Analysis
- max time kernel: 141s
- max time network: 136s
- platform: windows7_x64
- resource: win7-20240708-en
- resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- submitted: 30/12/2024, 01:49
Behavioral task: behavioral1
- Sample: JaffaCakes118_38529abe4880de3780b945a4015d6f8a6da474d300f55e72dcfcdc9765dd9c04.exe
- Resource: win7-20240708-en
Behavioral task: behavioral2
- Sample: JaffaCakes118_38529abe4880de3780b945a4015d6f8a6da474d300f55e72dcfcdc9765dd9c04.exe
- Resource: win10v2004-20241007-en
General
- Target: JaffaCakes118_38529abe4880de3780b945a4015d6f8a6da474d300f55e72dcfcdc9765dd9c04.exe
- Size: 1.3MB
- MD5: 31cd6d1e3ad6e1f663f58cde4001cb19
- SHA1: e685f9a44bb921e0f4c34338b1a22dd3fd2230b2
- SHA256: 38529abe4880de3780b945a4015d6f8a6da474d300f55e72dcfcdc9765dd9c04
- SHA512: 70cf2ca610f251d94a98f06d358d2a1af31ba01836e7f2761bb1ff2c3b605035966d9c0d312f0575e67e6625f7e36bce3a8b3f1d54c17fcb6d1a16706d29aeca
- SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
- DcRat
  DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.
- Dcrat family
- Process spawned unexpected child process (51 IoCs)
  This typically indicates the parent process was compromised via an exploit or macro.
  description | pid | pid_target | Process | procid_target
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2072 | 2572 | schtasks.exe | 34
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2788 | 2572 | schtasks.exe | 34
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1212 | 2572 | schtasks.exe | 34
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2956 | 2572 | schtasks.exe | 34
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1592 | 2572 | schtasks.exe | 34
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1252 | 2572 | schtasks.exe | 34
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2412 | 2572 | schtasks.exe | 34
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3012 | 2572 | schtasks.exe | 34
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2380 | 2572 | schtasks.exe | 34
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2912 | 2572 | schtasks.exe | 34
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3068 | 2572 | schtasks.exe | 34
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2832 | 2572 | schtasks.exe | 34
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2796 | 2572 | schtasks.exe | 34
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2352 | 2572 | schtasks.exe | 34
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2420 | 2572 | schtasks.exe | 34
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2316 | 2572 | schtasks.exe | 34
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1208 | 2572 | schtasks.exe | 34
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1600 | 2572 | schtasks.exe | 34
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1712 | 2572 | schtasks.exe | 34
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2112 | 2572 | schtasks.exe | 34
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 480 | 2572 | schtasks.exe | 34
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2332 | 2572 | schtasks.exe | 34
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1880 | 2572 | schtasks.exe | 34
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 548 | 2572 | schtasks.exe | 34
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2124 | 2572 | schtasks.exe | 34
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2056 | 2572 | schtasks.exe | 34
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2184 | 2572 | schtasks.exe | 34
