Analysis
-
max time kernel
146s -
max time network
146s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
21-12-2024 22:49
Behavioral task
behavioral1
Sample
JaffaCakes118_75412fa5934540517b4fbb1a1cacb05370446afbd326cc7087e9c6cf39a94b07.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
JaffaCakes118_75412fa5934540517b4fbb1a1cacb05370446afbd326cc7087e9c6cf39a94b07.exe
Resource
win10v2004-20241007-en
General
-
Target
JaffaCakes118_75412fa5934540517b4fbb1a1cacb05370446afbd326cc7087e9c6cf39a94b07.exe
-
Size
1.3MB
-
MD5
15989978bbe2bbdd23cbf964eb530285
-
SHA1
dd6827e0785ef07ec8a53cc06fe4e632851878ac
-
SHA256
75412fa5934540517b4fbb1a1cacb05370446afbd326cc7087e9c6cf39a94b07
-
SHA512
9f81232ef8293eda6b4429fbe022e176cda1fe2d9ccf65fc5efd30ad6f7b8de25368923a99a3a0d666b6edc97377ee6ed590327a2195f859b2e7d2f79671162e
-
SSDEEP
24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 48 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2744 2840 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2792 2840 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2608 2840 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2572 2840 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 288 2840 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1300 2840 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2236 2840 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 744 2840 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1352 2840 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2536 2840 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1160 2840 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2172 2840 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2584 2840 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2612 2840 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3016 2840 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3048 2840 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1012 2840 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2400 2840 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3032 2840 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3036 2840 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1224 2840 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2044 2840 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2184 2840 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1588 2840 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2080 2840 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2364 2840 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2200 2840 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 572 2840 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1564 2840 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 524 2840 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2620 2840 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2516 2840 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1980 2840 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 896 2840 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2324 2840 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1508 2840 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 756 2840 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1752 2840 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2008 2840 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1772 2840 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1248 2840 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1092 2840 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1048 2840 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1480 2840 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 740 2840 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2100 2840 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2340 2840 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 700 2840 schtasks.exe 33 -
resource yara_rule behavioral1/files/0x000700000001756b-9.dat dcrat behavioral1/memory/2852-13-0x00000000002A0000-0x00000000003B0000-memory.dmp dcrat behavioral1/memory/2508-138-0x0000000000830000-0x0000000000940000-memory.dmp dcrat behavioral1/memory/760-197-0x0000000000AF0000-0x0000000000C00000-memory.dmp dcrat behavioral1/memory/744-257-0x0000000000BC0000-0x0000000000CD0000-memory.dmp dcrat behavioral1/memory/1968-317-0x0000000000220000-0x0000000000330000-memory.dmp dcrat behavioral1/memory/2508-377-0x00000000003C0000-0x00000000004D0000-memory.dmp dcrat behavioral1/memory/2060-437-0x0000000000B50000-0x0000000000C60000-memory.dmp dcrat behavioral1/memory/2608-497-0x0000000001140000-0x0000000001250000-memory.dmp dcrat -
