Analysis
max time kernel: 147s
max time network: 148s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 30/12/2024, 17:18
Behavioral task: behavioral1
Sample: JaffaCakes118_53013a92b256bcfd66482ac39b057d33f95e740d2c77018c63e56e0c3d56c148.exe
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: JaffaCakes118_53013a92b256bcfd66482ac39b057d33f95e740d2c77018c63e56e0c3d56c148.exe
Resource: win10v2004-20241007-en
General
Target: JaffaCakes118_53013a92b256bcfd66482ac39b057d33f95e740d2c77018c63e56e0c3d56c148.exe
Size: 1.3MB
MD5: 6f7c3fe391e2b4dfaad4f333373ab8dc
SHA1: 856ed009339a43045a91f2db0716c2f2d7b9d76d
SHA256: 53013a92b256bcfd66482ac39b057d33f95e740d2c77018c63e56e0c3d56c148
SHA512: d2e9b36623c7d7380245291888d95aa5e9218feca656ffba77dd08d1ffc2f5a5e73f4ccbc181f631c29de65a4f505c82ae6510e73b0ed7927a90b433033bdf2b
SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config

Signatures

DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.

Dcrat family
Process spawned unexpected child process (57 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
Parent C:\Windows\system32\wbem\wmiprvse.exe (pid 2888) is not expected to spawn this process. In all 57 rows the spawned process is schtasks.exe with procid_target 35; the child pids are: 2908, 948, 1564, 2604, 1860, 2224, 2212, 1656, 1924, 2916, 2360, 316, 2644, 2860, 2408, 1816, 1552, 1920, 2940, 1664, 2956, 2904, 2404, 2268, 2176, 3064, 2160, 1084, 3024, 2972, 1532, 1528, 1224, 2084, 1936, 828, 824, 1520, 564, 3028, 2080, 2140, 556, 1324, 2352, 804, 1416, 304, 2440, 2348, 2344, 1632, 2332, 1492, 2292, 2716, 2736.
resource / yara_rule:
behavioral1/files/0x0008000000016d46-12.dat: dcrat
behavioral1/memory/2728-13-0x0000000000E70000-0x0000000000F80000-memory.dmp: dcrat
behavioral1/memory/1888-141-0x00000000002D0000-0x00000000003E0000-memory.dmp: dcrat
behavioral1/memory/324-200-0x0000000000CA0000-0x0000000000DB0000-memory.dmp: dcrat
behavioral1/memory/1556-260-0x00000000012D0000-0x00000000013E0000-memory.dmp: dcrat
behavioral1/memory/2908-438-0x00000000002A0000-0x00000000003B0000-memory.dmp: dcrat
behavioral1/memory/2024-498-0x0000000000350000-0x0000000000460000-memory.dmp: dcrat
behavioral1/memory/2392-559-0x0000000000C70000-0x0000000000D80000-memory.dmp: dcrat
behavioral1/memory/3004-619-0x0000000001000000-0x0000000001110000-memory.dmp: dcrat
Command and Scripting Interpreter: PowerShell (1 TTPs, 20 IoCs)
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
powershell.exe pids: 2708, 2804, 2792, 2604, 2664, 1912, 2340, 584, 2588, 2444, 2224, 2636, 2712, 2584, 2228, 1852, 2816, 2908, 2632, 2864
Executes dropped EXE (10 IoCs)
pid / Process: 2728 DllCommonsvc.exe; 1888 wininit.exe; 324 wininit.exe; 1556 wininit.exe; 1896 wininit.exe; 2452 wininit.exe; 2908 wininit.exe; 2024 wininit.exe; 2392 wininit.exe; 3004 wininit.exe
Loads dropped DLL (2 IoCs)
pid / Process: 1392 cmd.exe; 1392 cmd.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 10 IoCs)
flow / ioc: raw.githubusercontent.com, seen in flows 5, 16, 19, 23, 26, 33, 4, 9, 12, 30
Drops file in Program Files directory (20 IoCs)
Files created by DllCommonsvc.exe:
- C:\Program Files\DVD Maker\it-IT\audiodg.exe
- C:\Program Files (x86)\Windows Media Player\Media Renderer\csrss.exe
- C:\Program Files (x86)\Windows NT\audiodg.exe
- C:\Program Files (x86)\Common Files\System\conhost.exe
- C:\Program Files (x86)\Common Files\System\088424020bedd6
- C:\Program Files (x86)\Microsoft Sync Framework\v1.0\5940a34987c991
- C:\Program Files\Windows Journal\ja-JP\56085415360792
- C:\Program Files (x86)\Windows Defender\27d1bcfc3c54e0
- C:\Program Files\Java\jre7\bin\56085415360792
- C:\Program Files\Java\jre7\bin\wininit.exe
- C:\Program Files (x86)\Windows Media Player\Media Renderer\886983d96e3d3e
- C:\Program Files\7-Zip\Lang\dwm.exe
- C:\Program Files\7-Zip\Lang\6cb0b6c459d5d3
- C:\Program Files (x86)\Windows NT\42af1c969fbb7b
- C:\Program Files\Windows Journal\ja-JP\wininit.exe
- C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\explorer.exe
- C:\Program Files (x86)\Microsoft Sync Framework\v1.0\dllhost.exe
- C:\Program Files (x86)\Windows Defender\System.exe
- C:\Program Files\DVD Maker\it-IT\42af1c969fbb7b
- C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\7a0fd90576e088
Drops file in Windows directory (10 IoCs)
Files created by DllCommonsvc.exe:
- C:\Windows\Panther\WMIADAP.exe
- C:\Windows\Panther\75a57c1bdf437c
- C:\Windows\DigitalLocker\ja-JP\OSPPSVC.exe
- C:\Windows\DigitalLocker\ja-JP\1610b97d3ab4a7
- C:\Windows\Boot\Fonts\System.exe
- C:\Windows\TAPI\cmd.exe
- C:\Windows\TAPI\ebf1f9fa8afd6d
- C:\Windows\Performance\WinSAT\DataStore\audiodg.exe
- C:\Windows\Performance\WinSAT\DataStore\42af1c969fbb7b
- C:\Windows\diagnostics\index\sppsvc.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by: JaffaCakes118_53013a92b256bcfd66482ac39b057d33f95e740d2c77018c63e56e0c3d56c148.exe; WScript.exe; cmd.exe
Scheduled Task/Job: Scheduled Task (1 TTPs, 57 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
schtasks.exe pids: 3024, 2972, 1632, 1532, 556, 2736, 2212, 316, 2940, 1324, 2352, 2084, 2344, 2176, 828, 2268, 2080, 804, 1492, 2160, 1936, 564, 1924, 2644, 1552, 2904, 3064, 2332, 948, 1564, 2916, 824, 2908, 1860, 1656, 2404, 1528, 3028, 2860, 1920, 304, 1664, 2956, 1084, 2604, 2408, 2348, 2292, 2224, 2360, 1816, 1224, 1416, 1520, 2140, 2440, 2716
Suspicious behavior: EnumeratesProcesses (32 IoCs)
pid / Process:
- DllCommonsvc.exe: 2728 (3 rows)
- powershell.exe: 2588, 2584, 2340, 2792, 1852, 2632, 2664, 2816, 2224, 1912, 2444, 584, 2804, 2712, 2864, 2708, 2908, 2604, 2228, 2636
- wininit.exe: 1888, 324, 1556, 1896, 2452, 2908, 2024, 2392, 3004
Suspicious use of AdjustPrivilegeToken (30 IoCs)
Token: SeDebugPrivilege in every row; pid / Process:
- DllCommonsvc.exe: 2728
- powershell.exe: 2588, 2584, 2340, 2792, 1852, 2632, 2664, 2816, 2224, 1912, 2444, 584, 2804, 2712, 2864, 2708, 2908, 2604, 2228, 2636
- wininit.exe: 1888, 324, 1556, 1896, 2452, 2908, 2024, 2392, 3004
Suspicious use of WriteProcessMemory (64 IoCs)
Columns: source PID -> target PID, source Process, procid_target (repeated rows are counted):
- 840 -> 2124, JaffaCakes118_53013a92b256bcfd66482ac39b057d33f95e740d2c77018c63e56e0c3d56c148.exe, 30 (4 rows)
- 2124 -> 1392, WScript.exe, 32 (4 rows)
- 1392 -> 2728, cmd.exe, 34 (4 rows)
- 2728 -> 2444, DllCommonsvc.exe, 93 (3 rows)
- 2728 -> 2864, DllCommonsvc.exe, 94 (3 rows)
- 2728 -> 2804, DllCommonsvc.exe, 95 (3 rows)
- 2728 -> 2584, DllCommonsvc.exe, 97 (3 rows)
- 2728 -> 2588, DllCommonsvc.exe, 98 (3 rows)
- 2728 -> 2708, DllCommonsvc.exe, 99 (3 rows)
- 2728 -> 584, DllCommonsvc.exe, 101 (3 rows)
- 2728 -> 2632, DllCommonsvc.exe, 102 (3 rows)
- 2728 -> 2908, DllCommonsvc.exe, 103 (3 rows)
- 2728 -> 2712, DllCommonsvc.exe, 105 (3 rows)
- 2728 -> 2340, DllCommonsvc.exe, 107 (3 rows)
- 2728 -> 2636, DllCommonsvc.exe, 108 (3 rows)
- 2728 -> 2816, DllCommonsvc.exe, 110 (3 rows)
- 2728 -> 1852, DllCommonsvc.exe, 111 (3 rows)
- 2728 -> 2792, DllCommonsvc.exe, 113 (3 rows)
- 2728 -> 2228, DllCommonsvc.exe, 115 (3 rows)
- 2728 -> 2224, DllCommonsvc.exe, 116 (3 rows)
- 2728 -> 2664, DllCommonsvc.exe, 118 (1 row)
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
(Each entry gives the tree depth, the image path, the command line, the signatures matched and the PID; an entry at depth N is a child of the preceding entry at depth N-1.)

Depth 1: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_53013a92b256bcfd66482ac39b057d33f95e740d2c77018c63e56e0c3d56c148.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_53013a92b256bcfd66482ac39b057d33f95e740d2c77018c63e56e0c3d56c148.exe"
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 840

Depth 2: C:\Windows\SysWOW64\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 2124

Depth 3: C:\Windows\SysWOW64\cmd.exe
Command line: cmd /c ""C:\providercommon\1zu9dW.bat" "
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 1392

Depth 4: C:\providercommon\DllCommonsvc.exe
Command line: "C:\providercommon\DllCommonsvc.exe"
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 2728

Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2444

Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\services.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2864

Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\audiodg.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2804

Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\sppsvc.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2584

Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Panther\WMIADAP.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2588

Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Desktop\audiodg.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2708

Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\DigitalLocker\ja-JP\OSPPSVC.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 584

Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Performance\WinSAT\DataStore\audiodg.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2632

Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Journal\ja-JP\wininit.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2908

Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\System\conhost.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2712

Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\spoolsv.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2340

Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\System.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2636

Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\WmiPrvSE.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2816

Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\DVD Maker\it-IT\audiodg.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1852

Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\explorer.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2792

Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\TAPI\cmd.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2228

Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\jre7\bin\wininit.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2224

Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Media Player\Media Renderer\csrss.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2664

Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\7-Zip\Lang\dwm.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2604

Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\dllhost.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1912

Depth 5: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Jh0m6liFr2.bat"
PID: 1552

Depth 6: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 1452

Depth 6: C:\Program Files\Windows Journal\ja-JP\wininit.exe
Command line: "C:\Program Files\Windows Journal\ja-JP\wininit.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1888

Depth 7: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\arqkgCRh4V.bat"
PID: 2236

Depth 8: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 1200

Depth 8: C:\Program Files\Windows Journal\ja-JP\wininit.exe
Command line: "C:\Program Files\Windows Journal\ja-JP\wininit.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 324

Depth 9: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DhSpfyjZaR.bat"
PID: 2824

Depth 10: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 2572

Depth 10: C:\Program Files\Windows Journal\ja-JP\wininit.exe
Command line: "C:\Program Files\Windows Journal\ja-JP\wininit.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1556

Depth 11: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GQn77QEoUi.bat"
PID: 1452

Depth 12: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 1604

Depth 12: C:\Program Files\Windows Journal\ja-JP\wininit.exe
Command line: "C:\Program Files\Windows Journal\ja-JP\wininit.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1896

Depth 13: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xB9FX11cFJ.bat"
PID: 1380

Depth 14: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 2108

Depth 14: C:\Program Files\Windows Journal\ja-JP\wininit.exe
Command line: "C:\Program Files\Windows Journal\ja-JP\wininit.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2452

Depth 15: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\moqrXfpsIj.bat"
PID: 1520

Depth 16: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 304

Depth 16: C:\Program Files\Windows Journal\ja-JP\wininit.exe
Command line: "C:\Program Files\Windows Journal\ja-JP\wininit.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2908

Depth 17: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ww6iFNwlpp.bat"
PID: 572

Depth 18: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 2612

Depth 18: C:\Program Files\Windows Journal\ja-JP\wininit.exe
Command line: "C:\Program Files\Windows Journal\ja-JP\wininit.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2024

Depth 19: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\R5wNYqVH5b.bat"
PID: 2152

Depth 20: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 1920

Depth 20: C:\Program Files\Windows Journal\ja-JP\wininit.exe
Command line: "C:\Program Files\Windows Journal\ja-JP\wininit.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2392

Depth 21: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ER58NgmlZn.bat"
PID: 788

Depth 22: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 2324

Depth 22: C:\Program Files\Windows Journal\ja-JP\wininit.exe
Command line: "C:\Program Files\Windows Journal\ja-JP\wininit.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 3004

Depth 23: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\60iZj2KDpL.bat"
PID: 316

Depth 24: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 2624
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\services.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2908
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:948
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\services.exe'" /rl HIGHEST /f  (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1564
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows NT\audiodg.exe'" /f  (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2604
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\audiodg.exe'" /rl HIGHEST /f  (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1860
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows NT\audiodg.exe'" /rl HIGHEST /f  (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2224
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\sppsvc.exe'" /f  (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2212
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f  (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1656
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f  (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1924
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 9 /tr "'C:\Windows\Panther\WMIADAP.exe'" /f  (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2916
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Windows\Panther\WMIADAP.exe'" /rl HIGHEST /f  (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2360
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 8 /tr "'C:\Windows\Panther\WMIADAP.exe'" /rl HIGHEST /f  (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:316
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Desktop\audiodg.exe'" /f  (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2644
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\Public\Desktop\audiodg.exe'" /rl HIGHEST /f  (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2860
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Desktop\audiodg.exe'" /rl HIGHEST /f  (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2408
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\Windows\DigitalLocker\ja-JP\OSPPSVC.exe'" /f  (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1816
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Windows\DigitalLocker\ja-JP\OSPPSVC.exe'" /rl HIGHEST /f  (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1552
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\Windows\DigitalLocker\ja-JP\OSPPSVC.exe'" /rl HIGHEST /f  (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1920
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\Windows\Performance\WinSAT\DataStore\audiodg.exe'" /f  (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2940
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\Performance\WinSAT\DataStore\audiodg.exe'" /rl HIGHEST /f  (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1664
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Windows\Performance\WinSAT\DataStore\audiodg.exe'" /rl HIGHEST /f  (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2956
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Journal\ja-JP\wininit.exe'" /f  (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2904
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\ja-JP\wininit.exe'" /rl HIGHEST /f  (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2404
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Journal\ja-JP\wininit.exe'" /rl HIGHEST /f  (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2268
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Common Files\System\conhost.exe'" /f  (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2176
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\System\conhost.exe'" /rl HIGHEST /f  (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3064
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Common Files\System\conhost.exe'" /rl HIGHEST /f  (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2160
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\spoolsv.exe'" /f  (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1084
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f  (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3024
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f  (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2972
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Defender\System.exe'" /f  (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1532
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\System.exe'" /rl HIGHEST /f  (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1528
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Defender\System.exe'" /rl HIGHEST /f  (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1224
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\WmiPrvSE.exe'" /f  (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2084
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\WmiPrvSE.exe'" /rl HIGHEST /f  (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1936
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\WmiPrvSE.exe'" /rl HIGHEST /f  (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:828
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Program Files\DVD Maker\it-IT\audiodg.exe'" /f  (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:824
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\it-IT\audiodg.exe'" /rl HIGHEST /f  (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1520
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Program Files\DVD Maker\it-IT\audiodg.exe'" /rl HIGHEST /f  (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:564
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\explorer.exe'" /f  (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3028
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\explorer.exe'" /rl HIGHEST /f  (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2080
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\explorer.exe'" /rl HIGHEST /f  (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2140
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Windows\TAPI\cmd.exe'" /f  (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:556
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\TAPI\cmd.exe'" /rl HIGHEST /f  (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1324
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Windows\TAPI\cmd.exe'" /rl HIGHEST /f  (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2352
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Program Files\Java\jre7\bin\wininit.exe'" /f  (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:804
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Java\jre7\bin\wininit.exe'" /rl HIGHEST /f  (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1416
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Program Files\Java\jre7\bin\wininit.exe'" /rl HIGHEST /f  (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:304
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Media Player\Media Renderer\csrss.exe'" /f  (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2440
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\Media Renderer\csrss.exe'" /rl HIGHEST /f  (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2348
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Media Player\Media Renderer\csrss.exe'" /rl HIGHEST /f  (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2344
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Program Files\7-Zip\Lang\dwm.exe'" /f  (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1632
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\dwm.exe'" /rl HIGHEST /f  (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2332
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Program Files\7-Zip\Lang\dwm.exe'" /rl HIGHEST /f  (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1492
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\dllhost.exe'" /f  (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2292
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\dllhost.exe'" /rl HIGHEST /f  (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2716
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\dllhost.exe'" /rl HIGHEST /f  (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2736
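The 57 schtasks.exe invocations above follow one template per dropped binary: a MINUTE-interval task without a run level, an ONLOGON task at /rl HIGHEST, and a second MINUTE task at /rl HIGHEST, every one named after a Windows system process (services, audiodg, sppsvc, WMIADAP, wininit, csrss, dwm, ...) but pointing at a copy outside that process's real directory, with the interval task's name padded by one repeated letter ("servicess", "audiodga", "WMIADAPW"). The Python below is an added example, not part of the report or of the sample: it parses a subset of those command lines (copied from the report above, image path and depth marker removed), flags the masquerading, run level and short interval, groups the tasks into the per-binary triad, and emits the schtasks /delete commands an analyst would run to remove them. The list of impersonated names and their expected home directories is an assumption made for this example, not something the report states.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Sample input: nine of the schtasks.exe command lines from the report above.
SAMPLE_CMDLINES = r'''
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\services.exe'" /f
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\services.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\services.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows NT\audiodg.exe'" /f
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\audiodg.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows NT\audiodg.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 9 /tr "'C:\Windows\Panther\WMIADAP.exe'" /f
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Windows\Panther\WMIADAP.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 8 /tr "'C:\Windows\Panther\WMIADAP.exe'" /rl HIGHEST /f
'''.strip().splitlines()

# Assumption for this example: names of built-in Windows processes the sample
# impersonates, and the directories a genuine copy lives in. Anything with one
# of these names elsewhere on disk is treated as masquerading.
SYSTEM_NAMES = {
    "services.exe", "audiodg.exe", "sppsvc.exe", "wmiadap.exe", "osppsvc.exe",
    "wininit.exe", "conhost.exe", "spoolsv.exe", "system.exe", "wmiprvse.exe",
    "explorer.exe", "cmd.exe", "csrss.exe", "dwm.exe", "dllhost.exe",
}
DEFAULT_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
EXPECTED_DIR = {
    "explorer.exe": {r"c:\windows"},
    "wmiprvse.exe": {r"c:\windows\system32\wbem", r"c:\windows\syswow64\wbem"},
    "wmiadap.exe": {r"c:\windows\system32\wbem", r"c:\windows\syswow64\wbem"},
}

OPT_RE = re.compile(r'/(tn|sc|mo|tr|rl)\s+("[^"]*"|\S+)', re.IGNORECASE)


def parse_schtasks(cmdline):
    """Pull /tn /sc /mo /tr /rl out of a schtasks /create line. /rl defaults to LIMITED."""
    opts = {k.lower(): v.strip('"') for k, v in OPT_RE.findall(cmdline)}
    return {
        "name": opts.get("tn"),
        "schedule": opts.get("sc", "").upper(),
        "modifier": int(opts["mo"]) if opts.get("mo", "").isdigit() else None,
        "runlevel": opts.get("rl", "LIMITED").upper(),
        "target": opts.get("tr", "").strip("'"),  # the sample double-quotes a single-quoted path
    }


def is_masquerade(target):
    p = PureWindowsPath(target)
    name = p.name.lower()
    if name not in SYSTEM_NAMES:
        return False
    return str(p.parent).lower() not in EXPECTED_DIR.get(name, DEFAULT_DIRS)


def triage(cmdline):
    """Parse one line and attach the flags an analyst cares about."""
    t = parse_schtasks(cmdline)
    flags = []
    if is_masquerade(t["target"]):
        flags.append("masquerade")
    if t["runlevel"] == "HIGHEST":
        flags.append("highest")
    if t["schedule"] == "MINUTE" and t["modifier"] is not None and t["modifier"] <= 15:
        flags.append("minute-beacon")
    t["flags"] = flags
    return t


def persistence_triads(tasks):
    """Targets that received the full interval / logon-HIGHEST / interval-HIGHEST set."""
    kinds = defaultdict(set)
    for t in tasks:
        kinds[t["target"]].add((t["schedule"], t["runlevel"]))
    want = {("MINUTE", "LIMITED"), ("ONLOGON", "HIGHEST"), ("MINUTE", "HIGHEST")}
    return {target for target, seen in kinds.items() if want <= seen}


def cleanup_commands(tasks):
    """schtasks /delete lines for every task whose target masquerades as a system binary."""
    names = sorted({t["name"] for t in tasks if is_masquerade(t["target"])})
    return [f'schtasks.exe /delete /tn "{n}" /f' for n in names]


if __name__ == "__main__":
    triaged = [triage(c) for c in SAMPLE_CMDLINES]
    for t in triaged:
        print(t["name"], t["schedule"], t["modifier"], t["runlevel"], t["flags"])
    print("triads:", persistence_triads(triaged))
    print("\n".join(cleanup_commands(triaged)))
```

Because each interval task name is reused with /f, the second MINUTE task (the one at /rl HIGHEST) overwrites the first, so on a live host you will find two tasks per binary rather than three; `schtasks /query /fo LIST /v` shows the surviving trigger and run level. Deleting the tasks is only half the cleanup: the target executables in C:\Recovery\..., C:\Windows\Panther and the other directories listed in the report still need to be removed, or the logon triggers will be recreated the next time one of them runs.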
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 d2640523ccaeebfc408faab2fa22f8e8
SHA1 f4183443552f50cc4206dc4b9960eb8471c6f4f5
SHA256 bd4401bdae6ca6553b81fbb4115697c0d947566cfbbaefd3e6c922b379723387
SHA512 7c95b1e3f3805dc35ed83111434922751c28286ef26ada45971948c41a4a52f419d2b6d83d6dfefc5672a2a1f44186d4a10ea07e6cbfbc4d7081e4d54c439d2b
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 03efcc3d6ea104a539030d6425558dd9
SHA1 79e31ea006975ef55caaa868af227b3bd1566f4c
SHA256 d1ef14bec2945a0c0f38f77c199eab0d3488bd66583670b93f3848e9b0f32276
SHA512 a1aad67516c7bb7380d9a89b140b4c9ada1f051fba524770c13f696f9951fb73dffd215d11ad0bd558fdb42baa332b4d825c271ca9251b702e3b8274ed02a538
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 372cab961ecd6110d2f9c760a0de64cd
SHA1 2cc06303e6206b1514c0c2e21ac78927999a7fdb
SHA256 9efc01cd75105858ab80ca394eb1e63c8e2c64ecb466e8d0e52c33d365a5c4fa
SHA512 fdd12c7cb56c5c04c11a9a08efdd04bf2bdb7bbe11ae7b4f3b0704d65901d84c8eefcf3ffb127a3c736a705a551b0dd87d072f2960cdc75488f840897db14236
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 0fe0738fae4c8ba3ec17ab69b5cf402d
SHA1 3ca77a3ac15ec8a823df69d0a29d725507f84540
SHA256 3cb0a22365aad4d70e7f3c37f4a66c0a2ec141421ea8144957fa4885a7b5d453
SHA512 61267f026f1dcb418f3449de966ad0c2848491a810788b2d950d883fe0d9c7a85e0e986a707e30f60a573fe35c85c1a34b21a8640c4331a0aa20a60de5ae3886
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 5e8f54097eb7591f897bf87a9411a782
SHA1 8cbb33a9aaee892c535809ea7433712786b21bcb
SHA256 76277314d894f9dfa335d670775b710ca31bcb26546e6a0a204685d900552912
SHA512 1eefc2bf0a029db337fcb79f671a28e046ca1a82f8428dbe09ccb6c4160085f659467f78b6590949aee2f945b2c4d8cc6a5a798f23781a0d23efaab980a70601
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 ac3601cc93f42c6ae9d83d1f33c60001
SHA1 5c3610c6a63bf0fde09ba6e920f380b986b62b11
SHA256 5d4698a4a63b319b434fd7d4e2c9734dd1a8479359bd4bd6870cd3f72dcccbc5
SHA512 20bcf16f01897157a15b75c9f08e25682268481f83156617da5e581be0f564c9fc41d8b41bf14161e21cc7e11d00d9f17ac9bb5c5758012ea11260401e694e5d
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 8f5fb87c2cee19d21be483cf033a2e0e
SHA1 8476e2cd76b354dcf8fb5f88b64c75b90f6ceea4
SHA256 0c68f8397db3843c3abe14b3286236868c8db2fd65cca535ca949709b10100b4
SHA512 cd0764877c6020642991d57274ce5d8e8ccd8f4f80b5f5ccf4e5bb887e289b33fb57825b3b79310a2252a35d95352da37724a3496a0a2de675758de424f31560
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 9c430d668f3bf81082447fa201761c5f
SHA1 4e53f1a3f229784000e31496b04691b2c9492b56
SHA256 a35c3b3cbc53de66195536d4e7d216d31316dc9652b336fd97a2e3e65266f407
SHA512 a7a0278268437101a8a1de581a58a3b8327550a511999863752c372002847b15435695556f6a64cd4234ce1c9778413859f2303360a4501ac6483b335073e6ab
-
Filesize 215B
MD5 c32d28217ffd151a743912b9287bed88
SHA1 637f3c3f715392053f59b525338a25b61506b434
SHA256 6736dbc1ac674b2441b146e151b9988a8a9c7b54a5a0abfa021d03e03e4fa9f5
SHA512 4c3a9caa3c2f7c97dc630ec3079d64b9ad51cabd638a084ed7748d97cfb94cea99741e7a226cad810015856446fb915b45145d2646f76cf0cc902c1aee44c023
-
Filesize 70KB
MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize 215B
MD5 a89569ae1de3729d820093c006ecd7f6
SHA1 841fdd74ab58937afd05dade5629ce0a515e8914
SHA256 7316c47f2a640d7cc46d311398ec0b301dbea3caa3592c0caf667c20a0271f92
SHA512 f154cad8cfd72eb86be93ab4a2c4e5e9489d877e73f1706dcb3f71f861a0211d5fcf24b4a497a7db504c4892793c92a9cb7fe9b6a0e5407c784606506819af36
-
Filesize 215B
MD5 730871a73c57acc4842bb4c59d9c5b5a
SHA1 836cf0b52b2257d8cc612b29a47341f85f69d69a
SHA256 345be497009c87d3fa67e207e212bbb145e55b719c3acffa352c6d68240e343d
SHA512 b8573699a5adb29e58fc2143f042a40a7b6bb2aea86a2c293fb9c97211bbe5e479027939bfb5ae024c1da82062aa0cecdf15178ae8c2733542095a5ad570e60b
-
Filesize 215B
MD5 741ff9552761b93dcf92b9c6b03e964e
SHA1 e53c4244ca6d21bf831e7ac19c088fe935bad991
SHA256 e9e3bae575f8c060946222142fd68fbf7960b4be6d6fad6fa8b71bf44961dd8c
SHA512 35540c332505160ca697886abd093c74a53d4644cb4d00372179cdf0d45266acbcd975d1a374ca1927f4d84ce1b12f5aab0f3b7a40433282f60f86ba98e600e5
-
Filesize 215B
MD5 f723a43cec7145dd1b3784507cb77f95
SHA1 3ad3c5cd1d76d78129e0eea4cd1334824d171314
SHA256 35211397e378795812fb666df36bc91179803b4326daf4281a6db583ac002165
SHA512 dab11d1f89537fed07b482b2af62af19170d77651189b0fcbe49e801203ba8c5cbd3b54fb75726369ec81b09b2c39d7e72c759202f9805bebbae7c84f0529f7a
-
Filesize 215B
MD5 59b8a4023d773d7fed10f54a29a6f6a1
SHA1 daa5aca85dc4bb174ada3dc2121b89f6606649e7
SHA256 ac68958539eb5972f520d445943b20493f865939dea1cde96aace0d16208e2f0
SHA512 504e8c181ff65da36e6d7f498095d622a91afd9a653aa59281decc73236a4fe632056c7b6beebda2924c50640f1e7946cd96e12e32484db326d4b2ae0785f111
-
Filesize 181KB
MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize 215B
MD5 3a12e4d5358a664938ad64967e2981bf
SHA1 edef63de58687c77c49b0dd0ddc56631fa4b8a4a
SHA256 f5a33f6cc0d8302f307d17b5ef537f7a797ac05d5ae44f04762cafc5d1b0bd64
SHA512 652b56ffeb7a2dd432449265bd6432cb44f3997005053de9007daafe7e53ff712242a8456f023c9ca72c15d2af840df6fd9ea0fcd37b657cc863d272fcc3218c
-
Filesize 215B
MD5 019bf2806bdd060e4161b6bf37d0ac1b
SHA1 90c54545ad8b39edef45fece3f6840600c1a060d
SHA256 a1f183252935f22690621c2028d06a84b51fab17d1555916c52ba1907218e98e
SHA512 a1eb994b99e21fc19cc96354b561b69dac5e94ab554b5a221cb04108ecb123d4dcf38f54cc5561ecd3832a97516895c1db8197674cea34ed1831000cbd83cae2
-
Filesize 215B
MD5 9b351c62b1f1b0012cabcf2ed5c1358a
SHA1 9a6c86ac063dd546a0d47ea8259decbb28dce01a
SHA256 f205536680b343e03ccfa4724ba2480f1c5a9317f326638013ad53c52cbb6eb6
SHA512 e81cc1ab1bb45d51cc81d86800d488f6201a3be9bf779ceb2c82dc4051bc205a387de017a0229ee212834c402ff75c349c11cb9a2000ed44480dc67452cf1bd4
-
Filesize 215B
MD5 41ab181c57c72e57361a8364a80b7eac
SHA1 2a3372aae39de1abeadf25781bb6e4bace8859b8
SHA256 0ddc7c0f6023c62100b8e5f96c979a6315a8e00e9a15fbd22ab4e66c07e9b896
SHA512 4120bc3081ea813fd5fa9b2875700f3ecbc75536cb60a26bb7e91913476382af843bb326c0c0ad14b183d32102bcb86df38036287c69f3d9afb8947bb37af5ee
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\1H5NRVGZU9Q48LM5HOX2.temp
Filesize 7KB
MD5 cd652975bb1fdec415d0a8d498fe9256
SHA1 83220b77d06332ef37815b6cd53e7392a7dffc62
SHA256 856599ef99eb521904c82ae1a568e1b3c764cc75c6590f68166b4b6fb7161ddb
SHA512 a056e3a0eb3fe698e582788a0acfcc4b3fd1063f3da9f46f08621d2439ba321dfcce75ca8fae210504da7100ba703f1f98e363a51b20fc77c57288e9dcf13d49
-
Filesize 36B
MD5 6783c3ee07c7d151ceac57f1f9c8bed7
SHA1 17468f98f95bf504cc1f83c49e49a78526b3ea03
SHA256 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512 c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8
-
Filesize 1.0MB
MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
Filesize 197B
MD5 8088241160261560a02c84025d107592
SHA1 083121f7027557570994c9fc211df61730455bb5
SHA256 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA512 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478