 wrote to memory of 1444 1096 cmd.exe 70 PID 1096 wrote to memory of 900 1096 cmd.exe 71 PID 1096 wrote to memory of 900 1096 cmd.exe 71 PID 1096 wrote to memory of 900 1096 cmd.exe 71 PID 900 wrote to memory of 2444 900 audiodg.exe 72 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8a2974cad58c3a1563b09a8ee643302fc091b12c5889f58ad1ff9309710cc937.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8a2974cad58c3a1563b09a8ee643302fc091b12c5889f58ad1ff9309710cc937.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2220 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2592 -
C:\Windows\SysWOW64\cmd.execmd /c ""C:\providercommon\1zu9dW.bat" "3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2468 -
C:\providercommon\DllCommonsvc.exe"C:\providercommon\DllCommonsvc.exe"4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2776 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1268
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\BitLockerDiscoveryVolumeContents\DllCommonsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1788
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\it-IT\lsass.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:564
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsm.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:236
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\audiodg.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1016
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\raDEUZ9qwq.bat"5⤵
- Suspicious use of WriteProcessMemory
PID:1884 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:26⤵PID:1808
-
-
C:\providercommon\audiodg.exe"C:\providercommon\audiodg.exe"6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:764 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\n9GQh003RW.bat"7⤵
- Suspicious use of WriteProcessMemory
PID:1264 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:28⤵PID:1056
-
-
C:\providercommon\audiodg.exe"C:\providercommon\audiodg.exe"8⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3016 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vCRFnHZZKP.bat"9⤵
- Suspicious use of WriteProcessMemory
PID:1800 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:210⤵PID:2856
-
-
C:\providercommon\audiodg.exe"C:\providercommon\audiodg.exe"10⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1452 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\S2GQUB77UU.bat"11⤵
- Suspicious use of WriteProcessMemory
PID:1096 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:212⤵PID:1444
-
-
C:\providercommon\audiodg.exe"C:\providercommon\audiodg.exe"12⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:900 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NfeiSKMyn5.bat"13⤵PID:2444
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:214⤵PID:1148
-
-
C:\providercommon\audiodg.exe"C:\providercommon\audiodg.exe"14⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:888 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\onYrHPGvDe.bat"15⤵PID:984
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:216⤵PID:1680
-
-
C:\providercommon\audiodg.exe"C:\providercommon\audiodg.exe"16⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2240 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FFH8oguQ3d.bat"17⤵PID:1116
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:218⤵PID:336
-
-
C:\providercommon\audiodg.exe"C:\providercommon\audiodg.exe"18⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2708 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\b6uRiEqY03.bat"19⤵PID:2484
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:220⤵PID:1252
-
-
C:\providercommon\audiodg.exe"C:\providercommon\audiodg.exe"20⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:392 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Pbn0SniZDX.bat"21⤵PID:1596
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:222⤵PID:2780
-
-
C:\providercommon\audiodg.exe"C:\providercommon\audiodg.exe"22⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2888 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hbGxgnDDQj.bat"23⤵PID:1156
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:224⤵PID:2344
-
-
C:\providercommon\audiodg.exe"C:\providercommon\audiodg.exe"24⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2560 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\d5cQTyHbvx.bat"25⤵PID:520