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1732 | 2572 | schtasks.exe | 34
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1348 | 2572 | schtasks.exe | 34
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1824 | 2572 | schtasks.exe | 34
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 844 | 2572 | schtasks.exe | 34
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 684 | 2572 | schtasks.exe | 34
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 568 | 2572 | schtasks.exe | 34
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2976 | 2572 | schtasks.exe | 34
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2104 | 2572 | schtasks.exe | 34
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1812 | 2572 | schtasks.exe | 34
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1972 | 2572 | schtasks.exe | 34
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2028 | 2572 | schtasks.exe | 34
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2064 | 2572 | schtasks.exe | 34
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1676 | 2572 | schtasks.exe | 34
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1316 | 2572 | schtasks.exe | 34
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2204 | 2572 | schtasks.exe | 34
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1936 | 2572 | schtasks.exe | 34
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3064 | 2572 | schtasks.exe | 34
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3024 | 2572 | schtasks.exe | 34
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1664 | 2572 | schtasks.exe | 34
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1520 | 2572 | schtasks.exe | 34
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2464 | 2572 | schtasks.exe | 34
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2280 | 2572 | schtasks.exe | 34
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2164 | 2572 | schtasks.exe | 34
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2128 | 2572 | schtasks.exe | 34
  resource | yara_rule
  behavioral1/files/0x0008000000016e1d-9.dat | dcrat
  behavioral1/memory/2988-13-0x00000000002C0000-0x00000000003D0000-memory.dmp | dcrat
  behavioral1/memory/1824-150-0x0000000000870000-0x0000000000980000-memory.dmp | dcrat
  behavioral1/memory/2128-210-0x0000000000960000-0x0000000000A70000-memory.dmp | dcrat
  behavioral1/memory/264-270-0x00000000002B0000-0x00000000003C0000-memory.dmp | dcrat
  behavioral1/memory/1152-330-0x0000000000C10000-0x0000000000D20000-memory.dmp | dcrat
  behavioral1/memory/2580-391-0x0000000000FF0000-0x0000000001100000-memory.dmp | dcrat
  behavioral1/memory/764-510-0x00000000011E0000-0x00000000012F0000-memory.dmp | dcrat
  behavioral1/memory/1884-629-0x0000000000100000-0x0000000000210000-memory.dmp | dcrat
- Command and Scripting Interpreter: PowerShell (1 TTP, 18 IoCs)
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
  pid | Process
  2324 | powershell.exe
  2792 | powershell.exe
  2860 | powershell.exe
  2712 | powershell.exe
  2720 | powershell.exe
  2600 | powershell.exe
  2552 | powershell.exe
  2076 | powershell.exe
  2968 | powershell.exe
  2644 | powershell.exe
  2856 | powershell.exe
  2748 | powershell.exe
  2700 | powershell.exe
  1900 | powershell.exe
  2780 | powershell.exe
  2756 | powershell.exe
  2432 | powershell.exe
  2664 | powershell.exe
- Executes dropped EXE (10 IoCs)
  pid | Process
  2988 | DllCommonsvc.exe
  1824 | csrss.exe
  2128 | csrss.exe
  264 | csrss.exe
  1152 | csrss.exe
  2580 | csrss.exe
  1868 | csrss.exe
  764 | csrss.exe
  1924 | csrss.exe