Command and Scripting Interpreter: PowerShell 1 TTPs 17 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 1600 powershell.exe 2436 powershell.exe 2488 powershell.exe 2976 powershell.exe 2756 powershell.exe 2864 powershell.exe 2888 powershell.exe 2268 powershell.exe 2836 powershell.exe 2116 powershell.exe 2428 powershell.exe 2916 powershell.exe 3012 powershell.exe 2812 powershell.exe 3020 powershell.exe 1708 powershell.exe 1820 powershell.exe -
Executes dropped EXE 11 IoCs
pid Process 2852 DllCommonsvc.exe 2508 wininit.exe 760 wininit.exe 744 wininit.exe 1968 wininit.exe 2508 wininit.exe 2060 wininit.exe 2608 wininit.exe 1492 wininit.exe 1804 wininit.exe 792 wininit.exe -
Loads dropped DLL 2 IoCs
pid Process 2996 cmd.exe 2996 cmd.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs
flow ioc 19 raw.githubusercontent.com 25 raw.githubusercontent.com 4 raw.githubusercontent.com 5 raw.githubusercontent.com 9 raw.githubusercontent.com 13 raw.githubusercontent.com 16 raw.githubusercontent.com 22 raw.githubusercontent.com 29 raw.githubusercontent.com 32 raw.githubusercontent.com -
Drops file in Program Files directory 13 IoCs
description ioc Process File created C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\Idle.exe DllCommonsvc.exe File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\Idle.exe DllCommonsvc.exe File created C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\6ccacd8608530f DllCommonsvc.exe File created C:\Program Files\Windows Photo Viewer\de-DE\DllCommonsvc.exe DllCommonsvc.exe File created C:\Program Files (x86)\Windows NT\TableTextService\smss.exe DllCommonsvc.exe File created C:\Program Files\Microsoft Office\Office14\27d1bcfc3c54e0 DllCommonsvc.exe File created C:\Program Files (x86)\Windows Mail\ja-JP\winlogon.exe DllCommonsvc.exe File created C:\Program Files (x86)\Windows Mail\ja-JP\cc11b995f2a76d DllCommonsvc.exe File created C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\lsass.exe DllCommonsvc.exe File created C:\Program Files\Windows Photo Viewer\de-DE\a76d7bf15d8370 DllCommonsvc.exe File created C:\Program Files (x86)\Windows NT\TableTextService\69ddcba757bf72 DllCommonsvc.exe File created C:\Program Files\Microsoft Office\Office14\System.exe DllCommonsvc.exe File created C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\6203df4a6bafc7 DllCommonsvc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_75412fa5934540517b4fbb1a1cacb05370446afbd326cc7087e9c6cf39a94b07.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 48 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2572 schtasks.exe 3016 schtasks.exe 1980 schtasks.exe 896 schtasks.exe 1480 schtasks.exe 2236 schtasks.exe 2584 schtasks.exe 572 schtasks.exe 2324 schtasks.exe 1772 schtasks.exe 1048 schtasks.exe 744 schtasks.exe 1352 schtasks.exe 1012 schtasks.exe 524 schtasks.exe 756 schtasks.exe 700 schtasks.exe 2184 schtasks.exe 1588 schtasks.exe 2364 schtasks.exe 2340 schtasks.exe 3036 schtasks.exe 2620 schtasks.exe 2516 schtasks.exe 1752 schtasks.exe 2008 schtasks.exe 2172 schtasks.exe 1224 schtasks.exe 1508 schtasks.exe 1248 schtasks.exe 1092 schtasks.exe 740 schtasks.exe 2100 schtasks.exe 1564 schtasks.exe 2744 schtasks.exe 2792 schtasks.exe 2608 schtasks.exe 288 schtasks.exe 2612 schtasks.exe 2400 schtasks.exe 2080 schtasks.exe 1300 schtasks.exe 2536 schtasks.exe 1160 schtasks.exe 3048 schtasks.exe 3032 schtasks.exe 2044 schtasks.exe 2200 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 30 IoCs
pid Process 2852 DllCommonsvc.exe 2852 DllCommonsvc.exe 2852 DllCommonsvc.exe 1600 powershell.exe 2488 powershell.exe 2268 powershell.exe 2116 powershell.exe 2756 powershell.exe 3020 powershell.exe 2812 powershell.exe 2916 powershell.exe 3012 powershell.exe 2976 powershell.exe 2428 powershell.exe 2888 powershell.exe 2864 powershell.exe 1820 powershell.exe 1708 powershell.exe 2436 powershell.exe 2836 powershell.exe 2508 wininit.exe 760 wininit.exe 744 wininit.exe 1968 wininit.exe 2508 wininit.exe 2060 wininit.exe 2608 wininit.exe 1492 wininit.exe 1804 wininit.exe 792 wininit.exe -
