Analysis
Max time kernel: 150s
Max time network: 148s
Platform: windows7_x64
Resource: win7-20240903-en
Resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
Submitted: 30/12/2024, 02:32

Behavioral task: behavioral1
Sample: JaffaCakes118_6417f15f0e04496200e688dd9e4782b82f0cc9e76a3167a259dc2cf25face837.exe
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: JaffaCakes118_6417f15f0e04496200e688dd9e4782b82f0cc9e76a3167a259dc2cf25face837.exe
Resource: win10v2004-20241007-en

General
Target: JaffaCakes118_6417f15f0e04496200e688dd9e4782b82f0cc9e76a3167a259dc2cf25face837.exe
Size: 1.3MB
MD5: 5b52884d4c704aa839b386beefdf6d30
SHA1: 5eab9bc8fb34c5e024d4cb6e1234ba0f4a6c3e6d
SHA256: 6417f15f0e04496200e688dd9e4782b82f0cc9e76a3167a259dc2cf25face837
SHA512: ff3354401c7a2f3fac284dcf72bad3b67c4de49fca3849003895798a347ca484b6503132f7b1807a106af6ec4e635dfc07caf6d9f5d2083de5e6e79005d0ba8c
SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures

DcRat
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

Dcrat family

Process spawned unexpected child process (51 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
Yara rule matches (resource | yara_rule):
behavioral1/files/0x0008000000014bda-9.dat | dcrat
behavioral1/memory/2644-13-0x0000000000AB0000-0x0000000000BC0000-memory.dmp | dcrat
behavioral1/memory/328-142-0x0000000000830000-0x0000000000940000-memory.dmp | dcrat
behavioral1/memory/2336-201-0x0000000000370000-0x0000000000480000-memory.dmp | dcrat
behavioral1/memory/336-261-0x0000000000A80000-0x0000000000B90000-memory.dmp | dcrat
behavioral1/memory/2588-321-0x0000000000E80000-0x0000000000F90000-memory.dmp | dcrat
behavioral1/memory/944-381-0x00000000013E0000-0x00000000014F0000-memory.dmp | dcrat
behavioral1/memory/2524-500-0x00000000000C0000-0x00000000001D0000-memory.dmp | dcrat
behavioral1/memory/1800-560-0x0000000000C80000-0x0000000000D90000-memory.dmp | dcrat
behavioral1/memory/1044-620-0x0000000001110000-0x0000000001220000-memory.dmp | dcrat
behavioral1/memory/2580-680-0x00000000003A0000-0x00000000004B0000-memory.dmp | dcrat
behavioral1/memory/1480-740-0x0000000001120000-0x0000000001230000-memory.dmp | dcrat
Command and Scripting Interpreter: PowerShell (1 TTPs, 18 IoCs)
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
powershell.exe PIDs: 2188, 2408, 2356, 2068, 1120, 2104, 2652, 2704, 2776, 3036, 2596, 1584, 1688, 2900, 1228, 1576, 1716, 3056
Executes dropped EXE (12 IoCs)
pid / Process: 2644 DllCommonsvc.exe; 328 wininit.exe; 2336 wininit.exe; 336 wininit.exe; 2588 wininit.exe; 944 wininit.exe; 2692 wininit.exe; 2524 wininit.exe; 1800 wininit.exe; 1044 wininit.exe; 2580 wininit.exe; 1480 wininit.exe
Loads dropped DLL (2 IoCs)
pid / Process: 2784 cmd.exe; 2784 cmd.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 11 IoCs)
flow / ioc: 13 raw.githubusercontent.com; 19 raw.githubusercontent.com; 26 raw.githubusercontent.com; 29 raw.githubusercontent.com; 32 raw.githubusercontent.com; 5 raw.githubusercontent.com; 9 raw.githubusercontent.com; 16 raw.githubusercontent.com; 22 raw.githubusercontent.com; 35 raw.githubusercontent.com; 4 raw.githubusercontent.com
Drops file in Program Files directory (13 IoCs)
description / ioc (Process):
File created: C:\Program Files (x86)\Windows Photo Viewer\fr-FR\smss.exe (DllCommonsvc.exe)
File created: C:\Program Files (x86)\Windows Photo Viewer\fr-FR\69ddcba757bf72 (DllCommonsvc.exe)
File created: C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\6ccacd8608530f (DllCommonsvc.exe)
File created: C:\Program Files (x86)\Adobe\taskhost.exe (DllCommonsvc.exe)
File opened for modification: C:\Program Files (x86)\Adobe\taskhost.exe (DllCommonsvc.exe)
File created: C:\Program Files (x86)\Adobe\b75386f1303e64 (DllCommonsvc.exe)
File created: C:\Program Files (x86)\Microsoft Synchronization Services\lsass.exe (DllCommonsvc.exe)
File created: C:\Program Files (x86)\Microsoft Synchronization Services\6203df4a6bafc7 (DllCommonsvc.exe)
File created: C:\Program Files (x86)\Windows Mail\explorer.exe (DllCommonsvc.exe)
File created: C:\Program Files (x86)\Windows Mail\7a0fd90576e088 (DllCommonsvc.exe)
File created: C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\cmd.exe (DllCommonsvc.exe)
File created: C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\ebf1f9fa8afd6d (DllCommonsvc.exe)
File created: C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\Idle.exe (DllCommonsvc.exe)
Drops file in Windows directory (7 IoCs)
description / ioc (Process):
File created: C:\Windows\DigitalLocker\it-IT\5940a34987c991 (DllCommonsvc.exe)
File created: C:\Windows\Fonts\csrss.exe (DllCommonsvc.exe)
File created: C:\Windows\Fonts\886983d96e3d3e (DllCommonsvc.exe)
File created: C:\Windows\ehome\lsass.exe (DllCommonsvc.exe)
File created: C:\Windows\ehome\6203df4a6bafc7 (DllCommonsvc.exe)
File created: C:\Windows\rescache\rc0006\audiodg.exe (DllCommonsvc.exe)
File created: C:\Windows\DigitalLocker\it-IT\dllhost.exe (DllCommonsvc.exe)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description / ioc (Process):
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (JaffaCakes118_6417f15f0e04496200e688dd9e4782b82f0cc9e76a3167a259dc2cf25face837.exe)
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (WScript.exe)
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (cmd.exe)
Scheduled Task/Job: Scheduled Task (1 TTPs, 51 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious behavior: EnumeratesProcesses (31 IoCs)
Suspicious use of AdjustPrivilegeToken (29 IoCs)
Suspicious use of WriteProcessMemory (64 IoCs)
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
(the bracketed number is the depth of the entry in the process tree)

[1] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6417f15f0e04496200e688dd9e4782b82f0cc9e76a3167a259dc2cf25face837.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6417f15f0e04496200e688dd9e4782b82f0cc9e76a3167a259dc2cf25face837.exe"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 1688

[2] C:\Windows\SysWOW64\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 2676

[3] C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c ""C:\providercommon\1zu9dW.bat" "
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 2784

[4] C:\providercommon\DllCommonsvc.exe
    Command line: "C:\providercommon\DllCommonsvc.exe"
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 2644
[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2408

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\taskhost.exe'
    - Command and Scripting Interpreter: PowerShell
    PID: 1228

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ehome\lsass.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1576

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\spoolsv.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 3036

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\smss.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1716

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\wininit.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2900

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\cmd.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2068

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\sppsvc.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2356

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\wininit.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 3056

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\wininit.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1688

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\SendTo\dllhost.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1120

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Desktop\taskhost.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2188

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\Idle.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1584

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Synchronization Services\lsass.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2776

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\explorer.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2596

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\DigitalLocker\it-IT\dllhost.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2704

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Fonts\csrss.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2652

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\csrss.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2104
[5] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jpozkiw3ki.bat"
    PID: 2556

[6] C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 1868

[6] C:\Users\Default User\wininit.exe
    Command line: "C:\Users\Default User\wininit.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 328

[7] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2tBWjDxv5U.bat"
    PID: 1504

[8] C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 1264

[8] C:\Users\Default User\wininit.exe
    Command line: "C:\Users\Default User\wininit.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2336

[9] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9j3rBUpSkc.bat"
    PID: 3036

[10] C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 1368

[10] C:\Users\Default User\wininit.exe
    Command line: "C:\Users\Default User\wininit.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 336

[11] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\l7tVtcAquU.bat"
    PID: 1604

[12] C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 2000

[12] C:\Users\Default User\wininit.exe
    Command line: "C:\Users\Default User\wininit.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2588

[13] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\I4yJNRBzAA.bat"
    PID: 2328

[14] C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 928

[14] C:\Users\Default User\wininit.exe
    Command line: "C:\Users\Default User\wininit.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 944

[15] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jFR8woBO6B.bat"
    PID: 2712

[16] C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 960

[16] C:\Users\Default User\wininit.exe
    Command line: "C:\Users\Default User\wininit.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2692

[17] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xZLz5Ote6t.bat"
    PID: 2352

[18] C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 2368

[18] C:\Users\Default User\wininit.exe
    Command line: "C:\Users\Default User\wininit.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2524

[19] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\owZfSNRP11.bat"
    PID: 1488

[20] C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 2332

[20] C:\Users\Default User\wininit.exe
    Command line: "C:\Users\Default User\wininit.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1800

[21] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5AjNu1Vgdj.bat"
    PID: 2952

[22] C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 2552

[22] C:\Users\Default User\wininit.exe
    Command line: "C:\Users\Default User\wininit.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1044

[23] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iOYCRAfa0D.bat"
    PID: 2852

[24] C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 2892

[24] C:\Users\Default User\wininit.exe
    Command line: "C:\Users\Default User\wininit.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2580

[25] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yNYzWO1Iaj.bat"
    PID: 2044

[26] C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 2544

[26] C:\Users\Default User\wininit.exe
    Command line: "C:\Users\Default User\wininit.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1480
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Adobe\taskhost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2540
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\taskhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2492
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Adobe\taskhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2524
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Windows\ehome\lsass.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2536
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\ehome\lsass.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2152
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Windows\ehome\lsass.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1244
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\spoolsv.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:472
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1056
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1496
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\smss.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2816
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\smss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2840
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\smss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2864
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\wininit.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2980
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Default User\wininit.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1104
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\wininit.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2532
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\cmd.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2340
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\cmd.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1976
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\cmd.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1964
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\sppsvc.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1304
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1264
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2352
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\wininit.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2740
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\wininit.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1792
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\wininit.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1924
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\providercommon\wininit.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1660
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\providercommon\wininit.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2092
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\providercommon\wininit.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:760
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Users\Default\SendTo\dllhost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2468
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default\SendTo\dllhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2928
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Users\Default\SendTo\dllhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2348
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Desktop\taskhost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1420
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\All Users\Desktop\taskhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:664
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Desktop\taskhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1224
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\Idle.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:788
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\Idle.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1620
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\Idle.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1912
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\lsass.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2752
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\lsass.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2336
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\lsass.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1552
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Mail\explorer.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:464
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\explorer.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2424
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Mail\explorer.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1148
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Windows\DigitalLocker\it-IT\dllhost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1028
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\DigitalLocker\it-IT\dllhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2288
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Windows\DigitalLocker\it-IT\dllhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:944
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Windows\Fonts\csrss.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1752
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Fonts\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2296
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Windows\Fonts\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2428
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2332
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:888
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2432
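The schtasks invocations listed above are the sample's persistence layer, and every one of them is cut from a single template. For each dropped binary there are three tasks: one named after the binary with its own first letter appended (`taskhostt`, `lsassl`, `csrssc`) that fires every few minutes, one with the bare name that fires `ONLOGON` with `/rl HIGHEST`, and a second minute-interval task that also carries `/rl HIGHEST`; all of them use `/f`, so they silently replace any task of the same name. The binaries borrow Windows system process names (`lsass.exe`, `csrss.exe`, `smss.exe`, `wininit.exe` and so on) but sit under Adobe, Office, Chrome, Recovery and user-profile directories where no genuine copy lives. The Python below is an added example and not part of this report or of the sample: it parses command lines of this shape, flags each of those traits, and reports the name pairing. The table of where the genuine binaries live is an assumption for a 64-bit Windows client; the `NightlyBackup` line is a constructed benign control, and the other sample lines are copied from the process list above.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Assumption: where the genuine copies of the impersonated binaries live on a
# 64-bit Windows client (lower-cased). "Idle.exe" has no real file at all: the
# "System Idle Process" shown by Task Manager is a kernel pseudo-process.
EXPECTED_DIRS: Dict[str, set] = {
    "taskhost.exe": {r"c:\windows\system32"},
    "lsass.exe": {r"c:\windows\system32"},
    "spoolsv.exe": {r"c:\windows\system32"},
    "smss.exe": {r"c:\windows\system32"},
    "wininit.exe": {r"c:\windows\system32"},
    "sppsvc.exe": {r"c:\windows\system32"},
    "csrss.exe": {r"c:\windows\system32"},
    "cmd.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "dllhost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "explorer.exe": {r"c:\windows"},
    "idle.exe": set(),
}

# Command lines copied from the process list above (a subset).
SAMPLE_CMDLINES = [
    r"""schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Adobe\taskhost.exe'" /f""",
    r"""schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\taskhost.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Adobe\taskhost.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Windows\ehome\lsass.exe'" /f""",
    r"""schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\ehome\lsass.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Windows\ehome\lsass.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\Idle.exe'" /f""",
    r"""schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\Idle.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Mail\explorer.exe'" /f""",
    r"""schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\explorer.exe'" /rl HIGHEST /f""",
]
# Constructed benign control: a daily task pointing at the real cmd.exe.
BENIGN_CMDLINE = r"""schtasks.exe /create /tn "NightlyBackup" /tr "C:\Windows\System32\cmd.exe /c C:\scripts\backup.bat" /sc DAILY /st 02:00"""

TN_RE = re.compile(r'/tn\s+"([^"]+)"', re.I)
SC_RE = re.compile(r"/sc\s+(\S+)", re.I)
MO_RE = re.compile(r"/mo\s+(\d+)", re.I)
RL_RE = re.compile(r"/rl\s+(\S+)", re.I)
TR_RE = re.compile(r"/tr\s+\"'?(.+?)'?\"", re.I)  # the sample wraps its path as "'C:\...'"
EXE_RE = re.compile(r"(.+?\.exe)(?:\s|$)", re.I)  # executable part of the /tr action
FORCE_RE = re.compile(r"(?<!\S)/f(?!\S)", re.I)   # a bare /f, not /fo or part of a path


def parse_schtasks_create(cmdline: str) -> Dict[str, object]:
    """Pull /tn, /sc, /mo, /tr, /rl and /f out of one schtasks /create command line."""
    def first(rx: "re.Pattern[str]", default: str = "") -> str:
        m = rx.search(cmdline)
        return m.group(1) if m else default

    action = first(TR_RE)
    exe_match = EXE_RE.match(action)
    return {
        "task_name": first(TN_RE),
        "schedule": first(SC_RE).upper(),
        "modifier": int(first(MO_RE, "0")),
        "exe": exe_match.group(1) if exe_match else action,
        "run_level": first(RL_RE, "LIMITED").upper(),  # LIMITED is the schtasks default
        "force": bool(FORCE_RE.search(cmdline)),
    }


def assess(cmdline: str) -> Tuple[Dict[str, object], List[Tuple[str, str]]]:
    """Return the parsed fields and a list of (finding, detail) pairs, in check order."""
    f = parse_schtasks_create(cmdline)
    findings: List[Tuple[str, str]] = []
    directory, _, base = str(f["exe"]).lower().rpartition("\\")
    if base in EXPECTED_DIRS and directory not in EXPECTED_DIRS[base]:
        genuine = ", ".join(sorted(EXPECTED_DIRS[base])) or "nowhere (no such binary exists)"
        findings.append(("masquerade", f"{base} in {directory}; genuine copy lives in {genuine}"))
    if f["run_level"] == "HIGHEST":
        findings.append(("run_level", "HIGHEST: runs with the highest privileges the account has"))
    if f["schedule"] == "MINUTE" and 0 < int(f["modifier"]) <= 15:
        findings.append(("short_interval", f"re-launched every {f['modifier']} minutes"))
    if f["schedule"] == "ONLOGON":
        findings.append(("logon_trigger", "ONLOGON: survives reboot"))
    if f["force"]:
        findings.append(("force", "/f silently replaces an existing task of the same name"))
    return f, findings


def paired_names(cmdlines: List[str]) -> Dict[str, Tuple[str, str]]:
    """Map each target exe to its (name, name + first letter) task pair, where both exist."""
    names_by_exe: Dict[str, set] = defaultdict(set)
    for c in cmdlines:
        f = parse_schtasks_create(c)
        names_by_exe[str(f["exe"])].add(str(f["task_name"]))
    pairs: Dict[str, Tuple[str, str]] = {}
    for exe, names in names_by_exe.items():
        for n in names:
            if len(n) > 1 and n[-1] == n[0] and n[:-1] in names:
                pairs[exe] = (n[:-1], n)
    return pairs


if __name__ == "__main__":
    for c in SAMPLE_CMDLINES + [BENIGN_CMDLINE]:
        f, findings = assess(c)
        tags = ", ".join(k for k, _ in findings) or "no findings"
        print(f"{f['task_name']:<14} {f['schedule']:<8} {f['run_level']:<8} {f['exe']}  [{tags}]")
    for exe, (short, long) in paired_names(SAMPLE_CMDLINES).items():
        print(f"paired task names {short!r}/{long!r} -> {exe}")
```

The same checks apply to a live host: feed `schtasks /query /fo CSV /v` output (the "Task To Run" and "Run As User" columns) through `assess` instead of command lines, and treat any task whose target is a system process name outside its expected directory as a confirmed finding rather than a heuristic.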
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B
MD5
b2fa4a9c8c76cf516ba540144619250a
SHA1
780ea8159552ec8c67bbef50255084fccc76700d
SHA256
52a5b3be792c88a9ff579bd93a107e461cf9ac2021556bc4983f16c033e9fb87
SHA512
b7c3040146ea8645f573b94e7a533e5c574627b913f9fe27c07773e81c54f05d8f773e654c78eb5763e0b1f542bf414eec60ebd9ec8896e8e9384bc80434d869
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B
MD5
3b58b41981f4f6c856530b08ef9ea801
SHA1
6e5a641333ae9bd8a0cd36dd1ed9102c55c0246a
SHA256
9e16e2607bd3e87aa261f7d7da67a935e9e98b16224128271843bb0da87ee824
SHA512
f15131f9b498f67affcc204e5515728e579ced9390ccde10ded1de33dc9d1fdbadfbbf3a404566d48fb093637b75bd18d3537606f4bfdd9bf18ce715a383f77a
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B
MD5
d20871ddebdb0e46a8af3e5853e1b3fe
SHA1
ed0147d878fb0ac96845fecc9bed43ddd52f4163
SHA256
2481c1534f68cf0f066acfb08ca5c15456f79ceb1243e89635d5caac43e5424d
SHA512
f284d6f1b0f9941f3858bccbe6cefed3948e5405386c879184de094ec03d7fb75cf490c1d6b90b12ed01fda53d4e47ba65f212a305ccb971de073f5517f37df8
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B
MD5
ad1cfe606b373babb3e7b11c2c5dff8f
SHA1
d6d73a0d3e2dba914f563645e4ff63e5d94240c3
SHA256
5affa420cecf5d07ec01b19e5846c4dc7b0e50085f8e26120296626a69788235
SHA512
00fc6c143338e15a73ac25a048177879d8c304150a5735162f9339e7d8f041048a9f79c90d7de6bb20a633d954a60b5e37ca53dc3eff86d2937ebe19fddcfcb0
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B
MD5
2269acb9b0c4e156ab6c208fe8b81f0c
SHA1
6469de101c73761884ceb0e5f8904dbe14763e07
SHA256
7ee7d912aeb8032b67911c3296a856b277963833bf8561f30a37eb35d37fb015
SHA512
52d4222da9e9db4012863f8b90e2025f6c917a81bf84953eeaf180f549c00ed46911ad16bf6457de2cda386c108f5267c0107326a71ec648b7ef54445294a8a6
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B
MD5
d9a05a9c3de447e98fd39a5521e31615
SHA1
3c45f6101bed0fae105997459d9050577b8cc95d
SHA256
0f3b22b572dd17f86666084ad5a696ebc267c035e64c86cf6e5abb0dceb0da09
SHA512
9cb3113fe1e6ba303f0b9042dba08d3941069412f42285e14c0f49eb15f31fdae40e5cccab49be5c4ead15ccfff8fdef017ee578e81ca2b07ff772b923544d30
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B
MD5
c980a789a96aea3710494172cbf35c9f
SHA1
91a9e32514afde6a7a38c4e822672ff3a510b047
SHA256
9b00c7aece109738c921f226acea45c5ffb3677dab522e9d69f14b3af27a27bc
SHA512
d2d62dde80c5ea1e6f3bd7492b22e09c02d68b987dc75f0bef2cf386028637e0d5d0139ec313f665b273f43de3e8b81802a66a8b3c8393f2d6e42e98c03f7c8f
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B
MD5
b6761196075a15878f8943f84a7afc9c
SHA1
48c132c267c25eb4ab47c3ddc38833c5f208ad15
SHA256
cc3279c23c436d1145a5b05e34e332f60599b680153616626a11c64ed7990974
SHA512
6eae9e99d3017e9c30a690fec1c49ecff6c314eea41439d7b25f5b6c37471467491cdc1cf923d447e0814d1dfee29f4f09e41e62d579070c6b1ff00191091a30
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B
MD5
9fe1ec2f215ddecd7467ac00dcbd27c3
SHA1
be1e9af48efd7179bcf4ec779d158daec192eceb
SHA256
b4287a74484a63bc2d20726ebc84d473a4697a5596eb76f7c9bb18e031dfc1fb
SHA512
9a751eb10a5cd1676858f80d221954be7b75a28a6d4fa5e724e83148212866fda56a09de66edd7a306957bc01b17a34e29510f15f70606d17b1c4f359a60f621
-
Filesize
198B
MD5
9b630e441ac9dd33df986e576fc0d913
SHA1
157658533a693df52b944720df0b60cdf60f612e
SHA256
6ebe9c0b5f8f7ab34ee81b29d60a68474a5e2679d68611664302a9afdf9bd689
SHA512
009d5f6608a7025be3c772b033b5168b2c73d4fad99995cf4f7138630a3435da9d883f8b709211c7fc0cb2fbc0f74b39d819113d0778a9a61c87b42ba710154c
-
Filesize
198B
MD5
c2d7f289fb722fad9328241966fef5f2
SHA1
990c8803eb78525425ee91e7a34fbe55ab79e12b
SHA256
76f9c4382de0b5bd97b1a9c3387ddd8844ef74c5b5cbd7c4179e7689c49cba7a
SHA512
3373d1f22267f15e5a1074696b04eea78dbd38db202b6a9ed4403cc51f1df499e1ed1a77248ac06669aad08856e7929b48b346bf6121f49ad4538198efeea340
-
Filesize
198B
MD5
e960eec91dbd2a7037395207191ae583
SHA1
82b75e66899626dd1748060f8e74f29d115421a2
SHA256
2dcb76988302ba74cb0c9dc6e0d0c42d21cfdd8ad177d9d390bb94dac63652ff
SHA512
faed1c07030f7b0f8a225e76499f307919e60824dc20e290d3d61434a9fb64d7f742ee2a8b889084653cef092b2d35ce2b199234236799b329c16d5c707eafab
-
Filesize
70KB
MD5
49aebf8cbd62d92ac215b2923fb1b9f5
SHA1
1723be06719828dda65ad804298d0431f6aff976
SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
198B
MD5
8814c95d4bdfd016cf3031bcfd981f18
SHA1
7caae11067410bf35f1522b9b956979337df0a01
SHA256
f140b24ed5b19caf86007b2770d7a06b0d6da4e745d44118111e22ec04fd70db
SHA512
9f704105ab0922d2c47bbbaa159276f2b2020980869fb4168470fd7a3fdda3900fa2f1f4fc9d32aee5e3a21d5ab496947068cb4bd59ac237cc00c5544230500a
-
Filesize
181KB
MD5
4ea6026cf93ec6338144661bf1202cd1
SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
198B
MD5
a5c908bc8fe709a3a836b4d7280bc64d
SHA1
bcbd04826ba1c3995ad00b628a46021f26190889
SHA256
cb125d853394fcfaebf6bd1805a9f0e3efc5b352e0a30fae545e829821f612e1
SHA512
7333c082b370dbf1b3f361be148c7791a2a9d7357ed85625b24ef0ec8595c764e2443ef198eca456247a06b037dcf1fa4269dacd97fa561cd370561edd611181
-
Filesize
198B
MD5
1bf12767dd085341da4e19c4def121aa
SHA1
c7036306aa5584b1449999b2fffa76fb7d9c8af3
SHA256
7e389b87e36fa408d998f71dd5b1917d4719938e77ab1821bf69f021a6f1e4fa
SHA512
a3b1e2b864641cae1462b5c8602664367bcc32889286014d5d8eb9cde029d2e6d2e6427fe7b6318bfaf0a11106ed6d5e15fed9190797b58a868165c8be3eae97
-
Filesize
198B
MD5
00e1b5bc5b4ba4081276d560f3fb464d
SHA1
8c449c27ada9e6d29ca2b5ca4df7fb9dda26e22c
SHA256
80e1e154f5ed5492583d082aab327b895b376c4286ed1bd8c0e028798976eb01
SHA512
a834aef8f405d3d969ed595e0b9d2a4433e7d4e6e60ea46f1d36c0113761ad04a97e3699f4c6c790cba2a40c1381e8705ee9381ebc2be5e3d6d1e9252f73611e
-
Filesize
198B
MD5
ea15bafbf1a47188f860a7fee88c7b39
SHA1
185c263d4c94e9003c330dfee1066ac0ed0d8ed0
SHA256
c6a739a317b260e23d5986482977cadd1fdb4a290eb586b4577af4dbaf27abb5
SHA512
6edf23348ad333478099b63d31bb4cbd3148d21af030e994111d6b9b9a5ee63df1e75c12de9207f1c51b6a6bf5facd9a20db8b57ccc4e69910cfd6bd66f533f9
-
Filesize
198B
MD5
924b5f98b97936badb3209e112465ed4
SHA1
96d81f3d2598d7a50242270ea6deb76f0c272605
SHA256
75a6a135e42ed0e4d318db5ffb5be1acd70eccf8d542cd92c7e28a060d0f2e45
SHA512
fbdebd247d32e395cd20ab9cb62ba811e209635163d3ab14f1667cbaec17e56fb4cc66857e124e79210add0a59eb45fd8b12640fbfeb7526a594111fb3a72173
-
Filesize
198B
MD5
b8633100190a6c728c5d95834682c31f
SHA1
7af11aee90a5949e96dc9378f194d26800eff177
SHA256
f43431604e5e33724bf07ad53aebc6ace01ba19f100d98bcfc19871cd1f6d63d
SHA512
3a9c816d0eb0cf48c28211475078e3500b7a1fb53b0d8ad6d6e85c7ef73f4ad0e68322448d95c2f14d9e47a3f85a04a30944815b24e789ba268a094ea0ceb6bc
-
Filesize
198B
MD5
3d2fe4ada936042de08eeb254594a847
SHA1
2ff116e453c30c821c0a02c92437043a7032b306
SHA256
56115bb3c5af086eede889c63934761b3e0cadbb35f63e36ee92e649f738e014
SHA512
db203f0649601c4686e85aef4afb75393564f087e7173d5d4adc131e85d378b7ffeafe372d37e19d1ccd3b7cee59fbbdf44324999b79275f17f6399cdef754c1
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB
MD5
226c29e7df2f4a8abef8e67ddf491908
SHA1
de72224e43c447ff52e7fccaac52ad27c353a8e8
SHA256
e6896a1498da765782415c8acc4575d64a03bdd18ff89ef60e5c8934025b2e15
SHA512
9e5b7507b52f9344748b8e320cb5be83d181b038e5a8edfc94edb65a228958dae4656ff7968bd31d51e4280eac4e8a63152edff5c506c39b56f2aa6630e27e50
-
Filesize
36B
MD5
6783c3ee07c7d151ceac57f1f9c8bed7
SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03
SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8
-
Filesize
197B
MD5
8088241160261560a02c84025d107592
SHA1
083121f7027557570994c9fc211df61730455bb5
SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478
-
Filesize
1.0MB
MD5
bd31e94b4143c4ce49c17d3af46bcad0
SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394