  1884 | csrss.exe
- Loads dropped DLL (2 IoCs)
  pid | Process
  2772 | cmd.exe
  2772 | cmd.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTP, 9 IoCs)
  flow | ioc
  29 | raw.githubusercontent.com
  4 | raw.githubusercontent.com
  12 | raw.githubusercontent.com
  15 | raw.githubusercontent.com
  19 | raw.githubusercontent.com
  5 | raw.githubusercontent.com
  9 | raw.githubusercontent.com
  22 | raw.githubusercontent.com
  26 | raw.githubusercontent.com
- Drops file in Program Files directory (15 IoCs)
  description | ioc | Process
  File created | C:\Program Files (x86)\Windows Photo Viewer\fr-FR\DllCommonsvc.exe | DllCommonsvc.exe
  File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\audiodg.exe | DllCommonsvc.exe
  File created | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\27d1bcfc3c54e0 | DllCommonsvc.exe
  File created | C:\Program Files (x86)\Microsoft Synchronization Services\OSPPSVC.exe | DllCommonsvc.exe
  File created | C:\Program Files (x86)\Adobe\f3b6ecef712a24 | DllCommonsvc.exe
  File created | C:\Program Files (x86)\Windows Photo Viewer\fr-FR\a76d7bf15d8370 | DllCommonsvc.exe
  File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\42af1c969fbb7b | DllCommonsvc.exe
  File created | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\System.exe | DllCommonsvc.exe
  File created | C:\Program Files (x86)\Windows Mail\088424020bedd6 | DllCommonsvc.exe
  File opened for modification | C:\Program Files (x86)\Adobe\spoolsv.exe | DllCommonsvc.exe
  File created | C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\System.exe | DllCommonsvc.exe
  File created | C:\Program Files (x86)\Adobe\spoolsv.exe | DllCommonsvc.exe
  File created | C:\Program Files (x86)\Microsoft Synchronization Services\1610b97d3ab4a7 | DllCommonsvc.exe
  File created | C:\Program Files (x86)\Windows Mail\conhost.exe | DllCommonsvc.exe
  File created | C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\27d1bcfc3c54e0 | DllCommonsvc.exe
- Drops file in Windows directory (5 IoCs)
  description | ioc | Process
  File created | C:\Windows\ehome\OSPPSVC.exe | DllCommonsvc.exe
  File created | C:\Windows\ehome\1610b97d3ab4a7 | DllCommonsvc.exe
  File created | C:\Windows\rescache\rc0006\audiodg.exe | DllCommonsvc.exe
  File created | C:\Windows\DigitalLocker\it-IT\services.exe | DllCommonsvc.exe
  File created | C:\Windows\DigitalLocker\it-IT\c5b4cb5e9653cc | DllCommonsvc.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim host in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_38529abe4880de3780b945a4015d6f8a6da474d300f55e72dcfcdc9765dd9c04.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
- Scheduled Task/Job: Scheduled Task (1 TTP, 51 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  1676 | schtasks.exe
  2204 | schtasks.exe
  2128 | schtasks.exe
  1208 | schtasks.exe
  480 | schtasks.exe
  684 | schtasks.exe
  2124 | schtasks.exe
  2976 | schtasks.exe
  2064 | schtasks.exe
  1936 | schtasks.exe
  2464 | schtasks.exe
  2072 | schtasks.exe
  1592 | schtasks.exe
  2352 | schtasks.exe
  1600 | schtasks.exe
  1712 | schtasks.exe
  3024 | schtasks.exe
  2280 | schtasks.exe
  2788 | schtasks.exe
  1252 | schtasks.exe
  2912 | schtasks.exe
  2316 | schtasks.exe
  1880 | schtasks.exe
  2104 | schtasks.exe
  1212 | schtasks.exe
  3068 | schtasks.exe
  2796 | schtasks.exe
  2056 | schtasks.exe
  1732 | schtasks.exe
  1348 | schtasks.exe
  1824 | schtasks.exe
  1812 | schtasks.exe
  2380 | schtasks.exe
  2832 | schtasks.exe
  2112 | schtasks.exe
  1972 | schtasks.exe
  1664 | schtasks.exe