Suspicious use of AdjustPrivilegeToken 28 IoCs
description pid Process Token: SeDebugPrivilege 2852 DllCommonsvc.exe Token: SeDebugPrivilege 1600 powershell.exe Token: SeDebugPrivilege 2488 powershell.exe Token: SeDebugPrivilege 2268 powershell.exe Token: SeDebugPrivilege 2116 powershell.exe Token: SeDebugPrivilege 2756 powershell.exe Token: SeDebugPrivilege 3020 powershell.exe Token: SeDebugPrivilege 2812 powershell.exe Token: SeDebugPrivilege 2916 powershell.exe Token: SeDebugPrivilege 3012 powershell.exe Token: SeDebugPrivilege 2976 powershell.exe Token: SeDebugPrivilege 2428 powershell.exe Token: SeDebugPrivilege 2888 powershell.exe Token: SeDebugPrivilege 2864 powershell.exe Token: SeDebugPrivilege 1820 powershell.exe Token: SeDebugPrivilege 1708 powershell.exe Token: SeDebugPrivilege 2436 powershell.exe Token: SeDebugPrivilege 2836 powershell.exe Token: SeDebugPrivilege 2508 wininit.exe Token: SeDebugPrivilege 760 wininit.exe Token: SeDebugPrivilege 744 wininit.exe Token: SeDebugPrivilege 1968 wininit.exe Token: SeDebugPrivilege 2508 wininit.exe Token: SeDebugPrivilege 2060 wininit.exe Token: SeDebugPrivilege 2608 wininit.exe Token: SeDebugPrivilege 1492 wininit.exe Token: SeDebugPrivilege 1804 wininit.exe Token: SeDebugPrivilege 792 wininit.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3012 wrote to memory of 2216 3012 JaffaCakes118_75412fa5934540517b4fbb1a1cacb05370446afbd326cc7087e9c6cf39a94b07.exe 29 PID 3012 wrote to memory of 2216 3012 JaffaCakes118_75412fa5934540517b4fbb1a1cacb05370446afbd326cc7087e9c6cf39a94b07.exe 29 PID 3012 wrote to memory of 2216 3012 JaffaCakes118_75412fa5934540517b4fbb1a1cacb05370446afbd326cc7087e9c6cf39a94b07.exe 29 PID 3012 wrote to memory of 2216 3012 JaffaCakes118_75412fa5934540517b4fbb1a1cacb05370446afbd326cc7087e9c6cf39a94b07.exe 29 PID 2216 wrote to memory of 2996 2216 WScript.exe 30 PID 2216 wrote to memory of 2996 2216 WScript.exe 30 PID 2216 wrote to memory of 2996 2216 WScript.exe 30 PID 2216 wrote to memory of 2996 2216 WScript.exe 30 PID 2996 wrote to memory of 2852 2996 cmd.exe 32 PID 2996 wrote to memory of 2852 2996 cmd.exe 32 PID 2996 wrote to memory of 2852 2996 cmd.exe 32 PID 2996 wrote to memory of 2852 2996 cmd.exe 32 PID 2852 wrote to memory of 2812 2852 DllCommonsvc.exe 82 PID 2852 wrote to memory of 2812 2852 DllCommonsvc.exe 82 PID 2852 wrote to memory of 2812 2852 DllCommonsvc.exe 82 PID 2852 wrote to memory of 3020 2852 DllCommonsvc.exe 83 PID 2852 wrote to memory of 3020 2852 DllCommonsvc.exe 83 PID 2852 wrote to memory of 3020 2852 DllCommonsvc.exe 83 PID 2852 wrote to memory of 1600 2852 DllCommonsvc.exe 85 PID 2852 wrote to memory of 1600 2852 DllCommonsvc.exe 85 PID 2852 wrote to memory of 1600 2852 DllCommonsvc.exe 85 PID 2852 wrote to memory of 1708 2852 DllCommonsvc.exe 88 PID 2852 wrote to memory of 1708 2852 DllCommonsvc.exe 88 PID 2852 wrote to memory of 1708 2852 DllCommonsvc.exe 88 PID 2852 wrote to memory of 2268 2852 DllCommonsvc.exe 89 PID 2852 wrote to memory of 2268 2852 DllCommonsvc.exe 89 PID 2852 wrote to memory of 2268 2852 DllCommonsvc.exe 89 PID 2852 wrote to memory of 2916 2852 DllCommonsvc.exe 90 PID 2852 wrote to memory of 2916 2852 DllCommonsvc.exe 90 PID 2852 wrote to memory of 2916 2852 DllCommonsvc.exe 90 PID 2852 wrote to memory of 2436 2852 DllCommonsvc.exe 91 PID 2852 wrote to memory of 2436 2852 DllCommonsvc.exe 91 PID 2852 wrote to memory of 2436 2852 DllCommonsvc.exe 91 PID 2852 wrote to memory of 2488 2852 DllCommonsvc.exe 94 PID 2852 wrote to memory of 2488 2852 DllCommonsvc.exe 94 PID 2852 wrote to memory of 2488 2852 DllCommonsvc.exe 94 PID 2852 wrote to memory of 3012 2852 DllCommonsvc.exe 95 PID 2852 wrote to memory of 3012 2852 DllCommonsvc.exe 95 PID 2852 wrote to memory of 3012 2852 DllCommonsvc.exe 95 PID 2852 wrote to memory of 1820 2852 DllCommonsvc.exe 96 PID 2852 wrote to memory of 1820 2852 DllCommonsvc.exe 96 PID 2852 wrote to memory of 1820 2852 DllCommonsvc.exe 96 PID 2852 wrote to memory of 2836 2852 DllCommonsvc.exe 97 PID 2852 wrote to memory of 2836 2852 DllCommonsvc.exe 97 PID 2852 wrote to memory of 2836 2852 DllCommonsvc.exe 97 PID 2852 wrote to memory of 2976 2852 DllCommonsvc.exe 99 PID 2852 wrote to memory of 2976 2852 