Analysis
- max time kernel: 149s
- max time network: 149s
- platform: windows7_x64
- resource: win7-20241010-en
- resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
- submitted: 22-12-2024 05:51
Behavioral task: behavioral1
- Sample: JaffaCakes118_7e03fce2aff96eac0e51bcc0a64acf38694719090cbcf6fb3ed7c6269587e0e2.exe
- Resource: win7-20241010-en
Behavioral task: behavioral2
- Sample: JaffaCakes118_7e03fce2aff96eac0e51bcc0a64acf38694719090cbcf6fb3ed7c6269587e0e2.exe
- Resource: win10v2004-20241007-en
General
- Target: JaffaCakes118_7e03fce2aff96eac0e51bcc0a64acf38694719090cbcf6fb3ed7c6269587e0e2.exe
- Size: 1.3MB
- MD5: 4fbd106c21a6582536ca54a2f5ecc0fb
- SHA1: 31d2091965cbdcb75bdd8f9e6c8502fd40f7d621
- SHA256: 7e03fce2aff96eac0e51bcc0a64acf38694719090cbcf6fb3ed7c6269587e0e2
- SHA512: 03f85b890ce16e6c182b5c76a4b22fa7109564422fa5d4c86a417b183bff4ab546b6a0672bdb2fcff3d7f1154a72fc6cd6987852af41dafe3e43b295a2f3808d
- SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.
Dcrat family
Process spawned unexpected child process 60 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
| description | pid | pid_target | Process | procid_target |
|---|---|---|---|---|

All 60 rows share the same description, target and parent: description "Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process", pid_target 2224, Process schtasks.exe, procid_target 33. The pid column takes these 60 values, in report order:

2796, 2736, 2784, 2628, 2408, 2720, 2356, 2212, 2360, 284, 2392, 320, 1948, 2380, 1104, 2508, 2612, 2152, 1328, 1560, 1540, 952, 616, 832, 948, 1156, 2632, 2024, 2240, 1108, 1220, 844, 2260, 1616, 2600, 1824, 2348, 2936, 2872, 2884, 2776, 1092, 2284, 960, 3044, 3064, 2928, 2852, 2960, 2640, 2968, 2944, 2424, 1324, 1976, 2332, 2812, 2132, 560, 2832
| resource | yara_rule |
|---|---|
| behavioral1/files/0x00070000000195ad-11.dat | dcrat |
| behavioral1/memory/3008-13-0x0000000000CF0000-0x0000000000E00000-memory.dmp | dcrat |
| behavioral1/memory/3012-179-0x00000000010B0000-0x00000000011C0000-memory.dmp | dcrat |
| behavioral1/memory/2220-298-0x0000000001290000-0x00000000013A0000-memory.dmp | dcrat |
| behavioral1/memory/1304-417-0x00000000003F0000-0x0000000000500000-memory.dmp | dcrat |
| behavioral1/memory/1092-477-0x00000000000E0000-0x00000000001F0000-memory.dmp | dcrat |
| behavioral1/memory/2056-537-0x0000000000BC0000-0x0000000000CD0000-memory.dmp | dcrat |
Command and Scripting Interpreter: PowerShell 1 TTPs 22 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
| pid | Process |
|---|---|

All 22 rows have Process powershell.exe; the pid column, in report order: 2984, 2148, 1380, 284, 2176, 1524, 1980, 1088, 1500, 1280, 1692, 2416, 2924, 1524, 1812, 1500, 1784, 2092, 1508, 2428, 2120, 2988
Executes dropped EXE 11 IoCs
| pid | Process |
|---|---|
| 3008 | DllCommonsvc.exe |
| 1924 | DllCommonsvc.exe |
| 3012 | powershell.exe |
| 1428 | powershell.exe |
| 2220 | powershell.exe |
| 2412 | powershell.exe |
| 1304 | powershell.exe |
| 1092 | powershell.exe |
| 2056 | powershell.exe |
| 3064 | powershell.exe |
| 700 | powershell.exe |
Loads dropped DLL 2 IoCs
| pid | Process |
|---|---|
| 2944 | cmd.exe |
| 2944 | cmd.exe |
Legitimate hosting services abused for malware hosting/C2 1 TTPs 9 IoCs
| flow | ioc |
|---|---|
| 19 | raw.githubusercontent.com |
| 23 | raw.githubusercontent.com |
| 29 | raw.githubusercontent.com |
| 9 | raw.githubusercontent.com |
| 12 | raw.githubusercontent.com |
| 16 | raw.githubusercontent.com |
| 26 | raw.githubusercontent.com |
| 4 | raw.githubusercontent.com |
| 5 | raw.githubusercontent.com |
Drops file in Program Files directory 21 IoCs
| description | ioc | Process |
|---|---|---|
| File created | C:\Program Files\Microsoft Games\SpiderSolitaire\en-US\explorer.exe | DllCommonsvc.exe |
| File opened for modification | C:\Program Files\Microsoft Games\SpiderSolitaire\en-US\explorer.exe | DllCommonsvc.exe |
| File created | C:\Program Files\Windows Journal\it-IT\e978f868350d50 | DllCommonsvc.exe |
| File created | C:\Program Files\Java\jdk1.7.0_80\db\conhost.exe | DllCommonsvc.exe |
| File created | C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\powershell.exe | DllCommonsvc.exe |
| File created | C:\Program Files\Java\jre7\lib\ext\winlogon.exe | DllCommonsvc.exe |
| File created | C:\Program Files\Windows Defender\WmiPrvSE.exe | DllCommonsvc.exe |
| File created | C:\Program Files\Windows Defender\24dbde2999530e | DllCommonsvc.exe |
| File created | C:\Program Files\Mozilla Firefox\defaults\pref\winlogon.exe | DllCommonsvc.exe |
| File created | C:\Program Files\Mozilla Firefox\defaults\pref\cc11b995f2a76d | DllCommonsvc.exe |
| File created | C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\e978f868350d50 | DllCommonsvc.exe |
| File created | C:\Program Files\MSBuild\101b941d020240 | DllCommonsvc.exe |
| File created | C:\Program Files\Java\jdk1.7.0_80\db\088424020bedd6 | DllCommonsvc.exe |
| File created | C:\Program Files\MSBuild\lsm.exe | DllCommonsvc.exe |
| File created | C:\Program Files\Java\jre7\lib\ext\cc11b995f2a76d | DllCommonsvc.exe |
| File created | C:\Program Files (x86)\Microsoft.NET\wininit.exe | DllCommonsvc.exe |
| File created | C:\Program Files (x86)\Microsoft.NET\56085415360792 | DllCommonsvc.exe |
| File created | C:\Program Files\Microsoft Games\SpiderSolitaire\en-US\7a0fd90576e088 | DllCommonsvc.exe |
| File created | C:\Program Files\Windows Journal\it-IT\powershell.exe | DllCommonsvc.exe |
| File created | C:\Program Files (x86)\Windows Sidebar\en-US\powershell.exe | DllCommonsvc.exe |
| File created | C:\Program Files (x86)\Windows Sidebar\en-US\e978f868350d50 | DllCommonsvc.exe |
Drops file in Windows directory 2 IoCs
| description | ioc | Process |
|---|---|---|
| File created | C:\Windows\Registration\CRMLog\56085415360792 | DllCommonsvc.exe |
| File created | C:\Windows\Registration\CRMLog\wininit.exe | DllCommonsvc.exe |
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
| description | ioc | Process |
|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_7e03fce2aff96eac0e51bcc0a64acf38694719090cbcf6fb3ed7c6269587e0e2.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe |
Scheduled Task/Job: Scheduled Task 1 TTPs 60 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
| pid | Process |
|---|---|

All 60 rows have Process schtasks.exe; the pid column, in report order: 2392, 2612, 1560, 320, 2024, 1616, 2936, 2640, 2832, 2600, 1324, 2408, 2884, 3044, 948, 2632, 2260, 2776, 2796, 1948, 1156, 2240, 1108, 844, 960, 2348, 2132, 2720, 2356, 1104, 832, 2968, 2784, 1540, 616, 1092, 2284, 1976, 2360, 284, 2152, 2424, 2812, 1824, 2212, 2332, 2508, 2872, 3064, 560, 2628, 1328, 952, 2960, 2736, 2852, 2380, 1220, 2928, 2944
Suspicious behavior: EnumeratesProcesses 41 IoCs
| pid | Process |
|---|---|
| 3008 | DllCommonsvc.exe |
| 2988 | powershell.exe |
| 2924 | powershell.exe |
| 1524 | powershell.exe |
| 1500 | powershell.exe |
| 1924 | DllCommonsvc.exe |
| 1924 | DllCommonsvc.exe |
| 1924 | DllCommonsvc.exe |
| 1924 | DllCommonsvc.exe |
| 1924 | DllCommonsvc.exe |
| 1924 | DllCommonsvc.exe |
| 1924 | DllCommonsvc.exe |
| 1924 | DllCommonsvc.exe |
| 1924 | DllCommonsvc.exe |
| 2092 | powershell.exe |
| 2148 | powershell.exe |
| 2416 | powershell.exe |
| 1280 | powershell.exe |
| 1380 | powershell.exe |
| 2428 | powershell.exe |
| 1812 | powershell.exe |
| 1508 | powershell.exe |
| 1980 | powershell.exe |
| 2984 | powershell.exe |
| 1692 | powershell.exe |
| 2120 | powershell.exe |
| 1088 | powershell.exe |
| 1500 | powershell.exe |
| 1784 | powershell.exe |
| 2176 | powershell.exe |
| 284 | powershell.exe |
| 1524 | powershell.exe |
| 3012 | powershell.exe |
| 1428 | powershell.exe |
| 2220 | powershell.exe |
| 2412 | powershell.exe |
| 1304 | powershell.exe |
| 1092 | powershell.exe |
| 2056 | powershell.exe |
| 3064 | powershell.exe |
| 700 | powershell.exe |
Suspicious use of AdjustPrivilegeToken 33 IoCs
| description | pid | Process |
|---|---|---|
| Token: SeDebugPrivilege | 3008 | DllCommonsvc.exe |
| Token: SeDebugPrivilege | 2988 | powershell.exe |
| Token: SeDebugPrivilege | 2924 | powershell.exe |
| Token: SeDebugPrivilege | 1524 | powershell.exe |
| Token: SeDebugPrivilege | 1500 | powershell.exe |
| Token: SeDebugPrivilege | 1924 | DllCommonsvc.exe |
| Token: SeDebugPrivilege | 2092 | powershell.exe |
| Token: SeDebugPrivilege | 2148 | powershell.exe |
| Token: SeDebugPrivilege | 2416 | powershell.exe |
| Token: SeDebugPrivilege | 1280 | powershell.exe |
| Token: SeDebugPrivilege | 1380 | powershell.exe |
| Token: SeDebugPrivilege | 2428 | powershell.exe |
| Token: SeDebugPrivilege | 1812 | powershell.exe |
| Token: SeDebugPrivilege | 1508 | powershell.exe |
| Token: SeDebugPrivilege | 1980 | powershell.exe |
| Token: SeDebugPrivilege | 2984 | powershell.exe |
| Token: SeDebugPrivilege | 1692 | powershell.exe |
| Token: SeDebugPrivilege | 2120 | powershell.exe |
| Token: SeDebugPrivilege | 1088 | powershell.exe |
| Token: SeDebugPrivilege | 1500 | powershell.exe |
| Token: SeDebugPrivilege | 1784 | powershell.exe |
| Token: SeDebugPrivilege | 2176 | powershell.exe |
| Token: SeDebugPrivilege | 284 | powershell.exe |
| Token: SeDebugPrivilege | 1524 | powershell.exe |
| Token: SeDebugPrivilege | 3012 | powershell.exe |
| Token: SeDebugPrivilege | 1428 | powershell.exe |
| Token: SeDebugPrivilege | 2220 | powershell.exe |
| Token: SeDebugPrivilege | 2412 | powershell.exe |
| Token: SeDebugPrivilege | 1304 | powershell.exe |
| Token: SeDebugPrivilege | 1092 | powershell.exe |
| Token: SeDebugPrivilege | 2056 | powershell.exe |
| Token: SeDebugPrivilege | 3064 | powershell.exe |
| Token: SeDebugPrivilege | 700 | powershell.exe |
Suspicious use of WriteProcessMemory 64 IoCs
| description | pid | pid_target | Process | procid_target |
|---|---|---|---|---|
| PID 2348 wrote to memory of 2244 | 2348 | 2244 | JaffaCakes118_7e03fce2aff96eac0e51bcc0a64acf38694719090cbcf6fb3ed7c6269587e0e2.exe | 29 |
| PID 2348 wrote to memory of 2244 | 2348 | 2244 | JaffaCakes118_7e03fce2aff96eac0e51bcc0a64acf38694719090cbcf6fb3ed7c6269587e0e2.exe | 29 |
| PID 2348 wrote to memory of 2244 | 2348 | 2244 | JaffaCakes118_7e03fce2aff96eac0e51bcc0a64acf38694719090cbcf6fb3ed7c6269587e0e2.exe | 29 |
| PID 2348 wrote to memory of 2244 | 2348 | 2244 | JaffaCakes118_7e03fce2aff96eac0e51bcc0a64acf38694719090cbcf6fb3ed7c6269587e0e2.exe | 29 |
| PID 2244 wrote to memory of 2944 | 2244 | 2944 | WScript.exe | 30 |
| PID 2244 wrote to memory of 2944 | 2244 | 2944 | WScript.exe | 30 |
| PID 2244 wrote to memory of 2944 | 2244 | 2944 | WScript.exe | 30 |
| PID 2244 wrote to memory of 2944 | 2244 | 2944 | WScript.exe | 30 |
| PID 2944 wrote to memory of 3008 | 2944 | 3008 | cmd.exe | 32 |
| PID 2944 wrote to memory of 3008 | 2944 | 3008 | cmd.exe | 32 |
| PID 2944 wrote to memory of 3008 | 2944 | 3008 | cmd.exe | 32 |
| PID 2944 wrote to memory of 3008 | 2944 | 3008 | cmd.exe | 32 |
| PID 3008 wrote to memory of 1500 | 3008 | 1500 | DllCommonsvc.exe | 43 |
| PID 3008 wrote to memory of 1500 | 3008 | 1500 | DllCommonsvc.exe | 43 |
| PID 3008 wrote to memory of 1500 | 3008 | 1500 | DllCommonsvc.exe | 43 |
| PID 3008 wrote to memory of 1524 | 3008 | 1524 | DllCommonsvc.exe | 44 |
| PID 3008 wrote to memory of 1524 | 3008 | 1524 | DllCommonsvc.exe | 44 |
| PID 3008 wrote to memory of 1524 | 3008 | 1524 | DllCommonsvc.exe | 44 |
| PID 3008 wrote to memory of 2988 | 3008 | 2988 | DllCommonsvc.exe | 45 |
| PID 3008 wrote to memory of 2988 | 3008 | 2988 | DllCommonsvc.exe | 45 |
| PID 3008 wrote to memory of 2988 | 3008 | 2988 | DllCommonsvc.exe | 45 |
| PID 3008 wrote to memory of 2924 | 3008 | 2924 | DllCommonsvc.exe | 46 |
| PID 3008 wrote to memory of 2924 | 3008 | 2924 | DllCommonsvc.exe | 46 |
| PID 3008 wrote to memory of 2924 | 3008 | 2924 | DllCommonsvc.exe | 46 |
| PID 3008 wrote to memory of 1924 | 3008 | 1924 | DllCommonsvc.exe | 51 |
| PID 3008 wrote to memory of 1924 | 3008 | 1924 | DllCommonsvc.exe | 51 |
| PID 3008 wrote to memory of 1924 | 3008 | 1924 | DllCommonsvc.exe | 51 |
| PID 1924 wrote to memory of 1088 | 1924 | 1088 | DllCommonsvc.exe | 103 |
| PID 1924 wrote to memory of 1088 | 1924 | 1088 | DllCommonsvc.exe | 103 |
| PID 1924 wrote to memory of 1088 | 1924 | 1088 | DllCommonsvc.exe | 103 |
| PID 1924 wrote to memory of 2416 | 1924 | 2416 | DllCommonsvc.exe | 104 |
| PID 1924 wrote to memory of 2416 | 1924 | 2416 | DllCommonsvc.exe | 104 |
| PID 1924 wrote to memory of 2416 | 1924 | 2416 | DllCommonsvc.exe | 104 |
| PID 1924 wrote to memory of 1380 | 1924 | 1380 | DllCommonsvc.exe | 105 |
| PID 1924 wrote to memory of 1380 | 1924 | 1380 | DllCommonsvc.exe | 105 |
| PID 1924 wrote to memory of 1380 | 1924 | 1380 | DllCommonsvc.exe | 105 |
| PID 1924 wrote to memory of 2428 | 1924 | 2428 | DllCommonsvc.exe | 106 |
| PID 1924 wrote to memory of 2428 | 1924 | 2428 | DllCommonsvc.exe | 106 |
| PID 1924 wrote to memory of 2428 | 1924 | 2428 | DllCommonsvc.exe | 106 |
| PID 1924 wrote to memory of 1812 | 1924 | 1812 | DllCommonsvc.exe | 108 |
| PID 1924 wrote to memory of 1812 | 1924 | 1812 | DllCommonsvc.exe | 108 |
| PID 1924 wrote to memory of 1812 | 1924 | 1812 | DllCommonsvc.exe | 108 |
| PID 1924 wrote to memory of 1692 | 1924 | 1692 | DllCommonsvc.exe | 110 |
| PID 1924 wrote to memory of 1692 | 1924 | 1692 | DllCommonsvc.exe | 110 |
| PID 1924 wrote to memory of 1692 | 1924 | 1692 | DllCommonsvc.exe | 110 |
| PID 1924 wrote to memory of 2148 | 1924 | 2148 | DllCommonsvc.exe | 111 |
| PID 1924 wrote to memory of 2148 | 1924 | 2148 | DllCommonsvc.exe | 111 |
| PID 1924 wrote to memory of 2148 | 1924 | 2148 | DllCommonsvc.exe | 111 |
| PID 1924 wrote to memory of 1508 | 1924 | 1508 | DllCommonsvc.exe | 112 |
| PID 1924 wrote to memory of 1508 | 1924 | 1508 | DllCommonsvc.exe | 112 |
| PID 1924 wrote to memory of 1508 | 1924 | 1508 | DllCommonsvc.exe | 112 |
| PID 1924 wrote to memory of 1500 | 1924 | 1500 | DllCommonsvc.exe | 113 |
| PID 1924 wrote to memory of 1500 | 1924 | 1500 | DllCommonsvc.exe | 113 |
| PID 1924 wrote to memory of 1500 | 1924 | 1500 | DllCommonsvc.exe | 113 |
| PID 1924 wrote to memory of 2092 | 1924 | 2092 | DllCommonsvc.exe | 114 |
| PID 1924 wrote to memory of 2092 | 1924 | 2092 | DllCommonsvc.exe | 114 |
| PID 1924 wrote to memory of 2092 | 1924 | 2092 | DllCommonsvc.exe | 114 |
| PID 1924 wrote to memory of 1784 | 1924 | 1784 | DllCommonsvc.exe | 115 |
| PID 1924 wrote to memory of 1784 | 1924 | 1784 | DllCommonsvc.exe | 115 |
| PID 1924 wrote to memory of 1784 | 1924 | 1784 | DllCommonsvc.exe | 115 |
| PID 1924 wrote to memory of 1980 | 1924 | 1980 | DllCommonsvc.exe | 116 |
| PID 1924 wrote to memory of 1980 | 1924 | 1980 | DllCommonsvc.exe | 116 |
| PID 1924 wrote to memory of 1980 | 1924 | 1980 | DllCommonsvc.exe | 116 |
| PID 1924 wrote to memory of 1280 | 1924 | 1280 | DllCommonsvc.exe | 117 |
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Process tree (nesting level in brackets; each entry lists image path, command line and the signatures that fired for it):

[1] PID 2348: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7e03fce2aff96eac0e51bcc0a64acf38694719090cbcf6fb3ed7c6269587e0e2.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7e03fce2aff96eac0e51bcc0a64acf38694719090cbcf6fb3ed7c6269587e0e2.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  [2] PID 2244: C:\Windows\SysWOW64\WScript.exe
    cmdline: "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    [3] PID 2944: C:\Windows\SysWOW64\cmd.exe
      cmdline: cmd /c ""C:\providercommon\1zu9dW.bat" "
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      [4] PID 3008: C:\providercommon\DllCommonsvc.exe
        cmdline: "C:\providercommon\DllCommonsvc.exe"
        - Executes dropped EXE
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        [5] PID 1500: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
        [5] PID 1524: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Games\SpiderSolitaire\en-US\explorer.exe'
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
        [5] PID 2988: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Registration\CRMLog\wininit.exe'
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
        [5] PID 2924: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Defender\WmiPrvSE.exe'
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
        [5] PID 1924: C:\providercommon\DllCommonsvc.exe
          cmdline: "C:\providercommon\DllCommonsvc.exe"
          - Executes dropped EXE
          - Drops file in Program Files directory
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          [6] PID 1088: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
          [6] PID 2416: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\Idle.exe'
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
          [6] PID 1380: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Journal\it-IT\powershell.exe'
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
          [6] PID 2428: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Mozilla Firefox\defaults\pref\winlogon.exe'
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
          [6] PID 1812: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dllhost.exe'
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
          [6] PID 1692: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\jdk1.7.0_80\db\conhost.exe'
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
          [6] PID 2148: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\powershell.exe'
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
          [6] PID 1508: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\en-US\powershell.exe'
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
          [6] PID 1500: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\lsm.exe'
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
          [6] PID 2092: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
          [6] PID 1784: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\services.exe'
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
          [6] PID 1980: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\jre7\lib\ext\winlogon.exe'
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
          [6] PID 1280: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\explorer.exe'
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
          [6] PID 2984: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\powershell.exe'
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
          [6] PID 2120: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Music\Sample Music\powershell.exe'
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
          [6] PID 1524: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\wininit.exe'
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
          [6] PID 2176: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\powershell.exe'
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
          [6] PID 284: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\System.exe'
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
          [6] PID 596: C:\Windows\System32\cmd.exe
            cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kVP3bMu5ML.bat"
            [7] PID 2412: C:\Windows\system32\w32tm.exe
              cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
            [7] PID 3012: C:\Program Files\Windows Journal\it-IT\powershell.exe
              cmdline: "C:\Program Files\Windows Journal\it-IT\powershell.exe"
              - Executes dropped EXE
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
              [8] PID 1180: C:\Windows\System32\cmd.exe
                cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sT6xLp4JQ8.bat"
                [9] PID 2924: C:\Windows\system32\w32tm.exe
                  cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                [9] PID 1428: C:\Program Files\Windows Journal\it-IT\powershell.exe
                  cmdline: "C:\Program Files\Windows Journal\it-IT\powershell.exe"
                  - Executes dropped EXE
                  - Suspicious behavior: EnumeratesProcesses
                  - Suspicious use of AdjustPrivilegeToken
                  [10] PID 3020: C:\Windows\System32\cmd.exe
                    cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jI650TZYhJ.bat"
                    [11] PID 1240: C:\Windows\system32\w32tm.exe
                      cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                    [11] PID 2220: C:\Program Files\Windows Journal\it-IT\powershell.exe
                      cmdline: "C:\Program Files\Windows Journal\it-IT\powershell.exe"
                      - Executes dropped EXE
                      - Suspicious behavior: EnumeratesProcesses
                      - Suspicious use of AdjustPrivilegeToken
                      [12] PID 1924: C:\Windows\System32\cmd.exe
                        cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\X8VSEkwS9E.bat"
                        [13] PID 284: C:\Windows\system32\w32tm.exe
                          cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                        [13] PID 2412: C:\Program Files\Windows Journal\it-IT\powershell.exe
                          cmdline: "C:\Program Files\Windows Journal\it-IT\powershell.exe"
                          - Executes dropped EXE
                          - Suspicious behavior: EnumeratesProcesses
                          - Suspicious use of AdjustPrivilegeToken
                          [14] PID 2668: C:\Windows\System32\cmd.exe
                            cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\a4RGbRhdNM.bat"
                            [15] PID 1192: C:\Windows\system32\w32tm.exe
                              cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                            [15] PID 1304: C:\Program Files\Windows Journal\it-IT\powershell.exe
                              cmdline: "C:\Program Files\Windows Journal\it-IT\powershell.exe"
                              - Executes dropped EXE
                              - Suspicious behavior: EnumeratesProcesses
                              - Suspicious use of AdjustPrivilegeToken
                              [16] PID 272: C:\Windows\System32\cmd.exe
                                cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HAQQp9H1T4.bat"
                                [17] PID 2920: C:\Windows\system32\w32tm.exe
                                  cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                [17] PID 1092: C:\Program Files\Windows Journal\it-IT\powershell.exe
                                  cmdline: "C:\Program Files\Windows Journal\it-IT\powershell.exe"
                                  - Executes dropped EXE
                                  - Suspicious behavior: EnumeratesProcesses
                                  - Suspicious use of AdjustPrivilegeToken
                                  [18] PID 2072: C:\Windows\System32\cmd.exe
                                    cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VCTPXfsZqS.bat"
                                    [19] PID 1732: C:\Windows\system32\w32tm.exe
                                      cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                    [19] PID 2056: C:\Program Files\Windows Journal\it-IT\powershell.exe
                                      cmdline: "C:\Program Files\Windows Journal\it-IT\powershell.exe"
                                      - Executes dropped EXE
                                      - Suspicious behavior: EnumeratesProcesses
                                      - Suspicious use of AdjustPrivilegeToken
                                      [20] PID 2328: C:\Windows\System32\cmd.exe
                                        cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VeFqpJq3BV.bat"
                                        [21] PID 1532: C:\Windows\system32\w32tm.exe
                                          cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                        [21] PID 3064: C:\Program Files\Windows Journal\it-IT\powershell.exe
                                          cmdline: "C:\Program Files\Windows Journal\it-IT\powershell.exe"
                                          - Executes dropped EXE
                                          - Suspicious behavior: EnumeratesProcesses
                                          - Suspicious use of AdjustPrivilegeToken
                                          [22] PID 1316: C:\Windows\System32\cmd.exe
                                            cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vFDRBKGR2C.bat"
                                            [23] PID 680: C:\Windows\system32\w32tm.exe
                                              cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                            [23] PID 700: C:\Program Files\Windows Journal\it-IT\powershell.exe
                                              cmdline: "C:\Program Files\Windows Journal\it-IT\powershell.exe"
                                              - Executes dropped EXE
                                              - Suspicious behavior: EnumeratesProcesses
                                              - Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Games\SpiderSolitaire\en-US\explorer.exe'" /f
Depth 1 ⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2796
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\SpiderSolitaire\en-US\explorer.exe'" /rl HIGHEST /f
Depth 1 ⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2736
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Program Files\Microsoft Games\SpiderSolitaire\en-US\explorer.exe'" /rl HIGHEST /f
Depth 1 ⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2784
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Windows\Registration\CRMLog\wininit.exe'" /f
Depth 1 ⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2628
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\Registration\CRMLog\wininit.exe'" /rl HIGHEST /f
Depth 1 ⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2408
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Windows\Registration\CRMLog\wininit.exe'" /rl HIGHEST /f
Depth 1 ⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2720
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Defender\WmiPrvSE.exe'" /f
Depth 1 ⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2356
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\WmiPrvSE.exe'" /rl HIGHEST /f
Depth 1 ⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2212
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Defender\WmiPrvSE.exe'" /rl HIGHEST /f
Depth 1 ⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2360
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\Idle.exe'" /f
Depth 1 ⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:284
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\Idle.exe'" /rl HIGHEST /f
Depth 1 ⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2392
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\Idle.exe'" /rl HIGHEST /f
Depth 1 ⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:320
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Journal\it-IT\powershell.exe'" /f
Depth 1 ⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1948
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\it-IT\powershell.exe'" /rl HIGHEST /f
Depth 1 ⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2380
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Journal\it-IT\powershell.exe'" /rl HIGHEST /f
Depth 1 ⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1104
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Program Files\Mozilla Firefox\defaults\pref\winlogon.exe'" /f
Depth 1 ⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2508
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\defaults\pref\winlogon.exe'" /rl HIGHEST /f
Depth 1 ⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2612
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Program Files\Mozilla Firefox\defaults\pref\winlogon.exe'" /rl HIGHEST /f
Depth 1 ⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2152
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\providercommon\dllhost.exe'" /f
Depth 1 ⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1328
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
Depth 1 ⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1560
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
Depth 1 ⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1540
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Java\jdk1.7.0_80\db\conhost.exe'" /f
Depth 1 ⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:952
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Java\jdk1.7.0_80\db\conhost.exe'" /rl HIGHEST /f
Depth 1 ⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:616
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Java\jdk1.7.0_80\db\conhost.exe'" /rl HIGHEST /f
Depth 1 ⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:832
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 14 /tr "'C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\powershell.exe'" /f
Depth 1 ⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:948
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\powershell.exe'" /rl HIGHEST /f
Depth 1 ⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1156
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 6 /tr "'C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\powershell.exe'" /rl HIGHEST /f
Depth 1 ⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2632
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Sidebar\en-US\powershell.exe'" /f
Depth 1 ⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2024
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\en-US\powershell.exe'" /rl HIGHEST /f
Depth 1 ⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2240
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Sidebar\en-US\powershell.exe'" /rl HIGHEST /f
Depth 1 ⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1108
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Program Files\MSBuild\lsm.exe'" /f
Depth 1 ⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1220
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\MSBuild\lsm.exe'" /rl HIGHEST /f
Depth 1 ⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:844
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Program Files\MSBuild\lsm.exe'" /rl HIGHEST /f
Depth 1 ⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2260
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\providercommon\csrss.exe'" /f
Depth 1 ⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1616
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
Depth 1 ⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2600
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
Depth 1 ⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1824
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\services.exe'" /f
Depth 1 ⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2348
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\services.exe'" /rl HIGHEST /f
Depth 1 ⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2936
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\services.exe'" /rl HIGHEST /f
Depth 1 ⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2872
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Program Files\Java\jre7\lib\ext\winlogon.exe'" /f
Depth 1 ⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2884
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Java\jre7\lib\ext\winlogon.exe'" /rl HIGHEST /f
Depth 1 ⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2776
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Program Files\Java\jre7\lib\ext\winlogon.exe'" /rl HIGHEST /f
Depth 1 ⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1092
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\explorer.exe'" /f
Depth 1 ⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2284
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\explorer.exe'" /rl HIGHEST /f
Depth 1 ⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:960
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\explorer.exe'" /rl HIGHEST /f
Depth 1 ⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3044
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\powershell.exe'" /f
Depth 1 ⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3064
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\powershell.exe'" /rl HIGHEST /f
Depth 1 ⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2928
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\powershell.exe'" /rl HIGHEST /f
Depth 1 ⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2852
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Music\Sample Music\powershell.exe'" /f
Depth 1 ⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2960
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Users\Public\Music\Sample Music\powershell.exe'" /rl HIGHEST /f
Depth 1 ⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2640
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Music\Sample Music\powershell.exe'" /rl HIGHEST /f
Depth 1 ⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2968
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft.NET\wininit.exe'" /f
Depth 1 ⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2944
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\wininit.exe'" /rl HIGHEST /f
Depth 1 ⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2424
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft.NET\wininit.exe'" /rl HIGHEST /f
Depth 1 ⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1324
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\powershell.exe'" /f
Depth 1 ⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1976
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\powershell.exe'" /rl HIGHEST /f
Depth 1 ⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2332
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\powershell.exe'" /rl HIGHEST /f
Depth 1 ⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2812
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\System.exe'" /f
Depth 1 ⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2132
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
Depth 1 ⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:560
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
Depth 1 ⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2832
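The sixty task definitions above follow one template: a dropped copy of the RAT renamed after a Windows binary (explorer.exe, wininit.exe, csrss.exe, services.exe, powershell.exe and so on) is written to a directory where that binary never lives, then registered three times, once with a MINUTE trigger and /f, once with an ONLOGON trigger and /rl HIGHEST, and once more with a MINUTE trigger and /rl HIGHEST. The Python below is an added hunting example, not part of this report and not code from any sandbox or from the DcRat project: it parses schtasks /create command lines and process records, flags the masquerading target path, the short interval, the logon trigger and the highest run level, and separately flags the w32tm /stripchart /computer:localhost invocation that the .bat chain higher up uses as a pause between relaunches. The expected-directory baseline, the record format and the sample records (copied from the tree above, plus one constructed benign task as a control) are assumptions made for the example.

```python
"""Hunt heuristics for the persistence pattern in this report (added example, not part of
the sandbox output): schtasks /create entries that point a system-binary name at a
directory where that binary never lives, plus the w32tm /stripchart localhost call the
batch loader uses as a sleep between relaunches."""
import re
from pathlib import PureWindowsPath

# Binary names the sample borrows for its dropped copies (taken from the task list above).
SYSTEM_BINARY_NAMES = {
    "explorer.exe", "wininit.exe", "wmiprvse.exe", "idle.exe", "powershell.exe",
    "winlogon.exe", "dllhost.exe", "conhost.exe", "lsm.exe", "csrss.exe",
    "services.exe", "system.exe",
}
# Assumption: a stock Windows install; extend with your own baseline directories.
EXPECTED_DIRS = {
    r"c:\windows", r"c:\windows\system32", r"c:\windows\syswow64",
    r"c:\windows\system32\wbem", r"c:\windows\syswow64\wbem",
    r"c:\windows\system32\windowspowershell\v1.0",
    r"c:\windows\syswow64\windowspowershell\v1.0",
}
_OPT = re.compile(r'/(tn|sc|mo|tr|rl)\s+("[^"]*"|\S+)', re.IGNORECASE)
_W32TM_SLEEP = re.compile(r"w32tm(?:\.exe)?\s+/stripchart\s+/computer:localhost", re.IGNORECASE)


def parse_schtasks(cmdline):
    """Return the /tn /sc /mo /tr /rl values of a schtasks /create line, or None if not one."""
    if not re.search(r"schtasks(?:\.exe)?\s+/create", cmdline, re.IGNORECASE):
        return None
    opts = {}
    for key, val in _OPT.findall(cmdline):
        # /tr is quoted twice in this sample ("'C:\...\x.exe'"); peel both layers.
        opts[key.lower()] = val.strip('"').strip("'")
    return opts


def masquerades_system_binary(path):
    """True when the file name is a well-known system binary but its directory is not one
    where that binary is installed."""
    p = PureWindowsPath(path)
    return p.name.lower() in SYSTEM_BINARY_NAMES and str(p.parent).lower() not in EXPECTED_DIRS


def assess_schtasks(cmdline):
    """Findings for one schtasks /create command line; empty when nothing stands out."""
    opts = parse_schtasks(cmdline)
    if opts is None:
        return []
    findings = []
    target = opts.get("tr", "")
    if masquerades_system_binary(target):
        findings.append("masquerade:" + PureWindowsPath(target).name.lower())
    sched = opts.get("sc", "").upper()
    # schtasks defaults /mo to 1 when /sc MINUTE is given without it.
    if sched == "MINUTE" and int(opts.get("mo", "1")) <= 15:
        findings.append("short-interval:" + opts.get("mo", "1"))
    if sched == "ONLOGON":
        findings.append("onlogon")
    if opts.get("rl", "").upper() == "HIGHEST":
        findings.append("highest-rl")
    return findings


def is_w32tm_sleep(cmdline):
    """w32tm /stripchart against localhost has no time-sync purpose; the .bat chain above
    runs it purely to pause before relaunching the payload."""
    return bool(_W32TM_SLEEP.search(cmdline))


def hunt(records):
    """Map record index -> findings for every record (image path + command line) that
    trips at least one heuristic."""
    hits = {}
    for i, rec in enumerate(records):
        findings = assess_schtasks(rec["cmdline"])
        if is_w32tm_sleep(rec["cmdline"]):
            findings.append("w32tm-sleep")
        if masquerades_system_binary(rec["image"]):
            findings.append("dropped-masquerade:" + PureWindowsPath(rec["image"]).name.lower())
        if findings:
            hits[i] = findings
    return hits


# Constructed records: the first four are copied from this report's process tree, the
# last is a made-up benign task used as a control.
SAMPLE_RECORDS = [
    {"image": r"C:\Windows\system32\schtasks.exe",
     "cmdline": r'''schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Games\SpiderSolitaire\en-US\explorer.exe'" /f'''},
    {"image": r"C:\Windows\system32\schtasks.exe",
     "cmdline": r'''schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\SpiderSolitaire\en-US\explorer.exe'" /rl HIGHEST /f'''},
    {"image": r"C:\Windows\system32\w32tm.exe",
     "cmdline": "w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2"},
    {"image": r"C:\Program Files\Windows Journal\it-IT\powershell.exe",
     "cmdline": r'"C:\Program Files\Windows Journal\it-IT\powershell.exe"'},
    {"image": r"C:\Windows\system32\schtasks.exe",
     "cmdline": r'''schtasks.exe /create /tn "Backup" /sc DAILY /st 02:00 /tr "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"'''},
]

if __name__ == "__main__":
    for idx, found in hunt(SAMPLE_RECORDS).items():
        print(idx, SAMPLE_RECORDS[idx]["image"], found)
```

Run against real telemetry, feed it Sysmon event 1 or Security 4688 records with the same two fields; the masquerade check alone catches every task in this report, and the interval and run-level checks help rank the hits once the baseline of legitimate task creators is in.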
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B
MD5
b6ed05c8de264c27cb3a2952e0d306ab
SHA1
0f5b9be514036f0a596a2ee4679bf04af0590f95
SHA256
22cf1a81e89d7385e6dd5106f47cb7f0d3b41bb55302c4f14b2235088ccb17e2
SHA512
6807d923400a6d1559cf7547530cfb6e0298e1ef20e574804242f1ab2990c53096285ced3c186cc568b207f7fdc6cf033494a86e83cbb19ca8f84677f7e6342b
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B
MD5
695c42121e61cfa974ad7cb0275dc4dc
SHA1
c4a93586503a11027c71e1dfd99f9853521c2a4c
SHA256
74d474465b5276ee2b6ed1b37e0cd01f1a90c7797737bdbb150e70a53aaa2b69
SHA512
3070edfddee8b13d05d9fef906b1fee073185a65445ac2a2d2b4472cb1076122490ae74265763fe001bba579523b61cd080996c45a83c7f1217ddd2128572c4b
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B
MD5
48b07aa6c99a1f78306b57d84b72c3c8
SHA1
aecdb59fdf783611ba9752bc032c0ec3647531f7
SHA256
7e2249d5471d78d925c76937ca7b436d608908829b3c7240fc2f57397f88286a
SHA512
01aef596a943fb22478854a1cb206e4c6a9bfa17ab6a549c3558062a3df04d90962398ae70b001dac9d16835afa27cc9a6996fe4bef75a3d527389f92ca40023
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B
MD5
53d113df801a1555d6bf137caac2d7ce
SHA1
acd6a3fcf41469ad0d1498820704d910a02fbcea
SHA256
3b2fb470c7fd04df7f5de639404c0c6c5b2a681cf3778c229defb7ee781b2496
SHA512
7c700753c1a9b2bc8bc4a32e8e5485a912fa6532d678bacc36342a3be2369a0552ab36425cf808fad5fd418d324e49dbc541102857a9d5e9c333e53404177b97
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B
MD5
684ce922c8c37de5f2a160ce1595de28
SHA1
c3fcf17a06578b299f522734c777664ad0345b85
SHA256
515b7473027f824d0eed91413dae97a0a20c5b920b7ca5c14a0d54d0617869c7
SHA512
5f050f4619ff365d65ee9f1a0081b3687f43181104e4544bd9512fae8da3b140e12b07dc1167c8379cb7fc96d5670b858d01a8a6190ddcd80c7be660b549780b
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B
MD5
230b7d645c4fb00948f824625a31ff0f
SHA1
5ec3cf1609c41bfa788045bdef5ea05b9d82e499
SHA256
4c3e588e1dec4871ded19438493a066428686ea9b0e67cdfefd36dc2fad153d2
SHA512
6c5b79101ab9737c1ff074ac975f8a511c0a3ea0ba1e5e55c7da311e51368d1bdd9997c24f95b0ecf576be641101fffba3f1f30aefcb0bf9f3fbab127965d804
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B
MD5
3f285f446b35b968fca3f14183f4013e
SHA1
918fc011cdfd9fad9e9bde8bd4fc99d0953122dc
SHA256
911dc5e090dc8edac73efa0864a94107f55ecb524a4f9d826456a46d14bd7c22
SHA512
cd8221e2a8f4771c2bf005fc1b4c0e494d64e6d1fd568c4a6afdfaa9bb9eba2bcbf7e8e4c17db57d746cd72e08c964538300cf46609080d22c25f140e586be4d
-
Filesize
70KB
MD5
49aebf8cbd62d92ac215b2923fb1b9f5
SHA1
1723be06719828dda65ad804298d0431f6aff976
SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
218B
MD5
79d1aec3864ef9378b1e443f5ededfbb
SHA1
da5a25550e6468e23948228a9557401c79ffd9ac
SHA256
9a4a7b313f346fa3413c5492ecb2a1338529e0b651943f5a800741f7de992da2
SHA512
7f6a991205208bb974eb3e7b0ff19745895670f245e0781d084cf16d7c0c0e6028c80c2c16a3feb2c20829570bccf2d50f07f78d438f80b6be16ba0e73262d04
-
Filesize
181KB
MD5
4ea6026cf93ec6338144661bf1202cd1
SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
218B
MD5
ff63153b9b4c65263b55e74500df88be
SHA1
88099774f309f6f9153ffba8617ebab3d7a07e6a
SHA256
16d492dd55276cab6e390b00442e262e644269e1174474a5086e3720b2ad6b8f
SHA512
5f1e9f93345fc13edfaeda7db0c2019a798a80788fd75a747732d9e08147a1c8aab83f3cd9a5f87d00de14e6d3672967bde5e654af6e4677329b20c0d04e8708
-
Filesize
218B
MD5
501505c7df8c7e3b44d78888b7c984d7
SHA1
d728b285e05f4f5d5b7c0cd970ce80340dfcc190
SHA256
9b236306a22a1165e9c0ca1ceaccdd136d7e3944edff35722a9190b673ff78da
SHA512
d38590051a65a023a20aa6be063ad0ffb14fb0068b0b92bada7ea4ddcc64b88a66ca3ff33bca08e291ea1d8444a12c6e85eb1157b9e45afcfb43c51fcf7f0c3f
-
Filesize
218B
MD5
9bab4e35de15888cad689ef3bf7e3d3f
SHA1
6512741c0569327d2b8a67c7f99e2d7288050d41
SHA256
02155eeee497aafd5c70f75358538fcb025073bc12e5cfcef03a2c7e7677ee9d
SHA512
31203fa333814cc17e9ab60ee51c70a58f409a5c46665b1fb259c195ccef9563d8456c7edc153c04f2e432adf930554a6778b453e317f123928f67e57e8a2359
-
Filesize
218B
MD5
d9c7e7ea5d8dc4f67500e8e0b396ea30
SHA1
ebbe8c0bded6a35f43eda90be8bf459e56f599fa
SHA256
3bef2e0d815fa015a92c875d82596bc2be7940f3ce465703c0e1b70826e3e2c9
SHA512
5bf882da31163562cbfd2a3afa18f0ceed0f8abf242f697d932ddaf747ec7bc62322f4c6f80c2156baec23e864a296d52ba5cc8c46ea558c0a1adb615b3d6118
-
Filesize
218B
MD5
17baadae1fde3c6c4ad454c18f0d418c
SHA1
7eea18280647d295d393d8e9e336c98ac7dd2682
SHA256
9d5e8aba95c5c439536819d69ef66aca02627221c42ec465cf32e77a47727ab5
SHA512
9e913eb435548bd9f64b8a0e078323a8765ec0b04a294271518861e53a253a419c1bce565bd6533d84e6ae1dd3bbb3117e86eeffad5b3c8b9146f7afe2317ce6
-
Filesize
218B
MD5
5882a9574e788d6915dd61fc631c7176
SHA1
26e1af49a90a73d8c4a06443ea7deb66e22a404b
SHA256
6a2155dc84b08cc2191670e6b735d0ee52a95854668b67ce816c8b95484467ba
SHA512
e4f534dd3cf720f617b7ee9bb360ad58d3c0780b78b717fd6bf5ddff45c71aadee920160c9019e2bdb96a1d2cc380a158422c51830d60216278af19145c0a408
-
Filesize
218B
MD5
da5760fc4bc5406150f787114f338a28
SHA1
acff0541a211c3a57c0578e03237bf1d93e5ef78
SHA256
e1cd5d7f4322c9f7220408fc5ddbe29eea6ee89aed8b3481fd9fd155d3f9144a
SHA512
685fada63ea111378d8942c7baba00a4da017bcb7b1d92622ecd6d044f13a32bb1b728b571abeee414a1677e3a1baccd4b62ec3b1ad6b90d865b3f08ce97bc07
-
Filesize
218B
MD5
1057845872103b2324580f31d892d0a0
SHA1
79ffba7f5abb97c2fb8f3786ab5ae39cb9740e7d
SHA256
f9b674b24cc20439a9fd53037c63fdbe05a7305dbea0c23762a7c30a4936aef0
SHA512
e62233ee131084b34318fa3458340057c9403ece98430da011f0d8c6d6d9cae6af00c38a585247ae4745087ab5a33f8b1b8d453dd16e0188028923e63d1b7c42
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB
MD5
6ad8a28cc577674bb1535af95ae63f91
SHA1
71a6ef9853f1ecc8222c7e276867476728d2dac1
SHA256
15f64acefa3c9d4468e13911cc651e79550c129bc5a52e2db0c29dc8451b71a4
SHA512
ccd09a5ae41d0763382394a156868d0c10b2cdcebcfa5906cedf1f4bf43fba90b242eaaddb1b9188bb91a33986586481365eb1bd472dbe3987c73d0a65033e2e
-
Filesize
36B
MD5
6783c3ee07c7d151ceac57f1f9c8bed7
SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03
SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8
-
Filesize
197B
MD5
8088241160261560a02c84025d107592
SHA1
083121f7027557570994c9fc211df61730455bb5
SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478
-
Filesize
1.0MB
MD5
bd31e94b4143c4ce49c17d3af46bcad0
SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394