Analysis
- max time kernel: 150s
- max time network: 145s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 21-12-2024 21:52
Behavioral task: behavioral1
- Sample: JaffaCakes118_11c950ce93f6838c7276d54ea461bd5b72823f45d683a79f588ae7f0601bd6b9.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: JaffaCakes118_11c950ce93f6838c7276d54ea461bd5b72823f45d683a79f588ae7f0601bd6b9.exe
- Resource: win10v2004-20241007-en
General
- Target: JaffaCakes118_11c950ce93f6838c7276d54ea461bd5b72823f45d683a79f588ae7f0601bd6b9.exe
- Size: 1.3MB
- MD5: cf1fc7d66704859130ac1f4f4aabcba5
- SHA1: e90324eb0dfd3915d46b4d4cb128bd70ac062a18
- SHA256: 11c950ce93f6838c7276d54ea461bd5b72823f45d683a79f588ae7f0601bd6b9
- SHA512: 9ca31ba32de5fc2dd83296a68fa92a1a5fddee620bde946529d7457672a894d6ecc30e7132c2b44d0d21d3925d52be9911953ad076b8c627f8b07774e231c55d
- SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
DcRat
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
Dcrat family
Process spawned unexpected child process (45 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
description / pid / pid_target / Process / procid_target: Parent C:\Windows\system32\wbem\wmiprvse.exe (pid_target 2880) is not expected to spawn this process; spawned process schtasks.exe (procid_target 34) with pids 2912, 2552, 2748, 2428, 2756, 2900, 2636, 2216, 2244, 772, 1668, 1112, 2804, 756, 1760, 2816, 760, 776, 464, 1068, 1156, 2952, 2984, 2968, 2152, 1980, 2128, 1956, 2076, 860, 1144, 1924, 1780, 1084, 928, 2084, 2476, 1300, 900, 2108, 2164, 2772, 2272, 2292, 1816
Yara rule hits (resource / yara_rule):
- behavioral1/files/0x0006000000018731-11.dat: dcrat
- behavioral1/memory/2116-13-0x0000000000B70000-0x0000000000C80000-memory.dmp: dcrat
- behavioral1/memory/2612-65-0x0000000000B20000-0x0000000000C30000-memory.dmp: dcrat
- behavioral1/memory/2852-187-0x0000000000E80000-0x0000000000F90000-memory.dmp: dcrat
- behavioral1/memory/2932-247-0x0000000001100000-0x0000000001210000-memory.dmp: dcrat
- behavioral1/memory/2744-425-0x0000000000380000-0x0000000000490000-memory.dmp: dcrat
- behavioral1/memory/2616-485-0x0000000001290000-0x00000000013A0000-memory.dmp: dcrat
- behavioral1/memory/1960-605-0x0000000000120000-0x0000000000230000-memory.dmp: dcrat
- behavioral1/memory/2444-665-0x0000000000360000-0x0000000000470000-memory.dmp: dcrat
- behavioral1/memory/2564-726-0x0000000000190000-0x00000000002A0000-memory.dmp: dcrat
Command and Scripting Interpreter: PowerShell (1 TTPs, 16 IoCs)
Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid / Process: 1592, 1788, 1060, 3024, 2220, 564, 1304, 1716, 2208, 1696, 892, 1348, 1704, 2236, 1076, 1508 (all powershell.exe)
Executes dropped EXE (12 IoCs)
pid / Process: 2116 DllCommonsvc.exe; sppsvc.exe with pids 2612, 2852, 2932, 784, 2332, 2744, 2616, 2108, 1960, 2444, 2564
Loads dropped DLL (2 IoCs)
pid / Process: 2260 cmd.exe (2 loads)
Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 11 IoCs)
flow / ioc: raw.githubusercontent.com in flows 4, 9, 27, 30, 34, 5, 12, 16, 19, 23, 37
Drops file in Program Files directory (6 IoCs)
description / ioc / Process (all "File created" by DllCommonsvc.exe):
- C:\Program Files (x86)\Windows Sidebar\de-DE\0a1fd5f707cd16
- C:\Program Files (x86)\Microsoft Sync Framework\dllhost.exe
- C:\Program Files (x86)\Microsoft Sync Framework\5940a34987c991
- C:\Program Files (x86)\Google\Update\Offline\lsass.exe
- C:\Program Files (x86)\Google\Update\Offline\6203df4a6bafc7
- C:\Program Files (x86)\Windows Sidebar\de-DE\sppsvc.exe
Drops file in Windows directory (4 IoCs)
description / ioc / Process (all "File created" by DllCommonsvc.exe):
- C:\Windows\ShellNew\taskhost.exe
- C:\Windows\ShellNew\b75386f1303e64
- C:\Windows\Microsoft.NET\authman\services.exe
- C:\Windows\Microsoft.NET\authman\c5b4cb5e9653cc
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description / ioc / Process (all "Key opened" on \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language):
- JaffaCakes118_11c950ce93f6838c7276d54ea461bd5b72823f45d683a79f588ae7f0601bd6b9.exe
- WScript.exe
- cmd.exe
