Analysis
max time kernel: 148s
max time network: 150s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 30/12/2024, 01:52

Behavioral task: behavioral1
Sample: JaffaCakes118_81a5a5bce72f570318031322a9b7786f8ba579b1dccf2c4b79d10a16b2e5d6a5.exe
Resource: win7-20241010-en

Behavioral task: behavioral2
Sample: JaffaCakes118_81a5a5bce72f570318031322a9b7786f8ba579b1dccf2c4b79d10a16b2e5d6a5.exe
Resource: win10v2004-20241007-en
General
Target: JaffaCakes118_81a5a5bce72f570318031322a9b7786f8ba579b1dccf2c4b79d10a16b2e5d6a5.exe
Size: 1.3MB
MD5: 6cbced217d07e41727a7754225ce67ba
SHA1: 3b3edbb8773adcef702429d1fa9e70a993542a94
SHA256: 81a5a5bce72f570318031322a9b7786f8ba579b1dccf2c4b79d10a16b2e5d6a5
SHA512: 7fdeae1873a522ff033e55ee76fdf481a1504d2c7905ae73880488cb049aeb17cbea310a9cf899667d000556a013e2de2e5bbf0b77045e3834668c998f87f2d0
SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal RAT (DcRat) is a .NET RAT active since June 2019 that can load additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 54 IoCs
This typically indicates the parent process was compromised via an exploit or macro. When the recorded parent is wmiprvse.exe, as here, the more common explanation is that the child was created through WMI (Win32_Process.Create): the WMI Provider Host then becomes the parent of the new process instead of the malware that requested it, which is why the schtasks.exe entries appear at the root of the process tree below rather than under DllCommonsvc.exe.
description  pid  pid_target  Process  procid_target
All 54 rows share the same description, pid_target, Process and procid_target; only pid (the schtasks.exe instance) differs:
description: Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
pid_target: 2836 (procid_target 34; the wmiprvse.exe parent)
Process: schtasks.exe
pid: 2788, 3004, 2912, 2652, 2804, 1948, 2672, 2752, 2012, 1684, 888, 2116, 2072, 1904, 1620, 1164, 2960, 2948, 2308, 1244, 1268, 2220, 2468, 2252, 1124, 536, 2596, 620, 1464, 1080, 832, 2064, 1852, 1360, 2184, 2516, 1516, 1712, 1708, 876, 548, 1968, 2268, 2408, 868, 2404, 2032, 2456, 1560, 2360, 2716, 2564, 1084, 300
resource  yara_rule
behavioral1/files/0x000700000001939c-9.dat  dcrat
behavioral1/memory/2096-13-0x0000000000390000-0x00000000004A0000-memory.dmp  dcrat
behavioral1/memory/2524-100-0x0000000000030000-0x0000000000140000-memory.dmp  dcrat
behavioral1/memory/3876-210-0x0000000000320000-0x0000000000430000-memory.dmp  dcrat
behavioral1/memory/3016-270-0x00000000009D0000-0x0000000000AE0000-memory.dmp  dcrat
behavioral1/memory/2020-330-0x0000000001130000-0x0000000001240000-memory.dmp  dcrat
behavioral1/memory/3468-449-0x0000000000260000-0x0000000000370000-memory.dmp  dcrat
behavioral1/memory/3820-509-0x00000000000D0000-0x00000000001E0000-memory.dmp  dcrat
behavioral1/memory/868-570-0x0000000000190000-0x00000000002A0000-memory.dmp  dcrat
behavioral1/memory/3076-630-0x0000000000F10000-0x0000000001020000-memory.dmp  dcrat
behavioral1/memory/2220-690-0x0000000001190000-0x00000000012A0000-memory.dmp  dcrat
behavioral1/memory/3312-750-0x00000000011C0000-0x00000000012D0000-memory.dmp  dcrat
Command and Scripting Interpreter: PowerShell 1 TTPs 19 IoCs
PowerShell is run to modify Windows Defender settings through Add-MpPreference, which can add exclusions for file extensions, paths and processes. Every invocation in this run adds a single -ExclusionPath for one of the dropped copies, so the 19 PIDs below map one-to-one onto the 19 exclusion paths shown in the process tree.
pid  Process
2820  powershell.exe
2476  powershell.exe
2632  powershell.exe
2816  powershell.exe
2976  powershell.exe
3008  powershell.exe
2760  powershell.exe
2200  powershell.exe
1944  powershell.exe
2748  powershell.exe
2172  powershell.exe
2860  powershell.exe
2920  powershell.exe
2332  powershell.exe
2060  powershell.exe
2648  powershell.exe
2772  powershell.exe
2656  powershell.exe
2264  powershell.exe
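The signature above only counts the PowerShell launches; the command lines in the process tree carry the actual exclusions. The following Python, added here as a worked example and not part of the sandbox report or of the sample, extracts Defender exclusions from process command lines and groups them by parent PID so that a burst like this one (many exclusions requested by a single parent) stands out. The command lines are copied from the tree further down; the parent PID 2096 (DllCommonsvc.exe) for each comes from the WriteProcessMemory table; the record layout (pid, ppid, cmdline), the threshold and the benign control record are this example's own assumptions.

```python
"""Pull Windows Defender exclusions out of process command lines and flag a
parent process that adds many of them.

Added example for this report; not the sandbox's or the sample's code.
The command lines are copied from the process tree and every powershell.exe
there is a child of DllCommonsvc.exe (PID 2096, per the WriteProcessMemory
table). Field names, the threshold and the benign control record are this
example's own assumptions.
"""
import re
from collections import defaultdict

# -ExclusionPath / -ExclusionProcess / -ExclusionExtension followed by a
# single-quoted, double-quoted or bare value (Add-MpPreference accepts all three).
_EXCL = re.compile(
    r"-Exclusion(?P<kind>Path|Process|Extension)\s+"
    r"""(?:'(?P<sq>[^']*)'|"(?P<dq>[^"]*)"|(?P<bare>[^\s,]+))""",
    re.IGNORECASE,
)


def parse_exclusions(cmdline):
    """Return [(kind, value), ...] for each exclusion an Add-MpPreference
    command line adds; [] for anything else (Get-MpPreference, unrelated
    PowerShell, non-PowerShell commands)."""
    if not re.search(r"\bAdd-MpPreference\b", cmdline, re.IGNORECASE):
        return []
    found = []
    for m in _EXCL.finditer(cmdline):
        value = m.group("sq") or m.group("dq") or m.group("bare")
        found.append((m.group("kind").lower(), value))
    return found


def exclusion_burst(events, threshold=3):
    """Group exclusions by the parent PID that launched the PowerShell and
    return {ppid: [(kind, value), ...]} for parents at or above threshold.
    An installer may legitimately add one or two; nineteen from one process,
    as in this report, is the pattern to alert on."""
    by_parent = defaultdict(list)
    for ev in events:
        for item in parse_exclusions(ev["cmdline"]):
            by_parent[ev["ppid"]].append(item)
    return {ppid: items for ppid, items in by_parent.items() if len(items) >= threshold}


def _ps(path):
    # Rebuilds the exact command-line shape seen in the process tree.
    return '"powershell" -Command Add-MpPreference -ExclusionPath \'' + path + "'"


# Four of the nineteen exclusions from the report, plus one constructed benign
# record (an admin excluding a build directory and an extension).
EVENTS = [
    {"pid": 2332, "ppid": 2096, "cmdline": _ps(r"C:\providercommon\DllCommonsvc.exe")},
    {"pid": 2060, "ppid": 2096, "cmdline": _ps(r"C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\smss.exe")},
    {"pid": 2920, "ppid": 2096, "cmdline": _ps(r"C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\csrss.exe")},
    {"pid": 2772, "ppid": 2096, "cmdline": _ps(r"C:\Windows\BitLockerDiscoveryVolumeContents\dwm.exe")},
    {"pid": 4100, "ppid": 4000,
     "cmdline": 'powershell.exe -Command Add-MpPreference -ExclusionPath "D:\\build\\out" -ExclusionExtension .obj'},
]

if __name__ == "__main__":
    for ppid, items in exclusion_burst(EVENTS).items():
        print(f"parent {ppid} added {len(items)} Defender exclusions:")
        for kind, value in items:
            print(f"  {kind}: {value}")
```

On a live host the same change is visible in two places: `(Get-MpPreference).ExclusionPath` lists the exclusions currently in force, and Defender records every preference change as event ID 5007 in the Microsoft-Windows-Windows Defender/Operational log, so an exclusion added this way leaves a trace even after the PowerShell process is gone.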
Executes dropped EXE 12 IoCs
pid  Process
2096  DllCommonsvc.exe
2524  dwm.exe
3876  dwm.exe
3016  dwm.exe
2020  dwm.exe
2016  dwm.exe
3468  dwm.exe
3820  dwm.exe
868  dwm.exe
3076  dwm.exe
2220  dwm.exe
3312  dwm.exe
Loads dropped DLL 2 IoCs
pid  Process
1688  cmd.exe
1688  cmd.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs
flow  ioc
15  raw.githubusercontent.com
18  raw.githubusercontent.com
22  raw.githubusercontent.com
25  raw.githubusercontent.com
28  raw.githubusercontent.com
32  raw.githubusercontent.com
4  raw.githubusercontent.com
5  raw.githubusercontent.com
9  raw.githubusercontent.com
12  raw.githubusercontent.com
36  raw.githubusercontent.com
Drops file in Program Files directory 10 IoCs
description  ioc  Process
File created  C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\conhost.exe  DllCommonsvc.exe
File created  C:\Program Files\Java\winlogon.exe  DllCommonsvc.exe
File created  C:\Program Files (x86)\Windows Defender\ja-JP\System.exe  DllCommonsvc.exe
File created  C:\Program Files (x86)\Windows Defender\ja-JP\27d1bcfc3c54e0  DllCommonsvc.exe
File created  C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\886983d96e3d3e  DllCommonsvc.exe
File created  C:\Program Files\Internet Explorer\images\System.exe  DllCommonsvc.exe
File created  C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\088424020bedd6  DllCommonsvc.exe
File created  C:\Program Files\Java\cc11b995f2a76d  DllCommonsvc.exe
File created  C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\csrss.exe  DllCommonsvc.exe
File created  C:\Program Files\Internet Explorer\images\27d1bcfc3c54e0  DllCommonsvc.exe
Drops file in Windows directory 11 IoCs
description  ioc  Process
File created  C:\Windows\BitLockerDiscoveryVolumeContents\dwm.exe  DllCommonsvc.exe
File created  C:\Windows\BitLockerDiscoveryVolumeContents\6cb0b6c459d5d3  DllCommonsvc.exe
File created  C:\Windows\ShellNew\088424020bedd6  DllCommonsvc.exe
File created  C:\Windows\Prefetch\ReadyBoot\5940a34987c991  DllCommonsvc.exe
File created  C:\Windows\Prefetch\ReadyBoot\dllhost.exe  DllCommonsvc.exe
File created  C:\Windows\ShellNew\conhost.exe  DllCommonsvc.exe
File created  C:\Windows\addins\audiodg.exe  DllCommonsvc.exe
File created  C:\Windows\addins\42af1c969fbb7b  DllCommonsvc.exe
File created  C:\Windows\ShellNew\smss.exe  DllCommonsvc.exe
File created  C:\Windows\ShellNew\69ddcba757bf72  DllCommonsvc.exe
File created  C:\Windows\Boot\DVD\EFI\en-US\dllhost.exe  DllCommonsvc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
description  ioc  Process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  WScript.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  JaffaCakes118_81a5a5bce72f570318031322a9b7786f8ba579b1dccf2c4b79d10a16b2e5d6a5.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 54 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid  Process
All 54 rows are schtasks.exe; the pids, in the order listed, are:
1904, 1464, 2308, 2220, 868, 2012, 888, 2072, 1164, 1084, 2404, 2032, 1712, 1620, 1684, 3004, 2912, 2716, 2564, 2596, 1360, 2268, 1560, 2672, 2116, 1968, 1948, 1268, 832, 1124, 2804, 2752, 2468, 2252, 2788, 2064, 2184, 2456, 2960, 1852, 548, 2408, 620, 876, 2948, 1244, 2516, 1516, 2652, 1708, 1080, 536, 2360, 300
Suspicious behavior: EnumeratesProcesses 33 IoCs
pid  Process
2096  DllCommonsvc.exe (3 events)
2332  powershell.exe
2264  powershell.exe
2772  powershell.exe
2976  powershell.exe
2632  powershell.exe
2200  powershell.exe
2172  powershell.exe
2860  powershell.exe
2060  powershell.exe
2920  powershell.exe
2820  powershell.exe
2656  powershell.exe
1944  powershell.exe
2748  powershell.exe
2476  powershell.exe
2816  powershell.exe
2760  powershell.exe
2648  powershell.exe
3008  powershell.exe
2524  dwm.exe
3876  dwm.exe
3016  dwm.exe
2020  dwm.exe
2016  dwm.exe
3468  dwm.exe
3820  dwm.exe
868  dwm.exe
3076  dwm.exe
2220  dwm.exe
3312  dwm.exe
Suspicious use of AdjustPrivilegeToken 31 IoCs
description  pid  Process
All 31 rows are Token: SeDebugPrivilege.
Token: SeDebugPrivilege  2096  DllCommonsvc.exe
Token: SeDebugPrivilege  2332  powershell.exe
Token: SeDebugPrivilege  2264  powershell.exe
Token: SeDebugPrivilege  2772  powershell.exe
Token: SeDebugPrivilege  2976  powershell.exe
Token: SeDebugPrivilege  2632  powershell.exe
Token: SeDebugPrivilege  2200  powershell.exe
Token: SeDebugPrivilege  2172  powershell.exe
Token: SeDebugPrivilege  2860  powershell.exe
Token: SeDebugPrivilege  2060  powershell.exe
Token: SeDebugPrivilege  2920  powershell.exe
Token: SeDebugPrivilege  2820  powershell.exe
Token: SeDebugPrivilege  2656  powershell.exe
Token: SeDebugPrivilege  1944  powershell.exe
Token: SeDebugPrivilege  2748  powershell.exe
Token: SeDebugPrivilege  2476  powershell.exe
Token: SeDebugPrivilege  2816  powershell.exe
Token: SeDebugPrivilege  2760  powershell.exe
Token: SeDebugPrivilege  2648  powershell.exe
Token: SeDebugPrivilege  3008  powershell.exe
Token: SeDebugPrivilege  2524  dwm.exe
Token: SeDebugPrivilege  3876  dwm.exe
Token: SeDebugPrivilege  3016  dwm.exe
Token: SeDebugPrivilege  2020  dwm.exe
Token: SeDebugPrivilege  2016  dwm.exe
Token: SeDebugPrivilege  3468  dwm.exe
Token: SeDebugPrivilege  3820  dwm.exe
Token: SeDebugPrivilege  868  dwm.exe
Token: SeDebugPrivilege  3076  dwm.exe
Token: SeDebugPrivilege  2220  dwm.exe
Token: SeDebugPrivilege  3312  dwm.exe
Suspicious use of WriteProcessMemory 64 IoCs
description  pid  pid_target  Process  procid_target  (events listed)
PID 2372 wrote to memory of 1484  2372  1484  JaffaCakes118_81a5a5bce72f570318031322a9b7786f8ba579b1dccf2c4b79d10a16b2e5d6a5.exe  30  (4)
PID 1484 wrote to memory of 1688  1484  1688  WScript.exe  31  (4)
PID 1688 wrote to memory of 2096  1688  2096  cmd.exe  33  (4)
PID 2096 wrote to memory of 2332  2096  2332  DllCommonsvc.exe  89  (3)
PID 2096 wrote to memory of 2060  2096  2060  DllCommonsvc.exe  90  (3)
PID 2096 wrote to memory of 2920  2096  2920  DllCommonsvc.exe  91  (3)
PID 2096 wrote to memory of 3008  2096  3008  DllCommonsvc.exe  93  (3)
PID 2096 wrote to memory of 2476  2096  2476  DllCommonsvc.exe  95  (3)
PID 2096 wrote to memory of 2820  2096  2820  DllCommonsvc.exe  96  (3)
PID 2096 wrote to memory of 2760  2096  2760  DllCommonsvc.exe  97  (3)
PID 2096 wrote to memory of 2264  2096  2264  DllCommonsvc.exe  98  (3)
PID 2096 wrote to memory of 2656  2096  2656  DllCommonsvc.exe  99  (3)
PID 2096 wrote to memory of 2976  2096  2976  DllCommonsvc.exe  100  (3)
PID 2096 wrote to memory of 2816  2096  2816  DllCommonsvc.exe  101  (3)
PID 2096 wrote to memory of 2772  2096  2772  DllCommonsvc.exe  102  (3)
PID 2096 wrote to memory of 2860  2096  2860  DllCommonsvc.exe  103  (3)
PID 2096 wrote to memory of 2648  2096  2648  DllCommonsvc.exe  104  (3)
PID 2096 wrote to memory of 2172  2096  2172  DllCommonsvc.exe  106  (3)
PID 2096 wrote to memory of 2748  2096  2748  DllCommonsvc.exe  107  (3)
PID 2096 wrote to memory of 1944  2096  1944  DllCommonsvc.exe  108  (3)
PID 2096 wrote to memory of 2200  2096  2200  DllCommonsvc.exe  109  (1; the listing stops at the 64-IoC cut-off)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Level numbers below follow the nesting depth of the original tree. The Level 2 and Level 3 images resolve to SysWOW64 although their command lines name System32: the dropper is a 32-bit process, so WOW64 file-system redirection serves its children from SysWOW64.

Level 1: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_81a5a5bce72f570318031322a9b7786f8ba579b1dccf2c4b79d10a16b2e5d6a5.exe
  Command: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_81a5a5bce72f570318031322a9b7786f8ba579b1dccf2c4b79d10a16b2e5d6a5.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2372
Level 2: C:\Windows\SysWOW64\WScript.exe
  Command: "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1484
Level 3: C:\Windows\SysWOW64\cmd.exe
  Command: cmd /c ""C:\providercommon\1zu9dW.bat" "
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1688
Level 4: C:\providercommon\DllCommonsvc.exe
  Command: "C:\providercommon\DllCommonsvc.exe"
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2096
All 19 powershell.exe entries below are Level 5 children of DllCommonsvc.exe (PID 2096), run the same image, C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, and carry the same three signatures:
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
Only the PID and the excluded path differ:
  PID:2332  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
  PID:2060  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\smss.exe'
  PID:2920  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\csrss.exe'
  PID:3008  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\lsass.exe'
  PID:2476  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\sppsvc.exe'
  PID:2820  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Internet Explorer\images\System.exe'
  PID:2760  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\conhost.exe'
  PID:2264  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\conhost.exe'
  PID:2656  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\winlogon.exe'
  PID:2976  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Idle.exe'
  PID:2816  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Prefetch\ReadyBoot\dllhost.exe'
  PID:2772  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\BitLockerDiscoveryVolumeContents\dwm.exe'
  PID:2860  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\spoolsv.exe'
  PID:2648  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\ja-JP\System.exe'
  PID:2172  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ShellNew\conhost.exe'
  PID:2748  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\dwm.exe'
  PID:1944  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\addins\audiodg.exe'
  PID:2200  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\smss.exe'
  PID:2632  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ShellNew\smss.exe'
The rest of the tree is one loop repeated: dwm.exe (the copy DllCommonsvc.exe dropped in C:\Windows\BitLockerDiscoveryVolumeContents) runs cmd /C on a batch file in the user's Temp directory; the batch runs w32tm /stripchart against localhost, which takes two samples five seconds apart and so serves only as a short sleep, not as time synchronisation; the batch then starts the same dwm.exe again, which repeats the cycle. Ten batch files and eleven dwm.exe instances appear before the run ends. Every dwm.exe entry carries the same three signatures:
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
The cmd.exe and w32tm.exe entries carry none. PIDs are reused within the run (1688 is the Level 3 cmd.exe and later the Level 13 w32tm.exe; 868 and 2220 are both schtasks.exe and dwm.exe PIDs), so correlate on PID together with start time, never on PID alone.

Level 5: C:\Windows\BitLockerDiscoveryVolumeContents\dwm.exe
  Command: "C:\Windows\BitLockerDiscoveryVolumeContents\dwm.exe"
  PID:2524
Level 6: C:\Windows\System32\cmd.exe
  Command: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fELEOgu8eF.bat"
  PID:3804
Level 7: C:\Windows\system32\w32tm.exe
  Command: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID:3836
Level 7: C:\Windows\BitLockerDiscoveryVolumeContents\dwm.exe
  Command: "C:\Windows\BitLockerDiscoveryVolumeContents\dwm.exe"
  PID:3876
Level 8: C:\Windows\System32\cmd.exe
  Command: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ELjGFNzRMY.bat"
  PID:3096
Level 9: C:\Windows\system32\w32tm.exe
  Command: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID:3144
Level 9: C:\Windows\BitLockerDiscoveryVolumeContents\dwm.exe
  Command: "C:\Windows\BitLockerDiscoveryVolumeContents\dwm.exe"
  PID:3016
Level 10: C:\Windows\System32\cmd.exe
  Command: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZAtO29mfgG.bat"
  PID:3348
Level 11: C:\Windows\system32\w32tm.exe
  Command: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID:2964
Level 11: C:\Windows\BitLockerDiscoveryVolumeContents\dwm.exe
  Command: "C:\Windows\BitLockerDiscoveryVolumeContents\dwm.exe"
  PID:2020
Level 12: C:\Windows\System32\cmd.exe
  Command: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RId7nS4uU7.bat"
  PID:1124
Level 13: C:\Windows\system32\w32tm.exe
  Command: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID:1688
Level 13: C:\Windows\BitLockerDiscoveryVolumeContents\dwm.exe
  Command: "C:\Windows\BitLockerDiscoveryVolumeContents\dwm.exe"
  PID:2016
Level 14: C:\Windows\System32\cmd.exe
  Command: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FjqlTNZm6T.bat"
  PID:2612
Level 15: C:\Windows\system32\w32tm.exe
  Command: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID:2880
Level 15: C:\Windows\BitLockerDiscoveryVolumeContents\dwm.exe
  Command: "C:\Windows\BitLockerDiscoveryVolumeContents\dwm.exe"
  PID:3468
Level 16: C:\Windows\System32\cmd.exe
  Command: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zAqEIlSfAD.bat"
  PID:3688
Level 17: C:\Windows\system32\w32tm.exe
  Command: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID:3708
Level 17: C:\Windows\BitLockerDiscoveryVolumeContents\dwm.exe
  Command: "C:\Windows\BitLockerDiscoveryVolumeContents\dwm.exe"
  PID:3820
Level 18: C:\Windows\System32\cmd.exe
  Command: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Kq4mDwN7mD.bat"
  PID:2600
Level 19: C:\Windows\system32\w32tm.exe
  Command: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID:1556
Level 19: C:\Windows\BitLockerDiscoveryVolumeContents\dwm.exe
  Command: "C:\Windows\BitLockerDiscoveryVolumeContents\dwm.exe"
  PID:868
Level 20: C:\Windows\System32\cmd.exe
  Command: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xZLz5Ote6t.bat"
  PID:2392
Level 21: C:\Windows\system32\w32tm.exe
  Command: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID:772
Level 21: C:\Windows\BitLockerDiscoveryVolumeContents\dwm.exe
  Command: "C:\Windows\BitLockerDiscoveryVolumeContents\dwm.exe"
  PID:3076
Level 22: C:\Windows\System32\cmd.exe
  Command: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zHC6P4FzNT.bat"
  PID:2248
Level 23: C:\Windows\system32\w32tm.exe
  Command: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID:2588
Level 23: C:\Windows\BitLockerDiscoveryVolumeContents\dwm.exe
  Command: "C:\Windows\BitLockerDiscoveryVolumeContents\dwm.exe"
  PID:2220
Level 24: C:\Windows\System32\cmd.exe
  Command: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uVUt9EuWwA.bat"
  PID:3220
Level 25: C:\Windows\system32\w32tm.exe
  Command: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID:1268
Level 25: C:\Windows\BitLockerDiscoveryVolumeContents\dwm.exe
  Command: "C:\Windows\BitLockerDiscoveryVolumeContents\dwm.exe"
  PID:3312
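The dwm.exe chain above is a recognisable shape regardless of the file names involved: a process runs cmd /C on a batch file in Temp, the batch uses w32tm against localhost as a delay, then starts its own parent's image again. The following Python, added here as a worked example and not part of the sandbox report or of the sample, encodes that shape as a rule over process-creation records. The records are the first two iterations of the loop above plus one constructed benign case; the field names (pid, ppid, image, cmdline) are this example's own. It keys on PID for brevity, which is safe for this short excerpt but not in general, since the full run reuses PIDs (1688 is a cmd.exe and later a w32tm.exe); a production version should key on a process GUID or on (pid, start time).

```python
"""Spot the batch-file relaunch loop visible in the process tree: a dropped
executable runs cmd /C on a .bat in %TEMP%, the batch calls
w32tm /stripchart against localhost purely as a delay, then starts the same
executable again.

Added example for this report; not the sandbox's or the sample's code.
The process records are the first two iterations of the loop plus a
constructed benign case; field names (pid, ppid, image, cmdline) are this
example's own. PIDs are used as keys for brevity only; the full run reuses
PIDs, so key on a process GUID or (pid, start time) in real telemetry.
"""
import re

# w32tm contacting localhost with a short stripchart is a sleep substitute.
W32TM_SLEEP = re.compile(r"w32tm(\.exe)?\s+/stripchart\s+/computer:localhost\b", re.I)
# cmd /C on a batch file under the user's Temp directory.
TEMP_BAT = re.compile(r'\\AppData\\Local\\Temp\\[^"\\]+\.bat\b', re.I)


def find_relaunch_loops(procs):
    """Return [(parent_pid, cmd_pid, relaunched_pid)] for every cmd.exe that
    (a) runs a .bat from Temp, (b) has a localhost w32tm stripchart child and
    (c) has a child whose image is the same file as cmd's own parent."""
    by_pid = {p["pid"]: p for p in procs}
    children = {}
    for p in procs:
        children.setdefault(p["ppid"], []).append(p)
    hits = []
    for cmd in procs:
        if not cmd["image"].lower().endswith("\\cmd.exe"):
            continue
        if not TEMP_BAT.search(cmd["cmdline"]):
            continue
        parent = by_pid.get(cmd["ppid"])
        if parent is None:
            continue
        kids = children.get(cmd["pid"], [])
        sleeps = [k for k in kids if W32TM_SLEEP.search(k["cmdline"])]
        relaunch = [k for k in kids if k["image"].lower() == parent["image"].lower()]
        if sleeps and relaunch:
            hits.append((parent["pid"], cmd["pid"], relaunch[0]["pid"]))
    return hits


DWM = r"C:\Windows\BitLockerDiscoveryVolumeContents\dwm.exe"
CMD = r"C:\Windows\System32\cmd.exe"
W32TM = r"C:\Windows\system32\w32tm.exe"
SLEEP_CMD = "w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2"

# First two loop iterations from the tree, then a constructed benign case in
# which a script really does query a time server and relaunches nothing.
PROCS = [
    {"pid": 2524, "ppid": 2096, "image": DWM, "cmdline": f'"{DWM}"'},
    {"pid": 3804, "ppid": 2524, "image": CMD,
     "cmdline": f'"{CMD}" /C "C:\\Users\\Admin\\AppData\\Local\\Temp\\fELEOgu8eF.bat"'},
    {"pid": 3836, "ppid": 3804, "image": W32TM, "cmdline": SLEEP_CMD},
    {"pid": 3876, "ppid": 3804, "image": DWM, "cmdline": f'"{DWM}"'},
    {"pid": 3096, "ppid": 3876, "image": CMD,
     "cmdline": f'"{CMD}" /C "C:\\Users\\Admin\\AppData\\Local\\Temp\\ELjGFNzRMY.bat"'},
    {"pid": 3144, "ppid": 3096, "image": W32TM, "cmdline": SLEEP_CMD},
    {"pid": 3016, "ppid": 3096, "image": DWM, "cmdline": f'"{DWM}"'},
    {"pid": 4999, "ppid": 1000, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 5000, "ppid": 4999, "image": CMD,
     "cmdline": f'"{CMD}" /C "C:\\Users\\Admin\\AppData\\Local\\Temp\\checktime.bat"'},
    {"pid": 5001, "ppid": 5000, "image": W32TM,
     "cmdline": "w32tm /stripchart /computer:time.windows.com /samples:2"},
]

if __name__ == "__main__":
    for parent, cmd, child in find_relaunch_loops(PROCS):
        print(f"relaunch loop: {parent} -> cmd {cmd} -> {child}")
```

The rule deliberately requires all three parts (Temp batch, localhost stripchart, relaunch of the parent's image) so that a script that genuinely checks a time server, as in the benign record, does not fire.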
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\smss.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2788
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\smss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3004
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\smss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2912
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\csrss.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2652
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2804
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1948
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\lsass.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2672
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2752
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2012
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\providercommon\sppsvc.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1684
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:888
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2116
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Program Files\Internet Explorer\images\System.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2072
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\images\System.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1904
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Program Files\Internet Explorer\images\System.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1620
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\conhost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1164
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\conhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2960
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\conhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2948
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\providercommon\conhost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2308
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1244
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1268
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Program Files\Java\winlogon.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2220
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Java\winlogon.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2468
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Program Files\Java\winlogon.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2252
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Idle.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1124
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:536
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2596
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Windows\Prefetch\ReadyBoot\dllhost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:620
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Prefetch\ReadyBoot\dllhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1464
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Windows\Prefetch\ReadyBoot\dllhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1080
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\dwm.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:832
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\dwm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2064
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\dwm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1852
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\providercommon\spoolsv.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1360
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2184
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2516
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\System.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1516
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\System.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1712
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\System.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1708
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Windows\ShellNew\conhost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:876
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\ShellNew\conhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:548
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Windows\ShellNew\conhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1968
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\dwm.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2268
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\dwm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2408
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\dwm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:868
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Windows\addins\audiodg.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2404
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\addins\audiodg.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2032
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Windows\addins\audiodg.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2456
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\smss.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1560
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2360
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2716
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Windows\ShellNew\smss.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2564
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\ShellNew\smss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1084
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Windows\ShellNew\smss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:300
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: da2102c4810ccccf3a30087ae53bc2df
SHA1: 6af53a98463a13ef5c3a63fde875cc75bc1a03b9
SHA256: 40f46b378d6f464d697221095c5353f5ec757f359260e4e15e8477397b39e2ad
SHA512: adb2571486c008b33e8562e19901550db18b8ee25fbd2d83f82826e149792314e824a7aa2b83b7cdc33581fde4bae83e1e27d37abd7273ab7b0410005e6cf997
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 0297849132582d4ceaafa85fdcca5237
SHA1: 88d98c173540632e9e6ab52d44b3a272b181598e
SHA256: de8f26dc1b3418e84d8e0fcf34e321ccc5baa921e91b3e90a0a3aaf270bc447a
SHA512: 4db75a61c9a5d0682c9e8f64705b1a35ab17912a2d3f337fdebf6f4568d99f637726295dbc479a939681ec86829f961f209fa391855c8b21e839165c62a7b55e
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: d4f796c733e6e15c9c62958bce099d05
SHA1: 25a8d0335fe36f534c4a886acf039112c255c455
SHA256: 3768c37c71dbb061e70a14c719d96e90bbf9c80cfb8f67d9a3f183641e783e40
SHA512: 318e0a77a34dc5f75d59bf812e9d2c1948de11c036688aed48ad90a2884c01b8822ad75d4abacee6707ff57b791a6d2267ae451f7646819aaa123001d008d4f0
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 3ea7e70893bb6687a35a45225b9298d7
SHA1: 2855127da28a195ff02cd02ab0d7d4c983b22bfa
SHA256: 07ca822f7649dc202bf2ec741e4301c642ff4d92ab4f6ed99d941126716827ce
SHA512: fc33c83d3e826c7234223dff97b486946240dc67d7fb277c4b942caef19649b43a69ce7f467d4b3cfbab0289298d922daac76bb4614f5254285b52ac7583b7ae
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: c5da8241e686cfca7b7195315191e359
SHA1: 7dd4a196ab4a429ec646968dd45ebc9a0b6e3bf5
SHA256: 924eece126f2386efc4349a6160238d3045fcd39853413eaa0eef5ef7feedc8d
SHA512: 43e0de4558e84e2b2aa3d868c53da6a9667975e0c98acee04221e681e4cfb0b30e311843c1abc66d394d01ad9c327a25357ad5070f32e05750e2dd1f2472b9a8
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 74c61a01f7e28a03e856f4c42308efc6
SHA1: 44f54ad4bf66db9f92f0c7c340c11960673b0793
SHA256: 99a3fc5f2e3bc557de82dd58d8a96ab65d41eb76b3c6d185aed832730a946ce4
SHA512: c930fc2cb34116afa49c03e830821eb0a5def89ed3c5d076376f252522083f14720d623eecdd7a323dd782bb09aa759cd6be23a0f4799f6b2309b2470b492233
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: f07e003b37ac41d23a88655a54f6356b
SHA1: 1224e5ecd1a74b8a66e162902fdf139a39ef72f6
SHA256: f8e7c0c3a1d5684a1f4cd6209118e2b81d3f9142e4d655d7e8803722240734b7
SHA512: 31c29608b59d4c2a1fc79bd1aaa4bb1768d7659477a012e46d6f74616699d399bad0abd76cef42997a6ee5150b0e9c679d48ef03a4f2cc5b8c584e8557d0696b
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: bd9b7c7db4756bfc9e740d7604993045
SHA1: ad4f3254fa442dc173c460ebbcc9d62d4c0f5218
SHA256: 101e7ff7c1db90d08a132c3374058f8674744e61d4f2f2b6737faaa999a60426
SHA512: e0cfa39f848662e77027f44c8b6936bf637373112bb31b0988bed95ee750c6fa423ac94cbf92a78482ff89993e6c6573312e4361c645c12b982731fba5d90ef6
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: cffa744045db22410bbb22f4b4367afb
SHA1: 22bccdd65901648ab0457e66cbbc193c2fc27650
SHA256: f0f04ef002055a4deb4145ddb4127ebabcd6f2497652e28aee4aec7e3bc1748a
SHA512: c8d2c844840c005ea42530bdf6e481c88fbd54c777dc7bd466a2ac29559add124269bc9a4be59d3649f4d9e96ee1fe5074505cda8728263a940ec53923a61767
-
Filesize: 70KB
MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1: 1723be06719828dda65ad804298d0431f6aff976
SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize: 216B
MD5: 2dbc40f54d10700c9cd21f5aad653d32
SHA1: bff6358e2a4d3572691fb519aec5dc71a7e9c899
SHA256: 19286a867777d6cdbb29af536caf3775161896d4fd1c59cf8e9268fbc30fd96d
SHA512: c6161771d04b75e1299c00f86b9de349b3fda44b3c78745bd1d5d407b66bfab2e5d742d6bd8e2c8e5883e160a69477c6b355ad38e85c2c7b65387ec39a87c2d8
-
Filesize: 216B
MD5: cd788331c0194e60345c4bdddeab482c
SHA1: 2e8c760c1f948ddd595e2de35e7da122fc8bbff5
SHA256: 80d25f19ebb52ecce030460b1c09f32f411dc4cb03a6ad5a88f1ec20e594059c
SHA512: 17a55f8a4442309989b65cf56320653e81ebed83b083dc5ea479866063f981733701ce03f1c87b5d5780e76375e5d0c55f6e4b0feafc336c0596e4b981a8b832
-
Filesize: 216B
MD5: 0c6719cdb5f23c6f64940860c52dea54
SHA1: 5edfa302fb8606c8f03f7611cc707cb1bd7c71bc
SHA256: ca4dd9c96d046cdeb4b21a52bddbd70b9c30de974751b544937547804f87c584
SHA512: 4ce10ac6af1874def9f5243192f242f8ba0fd158a17a9d091c711747b845ba234df14a13816ae29e694066b8e75d4a1d7c1137ffe61f30a0339d9956382aeea1
-
Filesize: 216B
MD5: d5d1364b02ffa5cc31b451612785d991
SHA1: cae1d87127586607cfa7ee93141dddd90851c473
SHA256: eaa1ed254b3c022d90141d40f18ed3ecfee143bdc7fff717df28b893571862a1
SHA512: 8c763852ccaf227a69ba47ef362b9784b3e133abe3250ff1c67058a4f1de8cd09085ca44ddb5d635659687d33d4d78845bf98b370c6b4aa5c5c3182da399ca37
-
Filesize: 181KB
MD5: 4ea6026cf93ec6338144661bf1202cd1
SHA1: a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256: 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512: 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize: 216B
MD5: 113283e68801317882c372196df507ed
SHA1: 7c181ed91b372cc8d74eb99646469447fc970ba4
SHA256: f23d6083e047c03c06d8a0284ddd5a4f94034b26e058fccd548c5ac11596fef9
SHA512: 178faff86b396d3592e1127656a9f5ca5cae7c35905e364c20eaacfb551fcbe7b787b45143a4a696fa5c7dfff68c9868adafed9b042da5dec4589c6cccd7456a
-
Filesize: 216B
MD5: e1293437215700de5a28e634b97d0436
SHA1: af43cc1425ec1d4ddf61c0cf619b09daa11984ae
SHA256: 4abc267d9ae43686962149c21c8eebe5925a86f152c6ad93bf7bc8e2f1c92b28
SHA512: 9930f992206f44add7f67e924cecf86439d0bb168168ba7870017ee69b419c4f222ddbc6b94b91965ba1f7f4c9ba28678417a2f8cc9ec4c58aa8714be383e5a1
-
Filesize: 216B
MD5: a1bde383caa5ffc938e5fd03e1848c40
SHA1: aa4c5a8e0dfb9991f9f8273e1decf9eba32b4624
SHA256: a8cbfc03d40a0ec0e2cf09594ce81190e560cbb4f944ccba76ee69a68fab5d9d
SHA512: f9394ec1cab821fddd9ad66869c71a383426c396b0b782820c40f22a2527da3f437b596a42325bb1cb61b9758cb23652f7aa20f6aa2758df97d875f659d8d9d5
-
Filesize: 216B
MD5: 236fc998ccd9dcf461886fdb3dda24db
SHA1: c821507313f9bd861ce264c11adac889a73480ce
SHA256: ad87cb32c538c55ef9a4e94a9d0e807db1ba2f5c3237e614ea778fbc9adfb12f
SHA512: 3a65e612e6206c87898c1c9d3342a27174583f4d92d82aa467166ed3e7bf3b5ba968f178fb20f37b130535a2042bed8433ef7c115ed0679cb186886b20d6d228
-
Filesize: 216B
MD5: 0274a29ce134a487d61355974c288dce
SHA1: 36dfdc3d70bc1b283141d06a36f95731d452be4e
SHA256: f191c23e6a67ce4f202e1503f7fc49cbffe2457f9b7b5afa028fd0c4470e76f8
SHA512: 795ebff8e39c681b4caa1018784cd6ea1290edb51ba4bb831f49ce90a94c709a6293bb536bdb81dea285f0d3ab2d580639d11a509a4ad6a5cf2d61dfc763b6bf
-
Filesize: 216B
MD5: 73a620cb1e68dcca7ef98444b44e293a
SHA1: 1dd89176f02de97d49ad4ebfae791c05ca46b787
SHA256: a351a9bd453f328c0212c5f54ef012d49ec64795d5a36fdbe66987a2950d5d0c
SHA512: b76c5f8b41f267bdf94cd115f85e013f1d7bd13526793cfa5fb7c076dc0bcdf52fc3625fcd57d88100ebc1def613e23bbe50fca104e25a2f748f9f0bf6a6d604
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize: 7KB
MD5: a325046d10d140ae068e1567ab2b63f1
SHA1: 7148a19809a5bb7af42af73bfa3afeccfb3cabc6
SHA256: 3c33a1b3b309720862391dbd3f82a6d749f7842bc658c775691dfa962e4f87f6
SHA512: 951bab629f1f8e1ce3e5d3b1572bc683a3c71fbb8d658711c9c5a3f6512c9d3f203fa090083760d6f714a4765439a91ba06010a0393f33da763fb43463019cec
-
Filesize: 36B
MD5: 6783c3ee07c7d151ceac57f1f9c8bed7
SHA1: 17468f98f95bf504cc1f83c49e49a78526b3ea03
SHA256: 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512: c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8
-
Filesize: 197B
MD5: 8088241160261560a02c84025d107592
SHA1: 083121f7027557570994c9fc211df61730455bb5
SHA256: 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA512: 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478
-
Filesize: 1.0MB
MD5: bd31e94b4143c4ce49c17d3af46bcad0
SHA1: f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256: b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512: f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394