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:226⤵PID:2144
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 6 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\DllCommonsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2992
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\DllCommonsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2768
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 6 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\DllCommonsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2680
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Sidebar\it-IT\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2648
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\it-IT\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2704
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Sidebar\it-IT\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2232
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2216
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1696
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2864
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\providercommon\audiodg.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2944
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\providercommon\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2968
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\providercommon\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3004
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5696109ac99eee2cc17f21acba2295b03
SHA1d9fd817b64c0cf39e7f70c8847bb8c44eb46f3d7
SHA256bb5e6605cddcef292e748d0cc9386c27aee87b382fc664951e1486fa29b70a34
SHA512392d97eb5ecd74f446afead4bb6ea562e9ad492155af3171c134745032a50e59ccbb181f410c4cc613fa0d6903fdc8303b45e00fb652606b01ef1a582a2b535a
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5226a98f8b4002116e59fea06a3f3a11a
SHA10f77cbf244fdc3fde236c5ee0c6dbd9bd2588090
SHA256d2e0c236020922dee6190c9807bcedd6921bf2af27de0921cb2d4f3f9346fc1d
SHA51291fa7eb62a3763dd1cd6b5faea724f7e773ed64702b84ea76557da57159c9748b7abdf5f86b29ca432ae87d9f42c94a69a50f41bdec55aa673e0d52f8ee92918
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD53d2c4c7ca8d1fc49007950b8f3df8a8a
SHA13e472d177c4cf57e22fd14506a136465aeb279b3
SHA2564bfc31f35fc43fcbc55c4ba7f159460f5f97844d45da35ba00921a275fef8578
SHA5121fc328faacb178ddb47356917a04b4e53ec52fa4c5318f26c919196aa52d67e3f9ba730eecc517bad869cb487368b9e8f5c0f0fa7312e9c13289fb5dad5fbfa0
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5289ed7ea8a6b4d827f00f094721513a0
SHA1c750d13c054a60719d10fc6ecac2aff9534ea75c
SHA256677c3891818af1925a55c1dba0222d76b4838224ad89fc75f9e6f7aad0239550
SHA512899abf7294cf686557fb5cf013df3af396b007ef1feedbc0942cabcefe3904f2d7a2f15f94ec3389f5733ca42bb86e41656a01b705eab363b080b97267e9d84d
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD51c9817de827a6f245de8face35d5ae25
SHA1d352eb961d19ee63182309e93724284c20ec42b1
SHA25669c4c3b3f890aa68778ef462381a4641c7d0b91f455d58bef72cc7e5b8442e80
SHA51272b6de3ded4136acb1e091e769e1e1ccf56a0b53ff43bf93e8979c51a720f13c5365965bc37f4a0d2ecf412977436058d7ab1c591b346d5bf18938060f7a8eb4
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD537b0c79ac4193f6942a5663ffd2554d6
SHA196816280343348f8c7ce899264d23bf9c450ebed
SHA2562ba55c528e66b73531055b13ba3ccc1d24d0af7eae86777ffd26fd0a79e7b5ac
SHA512b394575be60ecd0fafbe9486714a315499b2a37c6e63d4b70532d6ccc372470b3d5cf7452547d2c15f5dc3f07f0f483df545c19e148a4a24698cf279a8286971
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5ead284e9fde85be76d44af035db4ed7d
SHA15c97be567483ec0107272d7402776567a7a7576e
SHA256e493b460ccd91ae9bb6f716d973c11b5ecc69a53172fa4c1dd6b3d6908f38e46
SHA512729af7cd084d8da26da70bd3f20d5f951a0c4f457d16cf9c23ad4186f21bf79ea9d9c803ac2d64207acd4f6dfb600719080f2c7426ecef9d4a0e117e627eb58d
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5df26c0005c8ead4efadbdddd34263450
SHA1e52755d2083e16acb96a618fcf25c8fb4402d28d
SHA25653eb515c8b3bae468f999a0a1af59af9087fa11212aabeb4d2c409212887827c
SHA512b4180efd5ca14a2a81f4d7d7463901a940c95a326e491ead0b3d108ca36e52e4f012db202c1a678d00cf6d9e4e7f42c5286399b449c1d227d453ec716166d063
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5dd64c336fe6e707a27d766030682d623
SHA17ad0e6e9b36626b0c82eede2271777220d14957e
SHA256d4a01d2c20b08f00ba71d93db18254dfac1e2e1913e09e07cfc183d893870e02