Scheduled Task/Job: Scheduled Task (1 TTPs, 45 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid / Process (all schtasks.exe): 900, 2772, 1668, 1980, 772, 464, 1068, 1144, 1084, 928, 2900, 2636, 2292, 1816, 2952, 2076, 2756, 1112, 1300, 2748, 2428, 2968, 1956, 2272, 2552, 760, 2816, 2984, 1924, 2804, 1760, 1156, 2152, 860, 2108, 2164, 2244, 756, 776, 2128, 1780, 2084, 2476, 2912, 2216
Suspicious behavior: CmdExeWriteProcessMemorySpam (10 IoCs)
pid / Process (all sppsvc.exe): 2852, 2932, 784, 2332, 2744, 2616, 2108, 1960, 2444, 2564
Suspicious behavior: EnumeratesProcesses (31 IoCs)
pid / Process: 2116 DllCommonsvc.exe (5 hits); powershell.exe with pids 892, 1076, 2236, 1704, 1592, 1696, 1348, 1508, 3024, 564, 1716, 1060, 1788, 1304, 2220; sppsvc.exe with pids 2612, 2852, 2932, 784, 2332, 2744, 2616, 2108, 1960, 2444, 2564
Suspicious use of AdjustPrivilegeToken (27 IoCs)
description / pid / Process (all "Token: SeDebugPrivilege"): 2116 DllCommonsvc.exe; powershell.exe with pids 892, 1076, 2236, 1704, 1592, 1696, 1348, 1508, 3024, 564, 1716, 1060, 1788, 1304, 2220; sppsvc.exe with pids 2612, 2852, 2932, 784, 2332, 2744, 2616, 2108, 1960, 2444, 2564
Suspicious use of WriteProcessMemory (64 IoCs)
description / pid / Process / procid_target (repeated writes collapsed; procid_target in parentheses):
- PID 2672 JaffaCakes118_11c950ce93f6838c7276d54ea461bd5b72823f45d683a79f588ae7f0601bd6b9.exe wrote to memory of 1764 (30), 4 writes
- PID 1764 WScript.exe wrote to memory of 2260 (31), 4 writes
- PID 2260 cmd.exe wrote to memory of 2116 (33), 4 writes
- PID 2116 DllCommonsvc.exe wrote to memory of 564 (80), 892 (81), 1788 (82), 2236 (83), 1304 (84), 1076 (85), 1060 (86), 1348 (87), 1696 (88), 2220 (89), 1508 (90), 1704 (91), 3024 (92), 2208 (93), 1592 (95), 1716 (96), 3 writes each, and of 2612 (110), 4 writes
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Depth 1: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_11c950ce93f6838c7276d54ea461bd5b72823f45d683a79f588ae7f0601bd6b9.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_11c950ce93f6838c7276d54ea461bd5b72823f45d683a79f588ae7f0601bd6b9.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2672
Depth 2: C:\Windows\SysWOW64\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 1764
Depth 3: C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c ""C:\providercommon\1zu9dW.bat" "
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2260
Depth 4: C:\providercommon\DllCommonsvc.exe
  Command line: "C:\providercommon\DllCommonsvc.exe"
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2116
Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 564
Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Desktop\audiodg.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 892
Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ShellNew\taskhost.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1788
Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2236
Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\spoolsv.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1304
Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\authman\services.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1076
Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Links\WmiPrvSE.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1060
Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\de-DE\sppsvc.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1348
Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\csrss.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1696
Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Sync Framework\dllhost.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2220
Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\Update\Offline\lsass.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1508
Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1704
Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\csrss.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 3024
Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\winlogon.exe'