DllCommonsvc.exe 99 PID 2852 wrote to memory of 2976 2852 DllCommonsvc.exe 99 PID 2852 wrote to memory of 2116 2852 DllCommonsvc.exe 102 PID 2852 wrote to memory of 2116 2852 DllCommonsvc.exe 102 PID 2852 wrote to memory of 2116 2852 DllCommonsvc.exe 102 PID 2852 wrote to memory of 2428 2852 DllCommonsvc.exe 103 PID 2852 wrote to memory of 2428 2852 DllCommonsvc.exe 103 PID 2852 wrote to memory of 2428 2852 DllCommonsvc.exe 103 PID 2852 wrote to memory of 2888 2852 DllCommonsvc.exe 104 PID 2852 wrote to memory of 2888 2852 DllCommonsvc.exe 104 PID 2852 wrote to memory of 2888 2852 DllCommonsvc.exe 104 PID 2852 wrote to memory of 2864 2852 DllCommonsvc.exe 105 PID 2852 wrote to memory of 2864 2852 DllCommonsvc.exe 105 PID 2852 wrote to memory of 2864 2852 DllCommonsvc.exe 105 PID 2852 wrote to memory of 2756 2852 DllCommonsvc.exe 106 PID 2852 wrote to memory of 2756 2852 DllCommonsvc.exe 106 PID 2852 wrote to memory of 2756 2852 DllCommonsvc.exe 106 PID 2852 wrote to memory of 888 2852 DllCommonsvc.exe 116 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_75412fa5934540517b4fbb1a1cacb05370446afbd326cc7087e9c6cf39a94b07.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_75412fa5934540517b4fbb1a1cacb05370446afbd326cc7087e9c6cf39a94b07.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3012 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2216 -
C:\Windows\SysWOW64\cmd.execmd /c ""C:\providercommon\1zu9dW.bat" "3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2996 -
C:\providercommon\DllCommonsvc.exe"C:\providercommon\DllCommonsvc.exe"4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2852 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2812
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\Idle.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3020
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Photo Viewer\de-DE\DllCommonsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1600
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\wininit.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1708
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\spoolsv.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2268
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\smss.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2916
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\wininit.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2436
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\TableTextService\smss.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2488
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\explorer.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3012
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\explorer.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1820
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\csrss.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2836
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\Office14\System.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2976
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\Idle.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2116
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\ja-JP\winlogon.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2428
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OSPPSVC.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2888
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\lsass.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2864
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Favorites\Idle.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2756
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JmnsDPSvSt.bat"5⤵PID:888
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:26⤵PID:2128
-
-
C:\providercommon\wininit.exe"C:\providercommon\wininit.exe"6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2508 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DhSpfyjZaR.bat"7⤵PID:1780
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:28⤵PID:1760
-
-
C:\providercommon\wininit.exe"C:\providercommon\wininit.exe"8⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:760 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nAABNdhKLs.bat"9⤵PID:1304
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:210⤵PID:2688