  2028 | schtasks.exe
  1316 | schtasks.exe
  2332 | schtasks.exe
  548 | schtasks.exe
  2184 | schtasks.exe
  844 | schtasks.exe
  568 | schtasks.exe
  2956 | schtasks.exe
  3012 | schtasks.exe
  2420 | schtasks.exe
  3064 | schtasks.exe
  2412 | schtasks.exe
  1520 | schtasks.exe
  2164 | schtasks.exe
- Suspicious behavior: EnumeratesProcesses (32 IoCs)
  pid | Process
  2988 | DllCommonsvc.exe
  2988 | DllCommonsvc.exe
  2988 | DllCommonsvc.exe
  2988 | DllCommonsvc.exe
  2988 | DllCommonsvc.exe
  2700 | powershell.exe
  2860 | powershell.exe
  1900 | powershell.exe
  2432 | powershell.exe
  2600 | powershell.exe
  2968 | powershell.exe
  2712 | powershell.exe
  2756 | powershell.exe
  2552 | powershell.exe
  2780 | powershell.exe
  2792 | powershell.exe
  2324 | powershell.exe
  2644 | powershell.exe
  2664 | powershell.exe
  2748 | powershell.exe
  2856 | powershell.exe
  2076 | powershell.exe
  2720 | powershell.exe
  1824 | csrss.exe
  2128 | csrss.exe
  264 | csrss.exe
  1152 | csrss.exe
  2580 | csrss.exe
  1868 | csrss.exe
  764 | csrss.exe
  1924 | csrss.exe
  1884 | csrss.exe
- Suspicious use of AdjustPrivilegeToken (28 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2988 | DllCommonsvc.exe
  Token: SeDebugPrivilege | 2700 | powershell.exe
  Token: SeDebugPrivilege | 2860 | powershell.exe
  Token: SeDebugPrivilege | 1900 | powershell.exe
  Token: SeDebugPrivilege | 2432 | powershell.exe
  Token: SeDebugPrivilege | 2600 | powershell.exe
  Token: SeDebugPrivilege | 2968 | powershell.exe
  Token: SeDebugPrivilege | 2712 | powershell.exe
  Token: SeDebugPrivilege | 2756 | powershell.exe
  Token: SeDebugPrivilege | 2552 | powershell.exe
  Token: SeDebugPrivilege | 2780 | powershell.exe
  Token: SeDebugPrivilege | 2792 | powershell.exe
  Token: SeDebugPrivilege | 2324 | powershell.exe
  Token: SeDebugPrivilege | 2644 | powershell.exe
  Token: SeDebugPrivilege | 2664 | powershell.exe
  Token: SeDebugPrivilege | 2748 | powershell.exe
  Token: SeDebugPrivilege | 2856 | powershell.exe
  Token: SeDebugPrivilege | 2076 | powershell.exe
  Token: SeDebugPrivilege | 2720 | powershell.exe
  Token: SeDebugPrivilege | 1824 | csrss.exe
  Token: SeDebugPrivilege | 2128 | csrss.exe
  Token: SeDebugPrivilege | 264 | csrss.exe
  Token: SeDebugPrivilege | 1152 | csrss.exe
  Token: SeDebugPrivilege | 2580 | csrss.exe
  Token: SeDebugPrivilege | 1868 | csrss.exe
  Token: SeDebugPrivilege | 764 | csrss.exe
  Token: SeDebugPrivilege | 1924 | csrss.exe
  Token: SeDebugPrivilege | 1884 | csrss.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  description | pid | Process | procid_target
  PID 1900 wrote to memory of 2708 | 1900 | JaffaCakes118_38529abe4880de3780b945a4015d6f8a6da474d300f55e72dcfcdc9765dd9c04.exe | 30
  PID 1900 wrote to memory of 2708 | 1900 | JaffaCakes118_38529abe4880de3780b945a4015d6f8a6da474d300f55e72dcfcdc9765dd9c04.exe | 30
  PID 1900 wrote to memory of 2708 | 1900 | JaffaCakes118_38529abe4880de3780b945a4015d6f8a6da474d300f55e72dcfcdc9765dd9c04.exe | 30
  PID 1900 wrote to memory of 2708 | 1900 | JaffaCakes118_38529abe4880de3780b945a4015d6f8a6da474d300f55e72dcfcdc9765dd9c04.exe | 30
  PID 2708 wrote to memory of 2772 | 2708 | WScript.exe | 31
  PID 2708 wrote to memory of 2772 | 2708 | WScript.exe | 31
  PID 2708 wrote to memory of 2772 | 2708 | WScript.exe | 31
  PID 2708 wrote to memory of 2772 | 2708 | WScript.exe | 31
  PID 2772 wrote to memory of 2988 | 2772 | cmd.exe | 33
  PID 2772 wrote to memory of 2988 | 2772 | cmd.exe | 33
  PID 2772 wrote to memory of 2988 | 2772 | cmd.exe | 33