  - Command and Scripting Interpreter: PowerShell
  PID: 2208
Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\audiodg.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1592
Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\dwm.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1716
Depth 5: C:\Program Files (x86)\Windows Sidebar\de-DE\sppsvc.exe
  Command line: "C:\Program Files (x86)\Windows Sidebar\de-DE\sppsvc.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2612
Depth 6: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7lFc7N4hi3.bat"
  PID: 2912
Depth 7: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 1912
Depth 7: C:\Program Files (x86)\Windows Sidebar\de-DE\sppsvc.exe
  Command line: "C:\Program Files (x86)\Windows Sidebar\de-DE\sppsvc.exe"
  - Executes dropped EXE
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2852
Depth 8: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PX74P8KQcP.bat"
  PID: 2308
Depth 9: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2584
Depth 9: C:\Program Files (x86)\Windows Sidebar\de-DE\sppsvc.exe
  Command line: "C:\Program Files (x86)\Windows Sidebar\de-DE\sppsvc.exe"
  - Executes dropped EXE
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2932
Depth 10: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MUFyTxLHSg.bat"
  PID: 772
Depth 11: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2704
Depth 11: C:\Program Files (x86)\Windows Sidebar\de-DE\sppsvc.exe
  Command line: "C:\Program Files (x86)\Windows Sidebar\de-DE\sppsvc.exe"
  - Executes dropped EXE
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 784
Depth 12: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CMv1BFFgLz.bat"
  PID: 2320
Depth 13: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2068
Depth 13: C:\Program Files (x86)\Windows Sidebar\de-DE\sppsvc.exe
  Command line: "C:\Program Files (x86)\Windows Sidebar\de-DE\sppsvc.exe"
  - Executes dropped EXE
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2332
Depth 14: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GW80Ek08hx.bat"
  PID: 1924
Depth 15: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 292
Depth 15: C:\Program Files (x86)\Windows Sidebar\de-DE\sppsvc.exe
  Command line: "C:\Program Files (x86)\Windows Sidebar\de-DE\sppsvc.exe"
  - Executes dropped EXE
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2744
Depth 16: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\B7rL9EqqPR.bat"
  PID: 1632
Depth 17: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2936
Depth 17: C:\Program Files (x86)\Windows Sidebar\de-DE\sppsvc.exe
  Command line: "C:\Program Files (x86)\Windows Sidebar\de-DE\sppsvc.exe"
  - Executes dropped EXE
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2616
Depth 18: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xkGYwzkQoc.bat"
  PID: 2256
Depth 19: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2152
Depth 19: C:\Program Files (x86)\Windows Sidebar\de-DE\sppsvc.exe
  Command line: "C:\Program Files (x86)\Windows Sidebar\de-DE\sppsvc.exe"
  - Executes dropped EXE
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2108
Depth 20: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yoQf8QHV2Q.bat"
  PID: 960
Depth 21: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 1856
Depth 21: C:\Program Files (x86)\Windows Sidebar\de-DE\sppsvc.exe
  Command line: "C:\Program Files (x86)\Windows Sidebar\de-DE\sppsvc.exe"
  - Executes dropped EXE
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1960
Depth 22: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\o4pIGJu18c.bat"
  PID: 2780
Depth 23: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2576
Depth 23: C:\Program Files (x86)\Windows Sidebar\de-DE\sppsvc.exe
  Command line: "C:\Program Files (x86)\Windows Sidebar\de-DE\sppsvc.exe"
  - Executes dropped EXE
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2444
Depth 24: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fjnbjzFmbP.bat"
  PID: 2184
Depth 25: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 1200