-
-
C:\providercommon\wininit.exe"C:\providercommon\wininit.exe"10⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:744 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6uGRILFBWR.bat"11⤵PID:1352
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:212⤵PID:1848
-
-
C:\providercommon\wininit.exe"C:\providercommon\wininit.exe"12⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1968 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Or3SRhMf8V.bat"13⤵PID:2192
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:214⤵PID:1716
-
-
C:\providercommon\wininit.exe"C:\providercommon\wininit.exe"14⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2508 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mMyBvdYgq2.bat"15⤵PID:1012
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:216⤵PID:3048
-
-
C:\providercommon\wininit.exe"C:\providercommon\wininit.exe"16⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2060 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WLCDTNV5Zk.bat"17⤵PID:288
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:218⤵PID:2080
-
-
C:\providercommon\wininit.exe"C:\providercommon\wininit.exe"18⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2608 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\g1eT93LUFj.bat"19⤵PID:2136
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:220⤵PID:2672
-
-
C:\providercommon\wininit.exe"C:\providercommon\wininit.exe"20⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1492 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cwtcXGf4Cf.bat"21⤵PID:2348
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:222⤵PID:632
-
-
C:\providercommon\wininit.exe"C:\providercommon\wininit.exe"22⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1804 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZBm8ilTxac.bat"23⤵PID:2660
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:224⤵PID:1668
-
-
C:\providercommon\wininit.exe"C:\providercommon\wininit.exe"24⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:792
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\Idle.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2744
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2792
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2608
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Photo Viewer\de-DE\DllCommonsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2572
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\de-DE\DllCommonsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:288
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Photo Viewer\de-DE\DllCommonsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1300
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2236
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:744
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1352
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\providercommon\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2536
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1160
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2172
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2584
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2612
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3016
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\providercommon\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3048
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\providercommon\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1012
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\providercommon\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2400
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3032
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3036
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1224
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\providercommon\explorer.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2044
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2184
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1588
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\explorer.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2080
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2364
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2200