  PID 2772 wrote to memory of 2988 | 2772 | cmd.exe | 33
  PID 2988 wrote to memory of 2756 | 2988 | DllCommonsvc.exe | 86
  PID 2988 wrote to memory of 2756 | 2988 | DllCommonsvc.exe | 86
  PID 2988 wrote to memory of 2756 | 2988 | DllCommonsvc.exe | 86
  PID 2988 wrote to memory of 2700 | 2988 | DllCommonsvc.exe | 87
  PID 2988 wrote to memory of 2700 | 2988 | DllCommonsvc.exe | 87
  PID 2988 wrote to memory of 2700 | 2988 | DllCommonsvc.exe | 87
  PID 2988 wrote to memory of 1900 | 2988 | DllCommonsvc.exe | 88
  PID 2988 wrote to memory of 1900 | 2988 | DllCommonsvc.exe | 88
  PID 2988 wrote to memory of 1900 | 2988 | DllCommonsvc.exe | 88
  PID 2988 wrote to memory of 2644 | 2988 | DllCommonsvc.exe | 89
  PID 2988 wrote to memory of 2644 | 2988 | DllCommonsvc.exe | 89
  PID 2988 wrote to memory of 2644 | 2988 | DllCommonsvc.exe | 89
  PID 2988 wrote to memory of 2856 | 2988 | DllCommonsvc.exe | 90
  PID 2988 wrote to memory of 2856 | 2988 | DllCommonsvc.exe | 90
  PID 2988 wrote to memory of 2856 | 2988 | DllCommonsvc.exe | 90
  PID 2988 wrote to memory of 2780 | 2988 | DllCommonsvc.exe | 91
  PID 2988 wrote to memory of 2780 | 2988 | DllCommonsvc.exe | 91
  PID 2988 wrote to memory of 2780 | 2988 | DllCommonsvc.exe | 91
  PID 2988 wrote to memory of 2432 | 2988 | DllCommonsvc.exe | 92
  PID 2988 wrote to memory of 2432 | 2988 | DllCommonsvc.exe | 92
  PID 2988 wrote to memory of 2432 | 2988 | DllCommonsvc.exe | 92
  PID 2988 wrote to memory of 2792 | 2988 | DllCommonsvc.exe | 93
  PID 2988 wrote to memory of 2792 | 2988 | DllCommonsvc.exe | 93
  PID 2988 wrote to memory of 2792 | 2988 | DllCommonsvc.exe | 93
  PID 2988 wrote to memory of 2748 | 2988 | DllCommonsvc.exe | 94
  PID 2988 wrote to memory of 2748 | 2988 | DllCommonsvc.exe | 94
  PID 2988 wrote to memory of 2748 | 2988 | DllCommonsvc.exe | 94
  PID 2988 wrote to memory of 2860 | 2988 | DllCommonsvc.exe | 96
  PID 2988 wrote to memory of 2860 | 2988 | DllCommonsvc.exe | 96
  PID 2988 wrote to memory of 2860 | 2988 | DllCommonsvc.exe | 96
  PID 2988 wrote to memory of 2712 | 2988 | DllCommonsvc.exe | 97
  PID 2988 wrote to memory of 2712 | 2988 | DllCommonsvc.exe | 97
  PID 2988 wrote to memory of 2712 | 2988 | DllCommonsvc.exe | 97
  PID 2988 wrote to memory of 2720 | 2988 | DllCommonsvc.exe | 98
  PID 2988 wrote to memory of 2720 | 2988 | DllCommonsvc.exe | 98
  PID 2988 wrote to memory of 2720 | 2988 | DllCommonsvc.exe | 98
  PID 2988 wrote to memory of 2664 | 2988 | DllCommonsvc.exe | 99
  PID 2988 wrote to memory of 2664 | 2988 | DllCommonsvc.exe | 99
  PID 2988 wrote to memory of 2664 | 2988 | DllCommonsvc.exe | 99
  PID 2988 wrote to memory of 2600 | 2988 | DllCommonsvc.exe | 100
  PID 2988 wrote to memory of 2600 | 2988 | DllCommonsvc.exe | 100
  PID 2988 wrote to memory of 2600 | 2988 | DllCommonsvc.exe | 100
  PID 2988 wrote to memory of 2552 | 2988 | DllCommonsvc.exe | 101
  PID 2988 wrote to memory of 2552 | 2988 | DllCommonsvc.exe | 101
  PID 2988 wrote to memory of 2552 | 2988 | DllCommonsvc.exe | 101
  PID 2988 wrote to memory of 2076 | 2988 | DllCommonsvc.exe | 102
  PID 2988 wrote to memory of 2076 | 2988 | DllCommonsvc.exe | 102
  PID 2988 wrote to memory of 2076 | 2988 | DllCommonsvc.exe | 102
  PID 2988 wrote to memory of 2324 | 2988 | DllCommonsvc.exe | 103
  PID 2988 wrote to memory of 2324 | 2988 | DllCommonsvc.exe | 103
  PID 2988 wrote to memory of 2324 | 2988 | DllCommonsvc.exe | 103
  PID 2988 wrote to memory of 2968 | 2988 | DllCommonsvc.exe | 104
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (tree depth in brackets)