Depth 25: C:\Program Files (x86)\Windows Sidebar\de-DE\sppsvc.exe
  Command line: "C:\Program Files (x86)\Windows Sidebar\de-DE\sppsvc.exe"
  - Executes dropped EXE
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2564
Depth 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Desktop\audiodg.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2912
Depth 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\All Users\Desktop\audiodg.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2552
Depth 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Desktop\audiodg.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2748
Depth 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Windows\ShellNew\taskhost.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2428
Depth 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\ShellNew\taskhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2756
Depth 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Windows\ShellNew\taskhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2900
Depth 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\providercommon\csrss.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2636
Depth 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2216
Depth 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2244
Depth 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\providercommon\spoolsv.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 772
Depth 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1668
Depth 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1112
Depth 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Windows\Microsoft.NET\authman\services.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2804
Depth 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\Microsoft.NET\authman\services.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 756
Depth 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Windows\Microsoft.NET\authman\services.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1760
Depth 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Links\WmiPrvSE.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2816
Depth 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Default\Links\WmiPrvSE.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 760
Depth 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Links\WmiPrvSE.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 776
Depth 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Sidebar\de-DE\sppsvc.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 464
Depth 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\de-DE\sppsvc.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1068
Depth 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Sidebar\de-DE\sppsvc.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1156
Depth 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\csrss.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2952
Depth 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\csrss.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2984
Depth 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\csrss.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
PID:2968
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2152
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1980
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2128
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Google\Update\Offline\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1956
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Update\Offline\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2076
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Google\Update\Offline\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:860
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\providercommon\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1144
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1924
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1780
