Analysis

max time kernel: 146s
max time network: 141s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 21-12-2024 23:05

Behavioral task behavioral1
Sample: JaffaCakes118_7d6a5926256a061561a63fe8e3599cb411daf8f8e3daaae9eb9b4f52ffb0f6cf.exe
Resource: win7-20241010-en

Behavioral task behavioral2
Sample: JaffaCakes118_7d6a5926256a061561a63fe8e3599cb411daf8f8e3daaae9eb9b4f52ffb0f6cf.exe
Resource: win10v2004-20241007-en

General

Target: JaffaCakes118_7d6a5926256a061561a63fe8e3599cb411daf8f8e3daaae9eb9b4f52ffb0f6cf.exe
Size: 1.3MB
MD5: a4106fa2800a9cd95a6d945c73a0e593
SHA1: 5ea1b38b8ceebc411729307e935b722f0ab97487
SHA256: 7d6a5926256a061561a63fe8e3599cb411daf8f8e3daaae9eb9b4f52ffb0f6cf
SHA512: 0d16cac3d2ff5ab32dc6c56aef4179761db2dcb72a95a369ccefbc5312754a3e1a3cfabbc33a70feb85a595a75a731d2d960748d284a30aaf7858b0a852253b4
SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config

Signatures

DcRat
DarkCrystal (DCRat) is a .NET RAT, active since June 2019, capable of loading additional plugins.

Dcrat family
Process spawned unexpected child process 54 IoCs
This typically indicates the parent process was compromised via an exploit or macro. In this run the parent is the WMI provider host and all 54 children are the schtasks.exe persistence commands listed under Scheduled Task/Job below. That is consistent with the sample creating the schtasks.exe processes through WMI process creation rather than spawning them directly, which is also why they appear at the top level of the process tree instead of under DllCommonsvc.exe (PID 2912).

Parent: C:\Windows\system32\wbem\wmiprvse.exe (PID 2664, procid_target 34) is not expected to spawn schtasks.exe. Child schtasks.exe PIDs (54, in the order reported):
2428, 3016, 2836, 980, 1492, 236, 1708, 1284, 1744, 3052, 1864, 1632, 1716, 2824, 2832, 2632, 2416, 2564,
2044, 1820, 544, 2576, 2968, 2960, 2376, 1912, 860, 2464, 316, 612, 1564, 896, 448, 2944, 1012, 996,
1060, 1592, 836, 2192, 900, 1712, 1748, 2084, 2260, 1600, 2476, 1728, 3000, 1572, 1580, 2792, 2796, 2724
YARA matches (resource: rule):
- behavioral1/files/0x0008000000015d5b-12.dat: dcrat
- behavioral1/memory/2912-13-0x00000000003B0000-0x00000000004C0000-memory.dmp: dcrat
- behavioral1/memory/3436-157-0x0000000000E40000-0x0000000000F50000-memory.dmp: dcrat
- behavioral1/memory/1764-394-0x0000000000300000-0x0000000000410000-memory.dmp: dcrat
- behavioral1/memory/1964-454-0x00000000012D0000-0x00000000013E0000-memory.dmp: dcrat
- behavioral1/memory/2700-573-0x0000000001300000-0x0000000001410000-memory.dmp: dcrat
- behavioral1/memory/3096-633-0x0000000000080000-0x0000000000190000-memory.dmp: dcrat
Command and Scripting Interpreter: PowerShell 1 TTPs 19 IoCs
Runs PowerShell to modify Windows Defender settings by adding exclusions for file extensions, paths, or processes. All 19 invocations in this run are Add-MpPreference -ExclusionPath calls, one per location where the dropper stages a copy of itself (the exact paths are listed per PID in the process tree below).
powershell.exe PIDs: 2644, 2708, 2720, 2604, 2612, 808, 584, 2064, 756, 2820, 2816, 2900, 2596, 1680, 1844, 768, 2888, 2764, 572
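The 19 PowerShell command lines in this run all have one shape. The following is an added example (not part of the sandbox report and not the sample's own code) of how a detection script can pull the excluded path out of each Add-MpPreference call in process-creation telemetry and flag the ones that plant a core Windows process name outside C:\Windows. The event records and their field names (pid, cmdline) are constructed for the example from command lines in this report; they are not a sandbox or EDR export format.

```python
"""Added example, not part of the sandbox report: find Defender exclusion
tampering in process-creation events and flag masqueraded exclusion targets.
The events below are constructed from the report's command lines; the record
layout (pid, cmdline) is assumed, not a real EDR schema."""
import re
from pathlib import PureWindowsPath

# Matches Add-MpPreference with one exclusion switch and its value, whether the
# value is single-quoted (as in this sample), double-quoted or bare.
EXCLUSION_RE = re.compile(
    r"Add-MpPreference\b.*?-(ExclusionPath|ExclusionProcess|ExclusionExtension)\s+"
    r"(?:'([^']*)'|\"([^\"]*)\"|(\S+))",
    re.IGNORECASE,
)
KIND = {"exclusionpath": "path", "exclusionprocess": "process",
        "exclusionextension": "extension"}

# Names the dropper reuses for its copies. Outside these directories a file
# with one of these names is a masquerade, not the real system binary
# (System and Idle have no on-disk .exe at all).
SYSTEM_PROCESS_NAMES = {
    "lsass.exe", "smss.exe", "wininit.exe", "winlogon.exe", "dwm.exe", "lsm.exe",
    "taskhost.exe", "audiodg.exe", "explorer.exe", "system.exe", "idle.exe",
}
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32", r"c:\windows\syswow64"}


def parse_exclusion(cmdline):
    """Return (kind, value) for an Add-MpPreference exclusion, else None."""
    m = EXCLUSION_RE.search(cmdline)
    if m is None:
        return None
    value = next(g for g in m.groups()[1:] if g is not None)
    return KIND[m.group(1).lower()], value


def is_masquerade(path):
    """True if path uses a core Windows process name outside C:\\Windows."""
    p = PureWindowsPath(path)
    return (p.name.lower() in SYSTEM_PROCESS_NAMES
            and str(p.parent).lower() not in SYSTEM_DIRS)


def analyse(events):
    """Return one finding per exclusion-adding event, in event order."""
    findings = []
    for ev in events:
        parsed = parse_exclusion(ev["cmdline"])
        if parsed is None:
            continue
        kind, value = parsed
        findings.append({
            "pid": ev["pid"], "kind": kind, "value": value,
            "masquerade": kind == "path" and is_masquerade(value),
        })
    return findings


# Constructed from the report's process tree (PIDs 2708, 2720, 2604, 1680) plus
# two made-up benign lines so the filter has something to ignore.
SAMPLE_EVENTS = [
    {"pid": 2708, "cmdline": r"powershell -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'"},
    {"pid": 2720, "cmdline": r"powershell -Command Add-MpPreference -ExclusionPath 'C:\providercommon\taskhost.exe'"},
    {"pid": 2604, "cmdline": r"powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\lsass.exe'"},
    {"pid": 1680, "cmdline": r"powershell -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\smss.exe'"},
    {"pid": 4001, "cmdline": "powershell -Command Get-MpPreference"},
    {"pid": 4002, "cmdline": 'powershell -Command Add-MpPreference -ExclusionExtension ".pst"'},
]

if __name__ == "__main__":
    for f in analyse(SAMPLE_EVENTS):
        label = "MASQUERADE" if f["masquerade"] else "exclusion"
        print(f"pid {f['pid']}: {label} {f['kind']} {f['value']}")
```

The masquerade check is the part worth keeping even when the exclusion itself is legitimate: an administrator excluding a backup extension is routine, while a path exclusion for a file called lsass.exe under a user profile has no benign reading.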
Executes dropped EXE 12 IoCs
PID / Process: 2912 DllCommonsvc.exe; 3436, 3864, 1580, 1040, 1764, 1964, 3748, 2700, 3096, 3212, 908 lsass.exe (every lsass.exe here is the dropped copy at C:\Users\Default User\lsass.exe, not the system LSASS)
Loads dropped DLL 2 IoCs
PID / Process: 2752 cmd.exe (2 loads)
Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs
IOC: raw.githubusercontent.com, seen in flows 4, 5, 9, 12, 15, 18, 22, 25, 28, 31, 35
Drops file in Program Files directory 8 IoCs
Files created by DllCommonsvc.exe:
- C:\Program Files\Windows Defender\1610b97d3ab4a7
- C:\Program Files\Java\smss.exe
- C:\Program Files\Java\69ddcba757bf72
- C:\Program Files (x86)\Windows NT\TableTextService\it-IT\dwm.exe
- C:\Program Files (x86)\Windows NT\TableTextService\it-IT\6cb0b6c459d5d3
- C:\Program Files (x86)\Windows NT\lsm.exe
- C:\Program Files (x86)\Windows NT\101b941d020240
- C:\Program Files\Windows Defender\OSPPSVC.exe
Drops file in Windows directory 2 IoCs
Files created by DllCommonsvc.exe:
- C:\Windows\Registration\CRMLog\DllCommonsvc.exe
- C:\Windows\Registration\CRMLog\a76d7bf15d8370
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by JaffaCakes118_7d6a5926256a061561a63fe8e3599cb411daf8f8e3daaae9eb9b4f52ffb0f6cf.exe, WScript.exe and cmd.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 54 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
schtasks.exe PIDs: 2428, 1012, 1060, 2192, 2260, 2792, 1708, 2044, 2376, 1744, 2416, 544, 1912, 612, 1632, 2632, 1820, 1572, 980, 1748, 2796, 1580, 1492, 896, 996, 900, 2576, 316, 448, 1600, 2836, 236, 3052, 1564, 1712, 860, 1728, 2832, 836, 1284, 1864, 1716, 2564, 2960, 3000, 2724, 2944, 1592, 2476, 2824, 2968, 2464, 2084, 3016
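Scheduled-task persistence on the scale seen here (54 creations) leaves a recognisable footprint in command-line telemetry. The script below is an added example, not code from the report or from the sample: it parses schtasks /create command lines, groups them by the executable they launch, and reports a target that receives both an ONLOGON task at highest run level and minute-interval relaunch tasks, or whose schtasks.exe was started by WmiPrvSE.exe. The event records are constructed from PIDs and command lines in this report, with an assumed field layout (pid, parent_image, cmdline) and two made-up benign entries.

```python
"""Added example, not part of the sandbox report: parse schtasks /create
command lines and flag the persistence pattern seen in this run. Event
records are constructed from the report's PIDs and command lines with an
assumed layout (pid, parent_image, cmdline)."""
import re
from collections import defaultdict

# A double-quoted argument (may contain spaces) or a bare token.
TOKEN_RE = re.compile(r'"[^"]*"|\S+')


def parse_schtasks(cmdline):
    """Return the switches of a schtasks /create call as a dict, or None
    if the command line is not a task creation."""
    tokens = [t.strip('"') for t in TOKEN_RE.findall(cmdline)]
    if not tokens or tokens[0].lower().rsplit("\\", 1)[-1] not in ("schtasks", "schtasks.exe"):
        return None
    opts, flags, i = {}, set(), 1
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("/"):
            key = tok[1:].lower()
            if i + 1 < len(tokens) and not tokens[i + 1].startswith("/"):
                opts[key] = tokens[i + 1]      # switch with a value: /tn, /sc, /mo, /tr, /rl
                i += 2
                continue
            flags.add(key)                     # switch without a value: /create, /f
        i += 1
    if "create" not in flags:
        return None
    opts["flags"] = flags
    # This sample wraps the /tr target in an extra pair of single quotes.
    opts["tr"] = opts.get("tr", "").strip("'")
    return opts


def cluster_by_target(events):
    """Group task creations by the executable they launch (case-folded)."""
    by_target = defaultdict(list)
    for ev in events:
        opts = parse_schtasks(ev["cmdline"])
        if opts is None or not opts["tr"]:
            continue
        by_target[opts["tr"].lower()].append({
            "pid": ev["pid"], "parent": ev["parent_image"],
            "tn": opts.get("tn"), "sc": opts.get("sc", "").upper(),
            "mo": opts.get("mo"), "rl": opts.get("rl", "").upper(),
        })
    return by_target


def assess(by_target):
    """Report targets showing the logon-plus-interval triplet or a WMI-launched schtasks."""
    findings = []
    for target, tasks in by_target.items():
        reasons = []
        logon_highest = [t for t in tasks if t["sc"] == "ONLOGON" and t["rl"] == "HIGHEST"]
        minute = [t for t in tasks if t["sc"] == "MINUTE"]
        if logon_highest and minute:
            reasons.append("ONLOGON task at HIGHEST plus %d minute-interval relaunch task(s)" % len(minute))
        wmi = sorted(t["pid"] for t in tasks if t["parent"].lower().endswith("wmiprvse.exe"))
        if wmi:
            reasons.append("schtasks.exe launched by WmiPrvSE.exe: pids %s" % wmi)
        if reasons:
            findings.append({"target": target, "tasks": [t["tn"] for t in tasks], "reasons": reasons})
    return findings


WMI = r"C:\Windows\system32\wbem\wmiprvse.exe"
# First six entries are taken from the report; the last two are constructed benign noise.
SAMPLE_EVENTS = [
    {"pid": 2428, "parent_image": WMI, "cmdline": r'''schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\providercommon\taskhost.exe'" /f'''},
    {"pid": 3016, "parent_image": WMI, "cmdline": r'''schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\providercommon\taskhost.exe'" /rl HIGHEST /f'''},
    {"pid": 2836, "parent_image": WMI, "cmdline": r'''schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\providercommon\taskhost.exe'" /rl HIGHEST /f'''},
    {"pid": 980, "parent_image": WMI, "cmdline": r'''schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\providercommon\audiodg.exe'" /f'''},
    {"pid": 1492, "parent_image": WMI, "cmdline": r'''schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\providercommon\audiodg.exe'" /rl HIGHEST /f'''},
    {"pid": 236, "parent_image": WMI, "cmdline": r'''schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\providercommon\audiodg.exe'" /rl HIGHEST /f'''},
    {"pid": 5001, "parent_image": r"C:\Windows\System32\cmd.exe", "cmdline": r'schtasks.exe /create /tn "NightlyBackup" /sc DAILY /st 02:00 /tr "C:\Program Files\Backup\backup.exe" /f'},
    {"pid": 5002, "parent_image": r"C:\Windows\System32\cmd.exe", "cmdline": r'schtasks.exe /query /tn "NightlyBackup"'},
]

if __name__ == "__main__":
    for f in assess(cluster_by_target(SAMPLE_EVENTS)):
        print(f["target"], f["tasks"], "; ".join(f["reasons"]))
```

Grouping by target rather than by task name is deliberate: the sample varies the task names (taskhost, taskhostt) but every task for a binary points at the same path, and a benign daily task registered from cmd.exe produces no finding.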
Suspicious behavior: EnumeratesProcesses 41 IoCs
PID / Process: 2912 DllCommonsvc.exe (11 occurrences); powershell.exe 1680, 2820, 584, 2816, 2764, 2604, 2888, 2708, 2064, 2596, 808, 2720, 2644, 1844, 2900, 2612, 756, 768, 572; lsass.exe 3436, 3864, 1580, 1040, 1764, 1964, 3748, 2700, 3096, 3212, 908
Suspicious use of AdjustPrivilegeToken 31 IoCs
Token: SeDebugPrivilege enabled by 2912 DllCommonsvc.exe; powershell.exe 1680, 2820, 584, 2816, 2764, 2604, 2888, 2708, 2064, 808, 2596, 2720, 2644, 1844, 2900, 2612, 756, 768, 572; lsass.exe 3436, 3864, 1580, 1040, 1764, 1964, 3748, 2700, 3096, 3212, 908
Suspicious use of WriteProcessMemory 64 IoCs
Writer (PID, process) -> target PID (procid_target), number of writes:
- 1700 JaffaCakes118_7d6a5926256a061561a63fe8e3599cb411daf8f8e3daaae9eb9b4f52ffb0f6cf.exe -> 2808 (30), 4 writes
- 2808 WScript.exe -> 2752 (31), 4 writes
- 2752 cmd.exe -> 2912 (33), 4 writes
- 2912 DllCommonsvc.exe -> 2708 (89), 2720 (90), 2820 (91), 2816 (92), 2888 (93), 2900 (94), 1680 (95), 2596 (96), 2604 (97), 2612 (98), 2644 (99), 2764 (100), 1844 (101), 768 (102), 808 (103), 572 (104), 584 (105), 3 writes each; 2064 (106), 1 write shown (the listing stops at 64 entries)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (Level = depth in the tree; the bullets under each entry are the signatures attributed to that process)

Level 1: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7d6a5926256a061561a63fe8e3599cb411daf8f8e3daaae9eb9b4f52ffb0f6cf.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7d6a5926256a061561a63fe8e3599cb411daf8f8e3daaae9eb9b4f52ffb0f6cf.exe"
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
- PID: 1700

Level 2: C:\Windows\SysWOW64\WScript.exe (the command line names System32; the 32-bit parent's request is redirected to the SysWOW64 copy)
Command line: "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
- PID: 2808

Level 3: C:\Windows\SysWOW64\cmd.exe
Command line: cmd /c ""C:\providercommon\1zu9dW.bat" "
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
- PID: 2752

Level 4: C:\providercommon\DllCommonsvc.exe
Command line: "C:\providercommon\DllCommonsvc.exe"
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- PID: 2912
Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (19 instances, all children of DllCommonsvc.exe)
Command line: "powershell" -Command Add-MpPreference -ExclusionPath '<path>' with the path per PID below
Tags on every instance:
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: excluded path
- 2708: C:\providercommon\DllCommonsvc.exe
- 2720: C:\providercommon\taskhost.exe
- 2820: C:\providercommon\audiodg.exe
- 2816: C:\providercommon\System.exe
- 2888: C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\explorer.exe
- 2900: C:\MSOCache\All Users\winlogon.exe
- 1680: C:\Program Files\Java\smss.exe
- 2596: C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\explorer.exe
- 2604: C:\Users\Default User\lsass.exe
- 2612: C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\Idle.exe
- 2644: C:\Windows\Registration\CRMLog\DllCommonsvc.exe
- 2764: C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\winlogon.exe
- 1844: C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\lsass.exe
- 768: C:\Program Files (x86)\Windows NT\TableTextService\it-IT\dwm.exe
- 808: C:\Users\Default User\OSPPSVC.exe
- 572: C:\providercommon\wininit.exe
- 584: C:\Program Files (x86)\Windows NT\lsm.exe
- 2064: C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\taskhost.exe
- 756: C:\Program Files\Windows Defender\OSPPSVC.exe
Level 5: C:\Windows\System32\cmd.exe (child of DllCommonsvc.exe)
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\u2O42e30oF.bat"
- PID: 2056

Level 6: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
- PID: 2932

Level 6: C:\Users\Default User\lsass.exe
Command line: "C:\Users\Default User\lsass.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- PID: 3436

From here the same pattern repeats ten more times, two levels deeper each time: the running lsass.exe copy starts cmd.exe /C on a freshly named .bat in C:\Users\Admin\AppData\Local\Temp, the batch runs w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 (a network-free stand-in for a sleep of a few seconds) and then relaunches "C:\Users\Default User\lsass.exe". Every lsass.exe instance carries the same three tags as PID 3436 (Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken); the cmd.exe and w32tm.exe instances carry none.

Levels (cmd / w32tm and lsass) | cmd.exe PID | batch file in C:\Users\Admin\AppData\Local\Temp | w32tm.exe PID | lsass.exe PID
5 / 6   | 2056 | u2O42e30oF.bat | 2932 | 3436
7 / 8   | 3792 | a1lJXnITmE.bat | 3832 | 3864
9 / 10  | 1608 | QtXcZTVakC.bat | 1708 | 1580
11 / 12 | 2972 | F5GJdikwFG.bat | 2980 | 1040
13 / 14 | 2892 | 2zXOrWkEHk.bat | 2224 | 1764
15 / 16 | 2036 | TdlfhXh7Yo.bat | 3068 | 1964
17 / 18 | 3676 | sJ59Arupck.bat | 3716 | 3748
19 / 20 | 2164 | ZES4mQr7Bk.bat | 2128 | 2700
21 / 22 | 2344 | jClCs9nEU3.bat | 1600 | 3096
23 / 24 | 3104 | D9EGxcg3vT.bat | 1892 | 3212
25 / 26 | 952  | CV35gbisF1.bat | 1844 | 908
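The restart chain above (cmd.exe runs a .bat from %TEMP%, the batch calls w32tm against localhost as a delay, then relaunches the same lsass.exe copy) can be recovered from process-creation logs by walking parent/child links. The following is an added example, not part of the report and not the sample's code: it rebuilds the tree from flat records, counts how many generations of the same image sit in a process's ancestry, and reports those relaunched through a batch file in a Temp directory with a w32tm delay alongside. The records are constructed from PIDs and command lines in this run plus two made-up benign entries; the Proc field names are an assumed schema, not a sandbox export.

```python
"""Added example, not part of the sandbox report: walk a process tree and
flag the self-restart loop seen in this run (cmd.exe runs a .bat from Temp,
the batch delays with w32tm, then relaunches the same binary). Records are
constructed from the report's PIDs and command lines; Proc is an assumed
schema."""
import re
from collections import defaultdict, namedtuple

Proc = namedtuple("Proc", "pid ppid image cmdline")

# A batch file somewhere under a directory named Temp, as in this run.
TEMP_BAT_RE = re.compile(r"\\temp\\[^\"\\]+\.bat\b", re.IGNORECASE)


def is_w32tm_delay(cmdline):
    """w32tm /stripchart against localhost is a common stand-in for a sleep:
    it blocks for roughly period * samples seconds and needs no network."""
    c = cmdline.lower()
    return "w32tm" in c and "/stripchart" in c and "/computer:localhost" in c


def build_tree(events):
    """Index records by pid and by parent pid."""
    by_pid = {e.pid: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e.ppid].append(e)
    return by_pid, children


def lineage(by_pid, pid):
    """The process and its ancestors, nearest first, as far as the log reaches."""
    chain = []
    while pid in by_pid:
        chain.append(by_pid[pid])
        pid = by_pid[pid].ppid
    return chain


def generations(by_pid, pid):
    """How many processes in the lineage (self included) run the same image."""
    image = by_pid[pid].image.lower()
    return sum(1 for e in lineage(by_pid, pid) if e.image.lower() == image)


def find_restart_loops(events, min_generations=2):
    """Processes relaunched by an ancestor of the same image via a Temp batch file."""
    by_pid, children = build_tree(events)
    findings = []
    for e in events:
        gens = generations(by_pid, e.pid)
        if gens < min_generations:
            continue
        launcher = by_pid.get(e.ppid)
        if launcher is None or not TEMP_BAT_RE.search(launcher.cmdline):
            continue  # relaunch did not go through a batch file in Temp
        delayed = any(is_w32tm_delay(s.cmdline) for s in children[launcher.pid])
        findings.append({"pid": e.pid, "image": e.image, "generations": gens,
                         "launcher_pid": launcher.pid, "w32tm_delay": delayed})
    return findings


W32TM = "w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2"
LSASS = r"C:\Users\Default User\lsass.exe"
CMD = r"C:\Windows\System32\cmd.exe"
# First ten records follow the report's tree (PIDs 2912 down to 1580); the last
# two are constructed benign noise: a genuine time resync from another parent.
SAMPLE_EVENTS = [
    Proc(2912, 2752, r"C:\providercommon\DllCommonsvc.exe", r'"C:\providercommon\DllCommonsvc.exe"'),
    Proc(2056, 2912, CMD, r'"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\u2O42e30oF.bat"'),
    Proc(2932, 2056, r"C:\Windows\system32\w32tm.exe", W32TM),
    Proc(3436, 2056, LSASS, r'"C:\Users\Default User\lsass.exe"'),
    Proc(3792, 3436, CMD, r'"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\a1lJXnITmE.bat"'),
    Proc(3832, 3792, r"C:\Windows\system32\w32tm.exe", W32TM),
    Proc(3864, 3792, LSASS, r'"C:\Users\Default User\lsass.exe"'),
    Proc(1608, 3864, CMD, r'"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QtXcZTVakC.bat"'),
    Proc(1708, 1608, r"C:\Windows\system32\w32tm.exe", W32TM),
    Proc(1580, 1608, LSASS, r'"C:\Users\Default User\lsass.exe"'),
    Proc(4100, 4000, CMD, r'"C:\Windows\System32\cmd.exe" /C w32tm /resync'),
    Proc(4101, 4100, r"C:\Windows\system32\w32tm.exe", "w32tm /resync"),
]

if __name__ == "__main__":
    for f in find_restart_loops(SAMPLE_EVENTS):
        print(f"pid {f['pid']} generation {f['generations']} of {f['image']} "
              f"relaunched by cmd.exe pid {f['launcher_pid']}, w32tm delay: {f['w32tm_delay']}")
```

The first lsass.exe (PID 3436) is not reported because it has no same-image ancestor; from the second generation on, every relaunch is flagged, with the generation count rising by one each time, which is the signal that separates a restart loop from a program that restarts itself once.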
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\providercommon\taskhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2428
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\providercommon\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3016
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\providercommon\taskhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2836
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\providercommon\audiodg.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:980
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\providercommon\audiodg.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1492
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\providercommon\audiodg.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:236
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\providercommon\System.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1708
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1284
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1744
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\explorer.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3052
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\explorer.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1864
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\explorer.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1632
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\winlogon.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1716
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\winlogon.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2824
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\winlogon.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2832
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Program Files\Java\smss.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2632
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Java\smss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2416
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Program Files\Java\smss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2564
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\explorer.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2044
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1820
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:544
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\lsass.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2576
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Default User\lsass.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2968
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\lsass.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2960
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\Idle.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2376
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\Idle.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1912
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\Idle.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:860
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 10 /tr "'C:\Windows\Registration\CRMLog\DllCommonsvc.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2464
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Windows\Registration\CRMLog\DllCommonsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:316
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 14 /tr "'C:\Windows\Registration\CRMLog\DllCommonsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:612
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\winlogon.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1564
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\winlogon.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:896
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\winlogon.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:448
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\lsass.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2944
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1012
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:996
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\it-IT\dwm.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1060
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\it-IT\dwm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1592
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\it-IT\dwm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:836
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\OSPPSVC.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2192
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\Default User\OSPPSVC.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:900
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\OSPPSVC.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1712
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\providercommon\wininit.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1748
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\providercommon\wininit.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2084
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\providercommon\wininit.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2260
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows NT\lsm.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1600
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\lsm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2476
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows NT\lsm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1728
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\taskhost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3000
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\taskhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1572
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\taskhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1580
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Defender\OSPPSVC.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2792
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\OSPPSVC.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2796
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Defender\OSPPSVC.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2724
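The task definitions listed above follow one fixed pattern: for every dropped copy that borrows a Windows process name (taskhost, audiodg, winlogon, lsass, dwm, and so on) the sample registers three tasks, a minute-interval task without /rl, an ONLOGON task with /rl HIGHEST, and a second minute-interval task with /rl HIGHEST, each with /f so that any existing task of that name is silently overwritten, and each task name is the image name with its first letter appended (taskhostt, lsassl, dwmd). The Python below is an added example written for this page; it is not code from the sandbox or from the sample. It parses schtasks /create command lines of the shape shown above and flags the traits an analyst triages on: a system image name launched from outside the Windows directory, a short re-launch interval, /rl HIGHEST, and the name+letter convention, then groups the tasks by target binary so the per-copy triplets stand out. SYSTEM_IMAGE_NAMES, TRUSTED_DIRS and WATCHDOG_MINUTES are assumptions chosen for this sample, six of the sample command lines are copied from the list above, and the VendorUpdate line is a constructed benign task for contrast.

```python
import re
from collections import defaultdict

# Image names the dropper reuses for its copies (taken from the task list above, plus a
# few other core Windows process names); a task whose target carries one of these names
# but lives outside the Windows directory is a masquerade candidate. Assumption for this page.
SYSTEM_IMAGE_NAMES = {
    "taskhost", "audiodg", "system", "explorer", "winlogon", "smss", "lsass", "idle",
    "dwm", "wininit", "lsm", "csrss", "services", "svchost", "spoolsv",
}
# Where those images legitimately live on a stock install (assumption).
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\explorer.exe")
# The sample re-launches every 5 to 14 minutes; treat anything at or below this as a watchdog (assumption).
WATCHDOG_MINUTES = 15

_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def tokenize(cmdline):
    """Split a Windows command line on whitespace, keeping double-quoted runs intact."""
    return [quoted or bare for quoted, bare in _TOKEN.findall(cmdline)]


def parse_schtasks(cmdline):
    """Return the /tn, /sc, /mo, /tr, /rl values and the /f flag of a 'schtasks /create' command line."""
    toks = tokenize(cmdline)
    task = {"tn": None, "sc": None, "mo": None, "tr": None, "rl": None, "force": False}
    i = 0
    while i < len(toks):
        tok = toks[i]
        has_value = i + 1 < len(toks) and not toks[i + 1].startswith("/")
        if tok.lower() == "/f":
            task["force"] = True                      # /f overwrites an existing task of the same name
        elif tok.startswith("/") and has_value:
            key, value = tok[1:].lower(), toks[i + 1]
            if key == "tr":
                value = value.strip("'")              # the dropper wraps the path in '...' inside "..."
            elif key == "mo":
                value = int(value)
            if key in task:
                task[key] = value
            i += 1                                    # skip the consumed value
        i += 1
    return task


def assess(task):
    """Return the suspicious traits a parsed task shows (an empty list means nothing was noted)."""
    findings = []
    target = task["tr"] or ""
    image = target.rsplit("\\", 1)[-1].lower()
    stem = image[:-4] if image.endswith(".exe") else image
    if stem in SYSTEM_IMAGE_NAMES and not target.lower().startswith(TRUSTED_DIRS):
        findings.append(f"masquerade: {image} scheduled from {target}")
    if (task["sc"] or "").upper() == "MINUTE" and task["mo"] is not None and task["mo"] <= WATCHDOG_MINUTES:
        findings.append(f"watchdog: re-launched every {task['mo']} min")
    if (task["rl"] or "").upper() == "HIGHEST":
        findings.append("elevation: /rl HIGHEST (runs with the highest token the user can get)")
    # Task names in this sample are the image name with its first letter appended (taskhostt, lsassl, ...).
    if stem and (task["tn"] or "").lower() == stem + stem[0]:
        findings.append(f"naming: task '{task['tn']}' is the image name plus its first letter")
    return findings


def group_by_target(cmdlines):
    """Group task definitions by the binary they launch, to expose the per-copy triplets."""
    groups = defaultdict(list)
    for line in cmdlines:
        t = parse_schtasks(line)
        groups[t["tr"]].append((t["tn"], t["sc"], t["mo"], t["rl"]))
    return dict(groups)


# Six command lines copied from the report above, plus one constructed benign task for contrast.
SAMPLE_CMDLINES = r'''
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\providercommon\audiodg.exe'" /f
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\providercommon\audiodg.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\providercommon\audiodg.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\lsass.exe'" /f
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Default User\lsass.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\lsass.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "VendorUpdate" /sc DAILY /st 02:00 /tr "C:\Program Files\Vendor\updater.exe" /f
'''.strip().splitlines()

if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        task = parse_schtasks(line)
        print(f"{task['tn']:>14}  {task['sc']:<8}", "; ".join(assess(task)) or "clean")
    for target, tasks in group_by_target(SAMPLE_CMDLINES).items():
        print(f"{len(tasks)} task(s) -> {target}")
```

The same parser works on Sysmon event 1 or 4688 command lines for schtasks.exe; the triplet grouping is the stronger signal, since a single minute-interval task is common in legitimate software but three tasks with staggered intervals pointing at one binary under C:\Recovery or C:\MSOCache is not.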
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 ff068badad8b371052dd794f51efb3f6
SHA1 be2fcdf5f2482f85f87ca0011ca14df3d11c06ec
SHA256 1b7aa2bf1a4a904b675b03cda5210caf29dc8a6745a456dc0513e4012f1104d3
SHA512 b7b9b4ba45403fa6f52c115b0c9143a2acd141f078d95a79efbb7732e45f4cfc097bb0a9dd133b0e70427ba2afd01e5777b7357546085c7f6846820bcfe8be1d
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 a3bf2f20c9c6a4e11ccba7ed9823ce9b
SHA1 93819c395993370d120ec7e167c294d16a76f7f2
SHA256 d11bb9ed1546f088c4bd74d7061691b4cd6a436ff1c1ac95a88d3443b1d89eda
SHA512 057df1a7968a2dd8400a4f5e97a46bcc9bb358d7eb1ad032556664be0b8ce7d22184964c5832ddb267fb2f0edd1db74601cb3457c7a689e8ca6bfd70f04395b1
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 ed04a02754a2961e26d04ebdbebf9ace
SHA1 4665dfdf706e6aefa99935c2b9a15becf05d6a6d
SHA256 1de9abca5a896f7a05d6abaf8faf60453cb55a52225139695631b8d7a5f07741
SHA512 082485b40684ebf7bfeeb084a18a4e4a62537d2b75949a51a7fb52fc05089ff211a6c701aa65ed238a1267f9194b32a59c7de51441e347f429ee405d9a285312
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 2bcbf49519c737d62e371df9659b1950
SHA1 571fa398462a277aa8e0279fe73b38f1a1347690
SHA256 3d324b9d7d1d119b5b397cf30c0970209e88a25158f866ed9f22cc8410afb59e
SHA512 8ed10c3577924816424391a9dc367302e204d55939105d6f4b23f8660d2c616d3d8f6604378dfe54e7e84f3741c51f31d45f7de2dad62222df9166235133b86e
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 41210c541e299251814e08a97b5dac38
SHA1 f0b14a577689660d021af9acc8b8b0a380335d59
SHA256 e084b45517ab0e0f7020b971730ca6ec4b3732501461b56abec3a11ef21fc6d2
SHA512 0ba247362a1cde640b0d4ec5719ae2c0cf3924820717f4034a4e0f0df9e9e691b88aae676039fd7ba99798bdf0e8a013174b3e65804eb09515571e84559a0a84
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 93fa0698941dd893f191d7d26fdaab5c
SHA1 9d000e6a8bf1fdda2037019eb7317bf6d3d89345
SHA256 f671ee0c461e3e5324d8c42703f0770d1cce938ba3405c8fe96599aa7afb8355
SHA512 85ced1f449b8f5ce66b358fb171aac9383927f80d7bc4ae9e9c421e0c3e2e0b8c0347913d940db468173e66314c84dabf7a109601084c17c2b08ce938231359a
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 41f36cd81dd41e9fdf964f95fa1d374a
SHA1 8fb6a011483a2420f3288907fe7e4ac2417810eb
SHA256 360c40980abbe0919a19071f8fa65142f20b230faf2149f864dcfbde09d03695
SHA512 1c9b542a63b031f7dfd228dbdd59ce7f259fb3302e65cb920e21acbd3161cdae22da089972cfe9934239183370b4b442cd3a7cfed7c01652786817b1aba60336
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 6dbfe0345b50f9f46289c11b6b545ed5
SHA1 3e5bea5021be3b50330a2637e40742c5436a66f4
SHA256 3e4a99d8b696f0bef3a9d47dc8e184f38853425e8118b34988cd49442348a088
SHA512 39184ec628c2269b838d627e318bd078922988977dbfe781e16f3a857a45e6c9a00df72873b6c19059846b38b526848d99712789fb34b7eaba5af99cc80c88c9
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 548d8377f21ed0a90e2e85e7b47dbd93
SHA1 f8aeac9e56987e018b9abaa3dfdbd55b3e37f699
SHA256 297de764974fcb01adbdeaee12657a3c385687611216675daa747a65fae86ae6
SHA512 7a26f759922e9fef4b4cfded13f59d1c5a006fbabe1e51689b241b9824fcac89929150d92183a5858e4c614fe7d6c53c7b55a542f128ea2321c65e3c3932db47
-
Filesize 196B
MD5 d77517c1a51bad2dec8586922f57aa00
SHA1 b96b3419aa2b972370710ba8261d000fe5c2af60
SHA256 73ec2600b71ab8efb37e7ff7697f32656a800b5ae158a75995052eae2cfde274
SHA512 a04cc363ced306aa6023c50e946eb11c7213b1e03fdac1fafb3c309d90d39c86ef99c8023a1c2cde1aef46620299c99e32420c920aed7742e6e7ccb8dd7bc6d8
-
Filesize 196B
MD5 8930b9aff083ff84d272c85ceaeb44e8
SHA1 d17c0414d50cf3cb640f3e248469f4c1d2d6668e
SHA256 802a753d14d2f00745aac9a14b51a5200d28a07038844d564a05d7429ca45b13
SHA512 4772b337e0763c426a3bb5138e8b0e436a01c143dced931a66672340ea708031dcb9589b433d8ec339fe02c37591d7c6215f398e714a5f573096a740fddd89b3
-
Filesize 70KB
MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize 196B
MD5 952d82c198584a88fb3b7a9b4d78109e
SHA1 0e27c9cd41523d424e85051da7e536ce3fa509d3
SHA256 fbafd44bbcd71bcfdc4a03d07459d6ea59cf099759e3fccde1609cadb8ade975
SHA512 45fa62710a691c1e224e06698db01618fd2fd85d60de7467a199fda5424b2f6f6293f1b35557786b8b16350a2ec07b21357890c7f7690d9de63e4b661e9a13cd
-
Filesize 196B
MD5 f786834da8e87fa1a736f8d6861c27b8
SHA1 2eaf703a38535cf55a1b9235e4807334f7311e01
SHA256 f91f7e76460a7a4179eba1e9841461087202d048824279b93e0311f1f5043558
SHA512 70160d1dc86288b679973f4e489cb65ec15862e4a4fee1bea8fedd49ecca87630ec0f111cd391a28cf693f65056c17157d0003e1d19b2d39fb1680e230ed03ef
-
Filesize 196B
MD5 c9f4c5958b1ca849f2d2bb542c8cc289
SHA1 ba38ff0c86b9f25214e6fda64a33295e846a71e4
SHA256 bbae72cb797e1ce9f20140e0613dafa71ee1e84ccc7d0c7e3a1255830ca392fc
SHA512 fb10a6c270eb0c0f9bd322dd02c0e9a46c652b1cae833616b6eccb2a922ba3190d0304516b55514e42ec5e61f1c6ad5654ad56d106a98008f8b80c4ec351a06a
-
Filesize 181KB
MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize 196B
MD5 6f8bac3463e469444501d1900061e0c3
SHA1 b989196aa3984d7e213f8eb78ebcfbaf09c54013
SHA256 a27db04682bb270a1683ef79850a18938a4342e4af1037b86a033971e6a8b064
SHA512 724bd05382d13d2288ad5de77dc6ed841cb952734762789940cf7918b7318df3cc1248ece6b1b28acad4ed17ed942d7c674f770430c07a33547c52733cfe2cfb
-
Filesize 196B
MD5 d31139be0dea1299b99ffe26c795a24a
SHA1 fb861300658ed938f2aa8b8dc4360bb83f3943b0
SHA256 8e7f14e6725eb4d8691ebf221fa5a7a2c0717acf7456de28e4fa6f51608edcfd
SHA512 b1ccf6b53e89ca780f3eb3e42fdb0c18521c6b91b71dcccd55ff5c76c23c7f0b200b10e98eb8883f66a6a7ed76a5cbcec30f6d3a147b79144916267ce28e45d4
-
Filesize 196B
MD5 7747d826daa5057e64a79a2da3f5f86c
SHA1 f4352a5d96460a90b45d7a2214a25878cf834620
SHA256 2d62e2c41d41b5aa905eb59e6c73f9a9f0ad0e73e80d153eb90f26788defcf2d
SHA512 1764ce96a85ce6e5bae83e2bf4845bfa8093ec0274e1bd8c544f4bbb0ea38627f11ecbca5ac1b4b5691541b382c7aabfb11898f8715d7696c188489bb077941c
-
Filesize 196B
MD5 74e438fd706c89d27fdb423ae2f814e9
SHA1 eda31daf4b3553ffa4b3d27fbfebd5ef421f4f44
SHA256 fd760abdc343dd15998caed4ed3b40b9e687cf68cdf3d89cedcb380194d715e8
SHA512 597a93c5029136f819af76633a8ccc692abb62072c10b0bd33d1f90244f6e57b199e7d04ed499ac2982f4185473e119941e3d7967082ea23794c231ef3d40980
-
Filesize 196B
MD5 3cf590699163c348669fbe40895766a4
SHA1 973331cce7f70adb28e93db151127de4128a795f
SHA256 fde09a8243a4979b2bbccfb9152a631f822c5f33a2738f8c60aa03f6ae6f6ee2
SHA512 df7c1eb5c5d78f5734a844eb460e2131ab7372084517f285697f801ee4c877dee0c6d49962286db65187a23344cb10430339ac83d09181879c3c9ed69341af65
-
Filesize 196B
MD5 738e8a32c7cfc8e348ade8d4c7fa94f2
SHA1 7616c75c233abdd35845665c6ade6cc81edc877e
SHA256 afb8af4b4cc3df2ab96ff808b4bad64eb74961803c929df39fe0e4231ac92bc7
SHA512 ec526e1ba9c1bee746b2197ed8bf5e072bddd517984c3102b8a8966f4168f6cb0d6f06ae38a872b1f4810b16b8e2041d3b69b99dd6462a8a983a648106c69a4d
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize 7KB
MD5 8ffcc75309d5d0730e65b82b1a87a8c0
SHA1 a8491fa0b99ded69595f77953c7de642f3220273
SHA256 5785083fea89b52a41bc5a0373d7958491fa21023e48d2ecb06a915786b219ae
SHA512 89c559f6da7967d397e8dec79c406ef47e8bf549ab2c1e9ec922e8a83055c067585542f5af72aa1abdcd0b15d5161513b97debec7cba571e7e5063ab75e25caf
-
Filesize 36B
MD5 6783c3ee07c7d151ceac57f1f9c8bed7
SHA1 17468f98f95bf504cc1f83c49e49a78526b3ea03
SHA256 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512 c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8
-
Filesize 1.0MB
MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
Filesize 197B
MD5 8088241160261560a02c84025d107592
SHA1 083121f7027557570994c9fc211df61730455bb5
SHA256 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA512 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478