[1] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_38529abe4880de3780b945a4015d6f8a6da474d300f55e72dcfcdc9765dd9c04.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_38529abe4880de3780b945a4015d6f8a6da474d300f55e72dcfcdc9765dd9c04.exe"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 1900

[2] C:\Windows\SysWOW64\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 2708

[3] C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c ""C:\providercommon\1zu9dW.bat" "
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 2772

[4] C:\providercommon\DllCommonsvc.exe
    Command line: "C:\providercommon\DllCommonsvc.exe"
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 2988
[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2756

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\spoolsv.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2700

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ehome\OSPPSVC.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1900

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\sppsvc.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2644

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\DllCommonsvc.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2856

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\services.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2780

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\audiodg.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2432

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\csrss.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2792

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2748

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\services.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2860

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\SendTo\wininit.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2712

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Desktop\spoolsv.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2720

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\System.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2664

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Synchronization Services\OSPPSVC.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2600

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\conhost.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2552

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\DigitalLocker\it-IT\services.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2076

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\sppsvc.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2324

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\System.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2968
[5] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TdvQL68WQX.bat"
    PID: 2308

[6] C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 1160

[6] C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe
    Command line: "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1824

[7] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qqpXlQnQd1.bat"
    PID: 2104

[8] C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 2728

[8] C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe
    Command line: "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2128

[9] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5eI0Zh92hY.bat"
    PID: 2416

[10] C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 2940

[10] C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe
    Command line: "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 264

[11] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MsSi1KDKJG.bat"
    PID: 2112

[12] C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 1760

[12] C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe
    Command line: "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1152

[13] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hfpeQ4JfvC.bat"
    PID: 1548

[14] C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 940

[14] C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe
    Command line: "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2580

[15] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QLPJAVlmCt.bat"
    PID: 2916

[16] C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 3004

[16] C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe
    Command line: "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1868

[17] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oYNvu0ZNBR.bat"
    PID: 3036

[18] C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 2244

[18] C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe
    Command line: "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 764

[19] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hJP5Gj8VmP.bat"
    PID: 1956

[20] C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 1808

[20] C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe
    Command line: "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1924

[21] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kUVpzpaF2i.bat"
    PID: 2548

[22] C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 2400

[22] C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe
    Command line: "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1884
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Adobe\spoolsv.exe'" /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2072

[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\spoolsv.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2788

[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Adobe\spoolsv.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 1212

[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\Windows\ehome\OSPPSVC.exe'" /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2956

[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Windows\ehome\OSPPSVC.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 1592

[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\Windows\ehome\OSPPSVC.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 1252

[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\sppsvc.exe'" /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2412

[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\sppsvc.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 3012

[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\sppsvc.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2380

[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\DllCommonsvc.exe'" /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2912

[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\DllCommonsvc.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 3068

[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\DllCommonsvc.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2832

[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\services.exe'" /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2796

[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Default User\services.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2352

[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\services.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2420

[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\audiodg.exe'" /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2316