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Users\Default\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1084
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:928
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Users\Default\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2084
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\winlogon.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2476
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Default User\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1300
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:900
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\audiodg.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2108
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2164
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2772
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\dwm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2272
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2292
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1816
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 046f5411bbe9db0f78c559102694e9e0
SHA1 2313c1acf4bfb483b4965384bf5a7c2d725754cb
SHA256 6a81b2b98726a7e99e8e5e14b1df7e0e0ea89fe3abf9794819407f8acc597bc0
SHA512 600d1675fd7a7a3c15318b71d5abe64bf9fd469c2c982ad5df0961039d20a126693a9643ef37474687a01e34a342c87b0d997e71c03df0d349a56b20853ae81f
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 9d1adef44ea8dbb24478549b6d9eef55
SHA1 8d0abf6c7b1c04487eb6830c797eeed90996b25a
SHA256 12a8b440b78e57183ec3c733f402f398cf48eb1252f1b09ebb6237d242ced64c
SHA512 b12bae975bcfb7094e3cf43889673e08e86b9ca9da0776c7916ef3c9b4cc617dac36e3377e83e173d91a93410b2eb564fd5f2cab7846d30c6260cbd1698fce78
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 f9cd08c309cde221bea5d59f966bbaf3
SHA1 270c03d6743c8351e6d3a7c80ddd8f589a384cdc
SHA256 900a2149a94b9690a567444ae2d41dc57d317dd5d1ce95fda7bc6c08b107189f
SHA512 24649ab70c100dbfee793aaa1e18ebf2e7edcb63b573a8769b3fa7ae1eaee09eb517fb06c22a92547e13fa5d5457aff9a0fad2a1636fa541811a64deaf8216d5
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 aed3a28a84e8ca17a6b33febe51580c5
SHA1 1643473fba852b6ab8cebd06429ad98f1e597ba5
SHA256 9e54140f627d130ce50a6c1da4bc576b3b545b5792f347f205cbccdc0b326d9a
SHA512 adfa2defc1b18a997ee1455952705e84781542197d2bac2f5c36b02a645846a392326f2b9088f90d8fa57b05aa7e9a82a62a42e6b747026f4fe9c07a053fbb33
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 5836930d57bf11fcb5bae35e5405ab5c
SHA1 9d704cb7c506ab5e1e0a5cff668ae3d4625367a3
SHA256 b06bc17ac619de0e89c24b5220412d300392cab5593ff998442b2ce800162f78
SHA512 a387d4e811011167681ee6ddf137ad8b102593fb86c7e51968cdce845dacf7e0211b6bb4e0f862933c7ab0c65070ad1eadccd5251241ad4f1ead2cc694e54d35
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 45fe955b17a9bc68d2b12b65349c8080
SHA1 cfceb4e4092ddc819bb004be7bc2e7874efe653b
SHA256 6326e2150cc6e641ec21be6c62bd3780e2bcb402f01dbfbc4aaaa7237b5cf906
SHA512 7ad694b3b8752da315499a8a30206eca8dd1f19238328c74c639899557d88e893333c925258cf3a034dc97af492bc963dd6ddb93dd940d692f7abd77383db40c
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 88d27f286f8bfee801d052228a265d3d
SHA1 1ec11da792c48e21026934c2a3e14d9425afbaa9
SHA256 0ca8eb7ae8b75916e6173c5bb875bd323fddb62394764c8531a83a3a48f58010
SHA512 5c89f7598638afe878e13280991f28f6fca757d2098ac02754e48678c97828fd84a9703a352a71e903a7c4889cdb2d1c6ac138592bc54ebce975606ae426162d
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 4608b3576f04bb94f9bb49991f2863e2
SHA1 dcfc80263443bf567b30dc87ab0cd03564e62a25
SHA256 48718387901f723fe4af641046e004ccfcde3e9e12f0c5a0a149de682ac30f06
SHA512 0a688b71a5e3b45d78f2242397c52ac27c1fd53401be383d71aaa9c69ad1135eb654b483edc0c83ea3f64d3514c9e5ed6f6092dd67588e3bcc8846bc1c401710
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 685c009d9ffab67af25a1d37be954e27
SHA1 350cdcec1e31093156e608e43f9ad87a59ca21d3
SHA256 9f68f039ea60fa08369dfda4f5a1c2579ed177d2fd8a3b329a14627b5a407c41
SHA512 738844c41daf8b35afe066a0a6863292baf471a9f22643d1d2f1f6af5a07cfdb8cacb680bed81bf75b387e93677d966a56d105d07fd3de366be63f2cc4d20d60