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:572
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1564
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:524
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Office\Office14\System.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2620
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2516
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Program Files\Microsoft Office\Office14\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1980
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\Idle.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:896
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Default User\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2324
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1508
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Mail\ja-JP\winlogon.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:756
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\ja-JP\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1752
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Mail\ja-JP\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2008
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OSPPSVC.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1772
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1248
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1092
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1048
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1480
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:740
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Favorites\Idle.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2100
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Public\Favorites\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2340
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Favorites\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:700
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5bd1f4112c88840524e388855f5f93b5a
SHA1208d83908b8806c0b275c6566f729653fc59d7f0
SHA256c81ab17344cebea79df814825942c0c10d2b0185c454c8cad03aedbb64d1816e
SHA512d6f141c90d1d9dabde5168b5e5c294b7e6f817e71d8936a57de940e117f37af4b99e4e23d08bbcf8af89cebd3bee1c25734f2be0d086eb0e8bb906e376e53c8f
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5162f595bd444716c0ba73265f2f69de5
SHA1cd098015706f32692c38f54d81e778edaca1322e
SHA256da8a300b983a7ae2c879e4f91461efbc069662a55218f3c3f67878458fe8e2c0
SHA512bb8c427907970d72517a714cf219fd587175f98814bc50bb60c05bc4e57e84bf29a99a31f0901dedff23dc91b9880852447b61dadad81a7d28bf76de2eaf0a44
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD592d076b349466caec25f3e7966686258
SHA1d80f662f444f6bd80acf9b8282b3b4a26796027a
SHA25698715a64f13bbb1c4f69f8c6892e1cd4bb1f79d82c4838734bf0c651b6ca0ff0
SHA5124aef7493dcc255d6b1cfa1aea10019a98376c13740cdc24ffcc63c77d5140bc65c98020132a94eff92c4b4d912a0fa6bae7ecbbfe9552aa1b4895c3991a72db8
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD544dacf91e6f0358390be7b3436e38a40
SHA1e13c0a9aa78f4b6310cdc49b8a84e1de376c8901
SHA2561f367976d45d4a33db62151c3e80ec355abd905e8c6ed3e475e4deb6ea3283bc
SHA51240318fc5be226057555696b08f6ba3e5db1dade86ecc0dd4548ca5db94f695a9f5a919a0a3dd9c1ae3c4869009b141e6b7626be08a4bdba2d2ed30cf48623b20
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD56dd3b88c238fd48f143f8bf055972210
SHA1d85411358598dd746356c7e878156cdada4a7017
SHA256afd7265899702cbcedb17fc8c74bcb899e4fb1cd3064815215fed40d2546c963
SHA512be0f45b612f3b20bafd01c56cf354abb0a652c9a239871223a9b37615466f4197a36f855ef9661fda68cb3ebd3314ba0c73b87ebe4b10890718021fde98a5aed
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5930b07fd58e4b06fb5c8e0030f1ff759
SHA151ab6881e57f49b110d59700b24f09dc408c8365
SHA25670e933c5b743931e1efc4044bbbbbe251e9e9b610d8e99854c257123d83d8a40
SHA51242c9fa899c9eaf67b457fc04f67b5c58c1d28fc463a83eae357afaa44f44e45f67ab0427ae1b59e2142cb269b1c4f2a83757bf1458332a234c7b86bfb43398be
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5a06e75891f5fd50e5d5784f1d9c1d2ae
SHA1607fa3094144192c4cd9a47e635543b61db81890
SHA25689b97f166bddabf36fea3e7d1435b1e7ee154058b61a61de694a2d76138b526a
SHA512145e3d04449612814438d0ae5f7ee164ed4a5ad4d3392c51e4b0026972e8840a9d6a3962566a899ffad901ec06548dbfe0d58eabf61cdc1f2a4de9283b6188d6