[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\audiodg.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1208
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1600
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1712
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2112
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:480
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2332
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1880
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:548
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\providercommon\services.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2124
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2056
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2184
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Users\Default\SendTo\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1732
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Default\SendTo\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1348
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Users\Default\SendTo\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1824
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Desktop\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:844
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\All Users\Desktop\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:684
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Desktop\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:568
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\System.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2976
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2104
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1812
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\OSPPSVC.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1972
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2028
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2064
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Mail\conhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1676
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1316
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Mail\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2204
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Windows\DigitalLocker\it-IT\services.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1936
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\DigitalLocker\it-IT\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3064
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Windows\DigitalLocker\it-IT\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3024
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1664
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1520
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2464
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\System.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2280
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2164
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2128
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 632d3a98bfc6cfaff5643a484673d92e
SHA1: 72974a34f36ee8ff9c6d20c52036cfca37f264ec
SHA256: 8892d8c715d499527a534040d28c68a36c8346d9c21df21f845b7bc6378f80f5
SHA512: 8e7894fb79488cf7bf24e228bda413693c022cbf75277be56afb7ee8a77b87c296ef0f0817fd619ea9c984f5e9db797bba82563bfcef665bdc5bfcd04e7b4023
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: f19f9ef308740b9925bd40fd8e9b88ab
SHA1: 9644fd7e1df5b13df453eaa8e0941cb0d76d569a
SHA256: a6807d701bc8bb4a7db9989995e055586c657e81a545666581d8ae7ab1974902
SHA512: 2ec967bf78fc2cd6ef93c08d25999219ea970b885966e7aafc378f479c88f2fd6f2ffea87b075a65bc59c72d56d02daeb6a5e8005b64f625b074082d44cacbcf
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 31829ded67aa96f0e05b041e3f92ab6e
SHA1: 349a2bfd9c762b1d47d6f271066a2cdeb7fa2fe8
SHA256: c16aa2b385c46cb1095684fd1d86985b0aa925c9b2b712ac4abc6b4a075ad103
SHA512: df981f2e3afad54104e6af33a6ac6706ed60e4205c87d122b31f71045350ed11f6a15902339055ae770ef8117ee0db9c186ce0f2eea38aef356dab961238e8ac
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 966c2dbec10315632bcec791298144b0
SHA1: 0af216b37866b032c5df25a919fcfbc534bbd888
SHA256: 697639d8389766745162b0334f6dbad422ac5118fdbd986c15c307db51cb309b
SHA512: 6ee78e8cdd1d752709e13249ee440e07a262b96fe093e0dc8258feb3f327fb188a7208d7d683d7bda2979852429d2ed6032088a198e3c1047eb1b97d390a65b9
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: c0934006a797e92bf6b4e26fbd25e8d3
SHA1: 2fee85dfeec07c9ab5df04b90a381fb7c88c1321
SHA256: a61dadb0f2a3a7ee4a7985028361bda32f729b50a5dc3ec0db410506c1812616
SHA512: bb0e3936f735f4edcd6229c6a49fa92cef8e32bc7b3b04988a986d5e59876ad96a3bdf733a301bc633b16ca671d0ecfa6b65688570b673b90a7c7787d1a239b1