SHA512138a5ce05e396c1af0ed519afd920302e4332293e931883e83d676874228c21e5e59d7c0e08d998ac2fe2be582a8c2d49e418f91419a82b3fd1ca8a385cc899a
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
194B
MD53121b09d44426498319e23d2b03d3596
SHA1430126329db6654661bf75d78327344f31e15f82
SHA256ab571c40dfb4d93f0097f457dd88ee9fb26e82366e76cbf50fbaa141568caa53
SHA5126a5bd2cb8af3be4109052d4c46f0a39e8c85e77e74b26b79ae6a902a5bf16e27542e0f06f1149a3414882b5aff8253984584c5a651d27b792e9915f9983cdf13
-
Filesize
194B
MD5b448b2c0fc5a3588458074e3230b93f3
SHA113a5a1f86df2ee814cee0b7a29a34182402297a2
SHA25627b1cd35ce2ce3431e3571d053a88a6de309a8abe0ebbba73a3b5060c4bacb2c
SHA51279f7270bf89b92353c4c65561ca634341fa7c951fca2538218cc0b99856e29f6f7e3ed5e1a4be9e76f6754b9252462c6494d73aecfc113bac845daa253315093
-
Filesize
194B
MD5ea72dd783643f67e0517d1991900f4f0
SHA1ce5d8e3a44147a1dc324c716c3bd4a77b63e5731
SHA256a7723bdbe8b7f187b41961d12ff19d3b8f8b5193b89d45bdf8452748248ee8ca
SHA512b50bb013a86a217dbdcf6385f2014655e2f5736e51c1ff22134e40092301adb05e2a9f7492b68b99438dd9f3cb5322211ab1bc063f357a8b9757325531a753d4
-
Filesize
194B
MD505a61ae914293fc66b0b235759a4a6b0
SHA1e0e413953f50dfae097ddf88adb81a50e308178e
SHA2569301e8cc115f751b912bfe9e91c083611f38cd5651b2519dc208c6a3a5984ea0
SHA512dd1f6723d76d6ee86dcd3583cb0f11bba57bfc70bfb24d7af86d573cd3636d51b2f8759fb6b2a718368595a4b5f3ca8808b438f588f018bd18e43baf7e1d34a2
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
194B
MD5fc8734036905652510e2de421e375046
SHA1d85e832abb4e119e46c1a0583e0640a647674c54
SHA256e88581344aab7afcf736735031ff52adf1ca3c470b78a460b57b20960f5a5737
SHA5122bd10db1dac58a004392bd54913b16f2a9076e07926486e8bd1c5bc8e8a16d71da587dd953a97ba6ed62bab0822f10a1114f3d52fc7af02ea5544ffeefadbfdc
-
Filesize
194B
MD58ee78f223a6c5df96d8630f7bfc6eeaa
SHA1ea74a505a92f58b92a2fe4a3ec38b0b159227129
SHA256aaede0b8f82f7f39e47f88a3a392b845bd1700d0572744548d768d5b0b438206
SHA51289a99bf59d7c2b58b09c43162cea86aa5773e07ecb9523df5a6c333f6aa946c4471c9fc005fc81b1f920e00fdc5e7bd80f6f9a8d63b50bede7549d2b278a949a
-
Filesize
194B
MD56b9aee1f273bfa8e5fc543d5494966b3
SHA1aa1d66e326c3e77302696a4ad3dcc45c2472443d
SHA256a15f214e757b55647f91eb1eca3af9dddfbc77efbcef273a50c10d3c01bfb18d
SHA512f4881fe47218700f78c9102c81fecc1a3b9c901dbd9ca7aecc8e1e4f79c134513897acbcdd0465c22750a3413ba0df3eafe52c7b7175a31d486ce7c0d7ed5d49
-
Filesize
194B
MD5f869902ce0c4a6777cf15d732844b899
SHA18bde7174fb5e806a29d71ef8ff0ca43b58056eca
SHA256903e56fa4f2b7b0fecb208ff2cbe194ba7d158c2f0219ce06cb88c3544f3800a
SHA512b7ebdb800d2ef79ffe67340b80b4ca9b761c5ed673ce86b7be9bd0de14ea302c5d6cdb0037247fb8e6a733ab3a011ecbe84581afd458a063b8820da65dbb352b
-
Filesize
194B
MD502688a14946ebc5aa69921b0982c9568
SHA1c02deaea009388e9344e66bfbb95e84d809f9ba1
SHA25653fdea08dfa294e96440a5a329d16dee1198a61ec3b007a8a37c830670f87509
SHA51255f0de813e636bac7f04d331bf7e4abb6a41f8fff7772d2d2a1652f87c8db9b9190dc47a9bb4abeefa4e390a2be9c0cc05adced15ff7a8da7bd19554a54ebce1
-
Filesize
194B
MD5b78ae9481f365822b28342c53078d8e4
SHA110099d56bf0c4fd464a080796f2acd7b23c3988f
SHA256756981a451ed26a6d5762ba59f59531cca2beef4d7b0c30bdb3aa5e4275ca35e
SHA5125ce8f9736d79a0113eda2cb8fea6872038cf777936c47f58675d1176d8928ff4e27695741aa555d1e44f9b5902a38c20e5881782f250565140e1c1945e35aa56
-
Filesize
194B
MD571e11a18c3f458fd47a625d5e17306f5
SHA1c1413f96f8975f5ee5318d0ed59ff6ec946c71f7
SHA2566eb26d18f2e40cc3ae5eeb2ee23e8443eb33aec29ade96a7426d69fd80ad9447
SHA5126648131ee6314dd3c38e8aaf533f7569209eea46ae82d50c259f7de07f5b6e170a0c18f12afebf1bd805f19649bb2f97d4b133c972220c0e1d27912a0c2bf4b0
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize7KB
MD5107bb10762a6f3521845a38aac1b9338
SHA16343cb66c77c3686f5cd052c977e4c74b12d1a9f
SHA256733ad7671e35ac47e34789257c7964c20159d5b2212d262b007b3eaae1d240de
SHA51233fc879edb9513dda23199b18d8c9d920d640e28c126bcf4a869054e91ac1260d7be7c146b17a5c3b2c2b1d6ed2d3e75897a44162c9a3dbb1f62af84c94b01b0
-
Filesize
36B
MD56783c3ee07c7d151ceac57f1f9c8bed7
SHA117468f98f95bf504cc1f83c49e49a78526b3ea03
SHA2568ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8
-
Filesize
197B
MD58088241160261560a02c84025d107592
SHA1083121f7027557570994c9fc211df61730455bb5
SHA2562072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA51220d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478
-
Filesize
1.0MB
MD5bd31e94b4143c4ce49c17d3af46bcad0
SHA1f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394