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD582b815d2dabadec1c53f499ece1e8d15
SHA1fd558519fd4bce2beb7eef452bdafa5115727037
SHA256320a717be7ff791288c1fdb314462fa1a8295991d5a5e88752da7201fa675ae7
SHA5122a16a4f3bed5800fec6c18b75e6c19e1ad285303dd7a408deba940f7f88bf4b23d9ace8952f778842ef89d74bff5bbf0cfbbf16bf83cd7e4fe421159ee7414c7
-
Filesize
194B
MD5f0f83fea6035f773b68067c3bdb9a8ea
SHA171e0c59978f239427aaa73d0efdd6a7a371759a8
SHA25696db92bec6b61de365130fb55e972e9d4a95f4f82089d589893fe64078e6cb43
SHA5123d53480f4fa598a2b0645c4278a661785a1bc37c9dc478a5fafbbe549cc944b79d2bcfb322c07fa7c76c64e6fac46f046eead83a67dfcbd463f35d90205bae31
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
194B
MD5c870585ce0733aa6c412970379200657
SHA1f59dceecab675c3863a23fe28f9d55e73bf39008
SHA25667c00ab9d671da89ade08766762a56e9b6ab589d583284b7a408b9b49a154c99
SHA512d080755c7adc91431e9043c80b9e40b481bed683cde7004fe3c8fab6e189956724a611d44f57e40cdd1a2af5528f6d11a2461005b21a43c48991792a1068fc64
-
Filesize
194B
MD574c9637f274e1f916cd362b5add2205b
SHA17fe8f4ab3c5264a8575883c3acb62780a59c4570
SHA256d9b601006bea34374642f39d8e8e834c198cbc912c070d6168d8c88d597c16c5
SHA5125b9473698ab20c5dde8e0271fa8123fd412a532a68a38d3a3e5b11a349c3c60ca07c049f471c34b5672dfcb2004a38858b134f8e72b7944c1a44175b9a3451c2
-
Filesize
194B
MD5cb9c5f96e709d6a318951479d4d3e0ea
SHA1a84d7e558231c5bf414e4de72d97f944c6e85ad3
SHA25694d69ff9295d699de6f22a0326c847948d745ad08960e36d4a5214e5ab7ca482
SHA5120ef15f41467bf39b5f6b3db8f07dbd8da7725aa31eefb9af8eeaaf5d4cb66a264068ba7c0ccbc04356aa2d87e7f31bc3bb762cf59b2ec520d459b50acb85c522
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
194B
MD57e539724821506168f16ff9b186ace9b
SHA1df5cec09abd8e104caa7b1cc07b79f564930f97e
SHA2562b0a9a1c4f9c5b82d4e3adbcab2ffb5cc5c6a1e25ed714c9bda281e724337e30
SHA512585d8336de32c72394dac624ae42416f16213b3090649fadc66949616827d68cc0ff032713b055aa7994bd70a33c8b48400096bf90dc93e648dd747a98b2e42b
-
Filesize
194B
MD5f4b4322fecf9012ee29cf2b82483dad3
SHA135461f741ee9b04e388d7c4acb726a82d93081b5
SHA2562b25676c2cbf0435371cdcddb4d4e24099feb8a3092f2db30b16a54976df9dc9
SHA5121510b653ec98f0f9611624ad52de7c003d1bae1e52b881183daaaeb670b30dda07b4e17aeddcdcd5e5f430d14c5ac3438946e14a5c0992f5c59b2589450c1020
-
Filesize
194B
MD57622b751649aac6f4133407beb171253
SHA10fecb57e8869a4df6fd9462da57dfe09d27cf845
SHA2563894fcd0d34482a111308db3f324f8af8572fb7f141a14da0af43be0f9cd4684
SHA512bb1131b372c38ee4171daae4e0353fd35b7c542a73b1e8f393e3deadb263200c368d1eec0fe41f1da3dc876d28663b3f31fc372c06cc39dc547162490939eb41
-
Filesize
194B
MD5212d77c1e9a1dd20a238d07686bb9140
SHA169bf19fa781f2f5daa95740532687d61690b7f77
SHA25641440039a39519c3fdf49b76907ebc9e6107dc55a677746697762c489d596394
SHA512accf70f6f28df1dd5027b3c3840301b9a87c44bc0e288deebb4cb2da621e26dde2137e5498ba4a4cbda0c364de9cc384c0e5d72886e6e345571a89bef0201310
-
Filesize
194B
MD5db0722ae233b477f453cfe32261f538b
SHA19ed82dbe839a1e49e1bc76bba19d64e5521857ec
SHA256634fc16dfc78423976eafb1336b2d6a0e2104bb147d7450e975281372b303ee9
SHA5124f7cca8369d6e0c1f715879670ee04ee4a9a2742f534048c257cc1ba3535c21350c7130020b972139dc482e494c859543376705eeb27f527b9e793578a2ffbe0
-
Filesize
194B
MD5edef8ca8641bc8a6b6a735162742ff6b
SHA188a862fb69790a3b2c7d4135c67c0d04f7a3e194
SHA256eda597fdb7bf361e4550b875972553987e0f4f4791d06244272b01cef075820e
SHA512703072e4cfbc67da2062ffd90ebaf2e037643957e3242007830d21696ace32b0080e2efb04df55645f59b105dbc98ad30b1ccd76a4917fd12dde9517b644e781
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize7KB
MD583fb0c6199228c53d2c4642ca18bdd8f
SHA118911a03abdd2eb07f2c55bb518005467b93a2c3
SHA25665f22e1671b8e659ec7a563b99b33e6c174f2e9379a908584fe6270290124387
SHA512170fd9e0c2fabfee818bb08f451196e19969abadbde422e987286c0aca65c2a63c80478085842c9655847c78a115ac86a021ed6863b5c6a918c5f719f6610a00
-
Filesize
36B
MD56783c3ee07c7d151ceac57f1f9c8bed7
SHA117468f98f95bf504cc1f83c49e49a78526b3ea03
SHA2568ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8
-
Filesize
197B
MD58088241160261560a02c84025d107592
SHA1083121f7027557570994c9fc211df61730455bb5
SHA2562072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA51220d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478
-
Filesize
1.0MB
MD5bd31e94b4143c4ce49c17d3af46bcad0
SHA1f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394