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 6d210a677ae83a54bed4c1addcc1f508
SHA1: bd52e5ffb46df5b1cc75f944473579c439a6ae8b
SHA256: 83f6127891411af38b8f25cd6789e6720236c2eb7f90af4dfd99db0b869e7e16
SHA512: 2ab073379dddfe2438116ed33ac111f5008c197fdac09c39d52cabb865158a83f8d0fcd14cb5f8f833b1fa98b0734c1ba89fd4ea268d305dbf9150b5d9e6c981
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: e774e32abba504f418f9c392b93d9cf0
SHA1: 1ffebd65c622b579ea958255ad25dcc5cdbe005b
SHA256: ff5512a3386e6f77c94ce931a33b36fbe4fc450f2e0d13f905c00df914686584
SHA512: 145e938eb08b2d729858f3da5a1092805aaeef10321786697dbc13f3d74040da53be2a0da3f5a2090f5656789b659093facbc3a50a68aacd25f7d828e77dc913
-
Filesize: 246B
MD5: d9aed5e720fc264c40bf0a5cd1b1a119
SHA1: 49ed171691c8cc7e404d3f0390292c262e96fbc5
SHA256: 221ac36ef9cedb17dd47a96670f2460b1381a382a531087da9a0a5799f786ef2
SHA512: 6672334b3a6f55568d0d0049955cb1ec8bf1745abc588e661fc766f98b4ce1536b97ea2cf7d606a7e1a641f513d1b8deff819ea6caf2c7732a713db0b9eb1f66
-
Filesize: 70KB
MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1: 1723be06719828dda65ad804298d0431f6aff976
SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize: 246B
MD5: 66a764f61eb8fc2db47985a3a9dde0aa
SHA1: ee4f5bc2f488649e8b351e3bfeb28b3a1c9962c4
SHA256: 2dce675c63aadd131dd09a8ce5f87ab4a4e9b06de013bad490727fe27d14e5a9
SHA512: 9e9e78d1d2553af64a7ac681b64f838d35df3377237deb324d3fb491c06fc2576dc63c69f911a07517bf4ad5215a0443e0eff8fe25b9f3fd3c5b6fb87409e6ea
-
Filesize: 246B
MD5: b961b76d1d54d41df78b65365a2014a4
SHA1: b0623f00ed3bdff08f189159d05dac8096add1ec
SHA256: 7611347e6c55a917331892272be0fb31393cfc5aca008e4d2c176c9372fa72d4
SHA512: 41e222dc01678fb1f4954e807ad26ff470d8c03d801e7161e4262ba376555108479230b2ecb79965a8ce5352ff15c7814ab04124baf6255ea88ec8c617870776
-
Filesize: 181KB
MD5: 4ea6026cf93ec6338144661bf1202cd1
SHA1: a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256: 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512: 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize: 246B
MD5: 12fd04a2b286a331afd74ae2351ad5fb
SHA1: fa70385cb5cea73445f42e5f983b0b86a27d8199
SHA256: 9559241758f39b8316be96829809368ed5596abcff21122183257e0fc3ac70d7
SHA512: 50f658fb253f4ac9bcb7bcda441316adee54bbf56ae0dee2747c4df5bc4ae93f951938dd91a78b05aeb6cee0b85155445cb6d27e64205d9e9b6825a1c2b0d65d
-
Filesize: 246B
MD5: 586b87feb3e214a187c07c829009e5ab
SHA1: bb93f38202f1d2edcd4a10cb423aa486de27b89a
SHA256: 7a62e9335c236d634e2570a87bea42d8ea332b6a8c81fd94b280c49ae80fd80f
SHA512: 15effaec8ebe237b2d4564dc73c27d6401e644e676c740566cd588bcd0ddf50f43c13a60b08e24a0cde8c3c7a2b7a19254b5effa53c13723af3f516b7da8f66c
-
Filesize: 246B
MD5: a8c1d50cd2dde414c132911b58d12e91
SHA1: 0c397388383055c87114950bc8ab17c61fdec591
SHA256: 7b0d1a470f1e1c3452fed0aead52b45a6fdc9bb18c605b295c43316f2562fbde
SHA512: 9e9d1f2cac78e5cce620edf2c8832d309b917266f4f21df81b64ba85247fb5d9a9f082532636f948f2cefc79114ee385beac15a5833bafb035d8e6c1fab03a45
-
Filesize: 246B
MD5: 2a6566155144eee9108a7e515030e28a
SHA1: 9ff641fe474e8a0544b285b6002bbe02abb65d29
SHA256: 1c93097e752c9e410921fcc660f55fafa807e13968e7624c5560c18fe12f8ae1
SHA512: 4c29de08a2e86d05366b9301e45ddcdd99cf4d5f6722aa7ea281bc8a570af2c5b2cb717bf6ede091daf69e4c680e465b30651d3611e297b35370b00f12803200
-
Filesize: 246B
MD5: cd7b5ffa115c6b813dc834fc71ed7c4b
SHA1: b045267d7c60ee56826b763d794c759e344ac7c6
SHA256: ccfab1a288a34085aad6a02e280a9d10c6f155f9a13a998eeb7699603cc3c945
SHA512: 5f9b87f2b05ffff4c702cb780514b15a7a75469bcd07c4ed71b0e889a934210e156465579496bbdc473f0645d67ebe2c1d4a974a8854e2e232bb26e661f72138
-
Filesize: 246B
MD5: ee16c0d79b3ed8ae2f5a15a928eba92a
SHA1: 7a036489989c77013535e66bf57e25a1efef047f
SHA256: eebacbe44c9b3211d29b8106a3f2bf855021185bcdffd8ca82b36696602b7c80
SHA512: 8e3d05e27bdd87bc825a41a0656dc56ee46c5de7ed220bb6fe102a595aeb71c0bb79e386a1ee9f3d6ed2f38525f23d3e25b9372ddd4b9acc7dfd3d155b8d0a50
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize: 7KB
MD5: 49d52b4d692fd368dcb93fbfd967ed3c
SHA1: b0e155faf25feb334ddad4225220ea5477560d4c
SHA256: 338289d1c9b6756726b3d02b708eff36f16b3971ca2241b6debc4c92139ff18c
SHA512: b457d7b1ca07c7a3f3e3b0f42b0cf46c65bb600bada008c55ec489d7a6a19c35795de7afd15fda7c66f25cf3d1b1d064e1215f7599c2b38ba6482cce096f9b10
-
Filesize: 36B
MD5: 6783c3ee07c7d151ceac57f1f9c8bed7
SHA1: 17468f98f95bf504cc1f83c49e49a78526b3ea03
SHA256: 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512: c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8
-
Filesize: 197B
MD5: 8088241160261560a02c84025d107592
SHA1: 083121f7027557570994c9fc211df61730455bb5
SHA256: 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA512: 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478
-
Filesize: 1.0MB
MD5: bd31e94b4143c4ce49c17d3af46bcad0
SHA1: f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256: b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512: f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394