-
Filesize 220B
MD5 0bd1bf6a79a4b742fb22af22ec5b42e4
SHA1 0ed94c0e28e3527cd4644b89d6c1241c0635c71e
SHA256 eb0305f75aac4b8fa40f376da2eb309df30cd877c26b1861524e623db671a973
SHA512 f41fae26577d29dc7ac64880c9ff60e9182b343a3957313197cd5d19d12e82803beca5c675d2fd5bab7558518c55fa3e7e9dff8f617f13eb85e13c7f91777856
-
Filesize 220B
MD5 4f915bfcccc9939204839fde534c267f
SHA1 fd79a867eb88f859ea4cd9d8def93f648b4c4837
SHA256 fcc0eb558cc976585dc3de87b047a45957c5869d9335bac6ae97d4b8fa2db048
SHA512 fc7869acac34bd95b7dfe683e9030be7a91f5c824e482bb3070fc7e9dfedfed67ae86dc33521bf8bcfcc48ce6c860caa67f0e2f7ed46877e7d31dd639f0898d4
-
Filesize 220B
MD5 7342419e07568786296fb42ad5dadabb
SHA1 71e99464a0cdc66e6851e4dbc95f8c6cb2fa3e19
SHA256 8bec77f4c63a913e00c101cbad42737a68f37a52d0a44ffa9b55a73e019be16e
SHA512 d5fea432f356a826d8c92781376a0755b3df885a1c6306156717596bfbd2eb2c5cd1df6ee931b156819b707dccc33b93469cf6594b46f0ebeed6e4e6c62bf78b
-
Filesize 70KB
MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize 220B
MD5 4f43611153fecbfd131f1645a1905a4d
SHA1 b051c33856cc9fbd63909e1bf8a45a46d23a8c53
SHA256 a09c74d72111647250fe725fc75d4cd4b90daed8cc70152d87afade141ccdeca
SHA512 b759d7241c2f5537006d7f0f6e910b9b0fec0e16acee49756c69ac330edae8cfbfb71d29440f98ecd53c7a2bb28448d72a1a8c9bc8a14f4ec255e1ae9e1b6982
-
Filesize 220B
MD5 0177b547f78c4d51d670741ea21a33e8
SHA1 c17e6bd1d8ca7c6ecdd851ecd4beed36b36682ef
SHA256 b568c7343b45ef954acd63e197f82974f73c0dd7bc630ed4d03e8b393bafda7c
SHA512 2bda665f84d1ed907d7c9e65c365983f2d199696d2a29cc619d6aaa153c8984b93dbaf2721ec784d47d14fa6ce05ad63acb0ff96ad17ffe2a0b1ef9393108981
-
Filesize 220B
MD5 2f2fe17a91d545f8b1aee23b4f162031
SHA1 0b3f575d999d4bca19ab0d39b4b3a48167663ae0
SHA256 3a71b53505bb469f3196b13a16950b72e9ab756d4c56c14f36ec8aba939a2e6b
SHA512 f80104d178fda1bbab6af71d55c374d0be9714b8a8e378ee21e410f08e9b702eada16a5bde63554c71fc62a9c5379e7bc35c3a3851336a01baa43786b84baa43
-
Filesize 181KB
MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize 220B
MD5 cc71b7254813fdb096fb4cef05fc3149
SHA1 fa5deb3def5f88efef2e530cd13cac0e1097372f
SHA256 861a65a8d56a527da5f5c516115cae27509b84163fbc8fd1bdc1144e9b21f151
SHA512 14f7767caf2058450c918156991b3ec0fb573a90d134ed45412c49c95cac23f27dce2e62e006946a70312221367c3f822efe314154e41bb309bf4e3019965a72
-
Filesize 220B
MD5 af0acbe861a69c8487cbe268352d1882
SHA1 45f7a5e83f5f9c70226fc91cb9072fa5a0aa1be3
SHA256 a2c005b0a613f32e256b6b3875ede65f0ac9431ed85389b06972430332677b34
SHA512 0d6c0aa4ca75283f87830d791b88f42b43deb0c6878674e7d380c156d8160bc4b106ad511fc409a52e35e26666263f04631333038da93846013401eadf33f7ae
-
Filesize 220B
MD5 8fac53bc30fd6b04ac4e6df70e428d97
SHA1 ae3a1ec6dd37e7efd452d3a005beb8c7fd60b496
SHA256 7d2b5f4aa8c840b201f369af5cefc361f8d9560d55e388b12a1fea516d07b1a2
SHA512 031096d72728132f9f457128d0372099ee2d0723881082ae3de408860f29d316724105ecb3051dce06f34d74714b888063082daaefb7a3a428cb92310e093024
-
Filesize 220B
MD5 c0e8b8e93af21f49b4177f2869770e45
SHA1 329b252f27ae072d23ac25f8126ef498cc47959b
SHA256 dabe4d5fa5d0a76184feaa9b8fc37beb7cc0f63b754a2e21b3ebc423bae91093
SHA512 93fbb822bd0eafe059b3a60c2900c6c1fcfeee1c539377e19092cf4cce1d157a643d925569182ab9148ba5a66d76beaf1dc947495546d2492c31415a55f0e86e
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize 7KB
MD5 2f2e5dd47aceec6b944ac8b8752a0a9d
SHA1 465d473258db4898cc911d27ab49b6b0b9631991
SHA256 f300a7cfd8ebb94baf7c4a66c5b5879c89eba59299a42cdcf9697e0fe191801a
SHA512 d81a083c8d1f6de4b81eba6ba276091676a650b0ef31e340366b3c95c17792b1592c5d88cce4b6feead6f16c7102593279db77669c4d2307da0a5c44ec7c8705
-
Filesize 36B
MD5 6783c3ee07c7d151ceac57f1f9c8bed7
SHA1 17468f98f95bf504cc1f83c49e49a78526b3ea03
SHA256 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512 c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8
-
Filesize 197B
MD5 8088241160261560a02c84025d107592
SHA1 083121f7027557570994c9fc211df61730455bb5
SHA256 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA512 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478
-
Filesize 1.0MB
MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394